Need To Be NIS2 Compliant? - We Can Help

The European Union’s Network and Information Systems Directive (NIS) has undergone a significant transformation with the introduction of NIS2. As a business leader, it’s crucial to understand the implications of this new legislation, and the timeframe for compliance (17th October 2024).


How Can We Help?

Whether you’re just after a second opinion, or you haven’t a clue where to start, whatever your NIS2 needs, big or small, we’re here to help.

Our expert consultants can provide any or all of the steps below to suit your exact needs.

A little bit about what's new in NIS2

Highly recommended for a high-level overview of what’s new in NIS2, our blog on NIS2 is a great place to start your journey.

If you have a question, pick up the phone and call us today on +44 (0)203 475 9932 and we’ll be happy to help. See also some of our frequently asked questions below.

Following a review of NIS, it was clear that the existing directive was not effective, for a number of reasons. Primarily this was due to how each country interpreted and imposed the law: for example, NIS was interpreted very differently in Belgium and the Netherlands, two neighbours, making it near impossible to impose fines and creating an ineffective regulatory patchwork.

In short, it should be YES, but this is best answered with a quote from Dutch MEP Bart Groothuis, an advocate of NIS2: “Cybercrime doubled in 2019, ransomware tripled in 2020 and yet our companies and institutions are spending 41% less on cyber security than in the US. We must strengthen the EU’s cybersecurity and create the tools to handle cyber incidents together when they occur. We cannot stop all cybercrime from occurring, but we can protect ourselves better than before and better than others. This new legislation makes the EU a safe place to do business.”

The simple answer is yes. If you hold current accreditation for ISO 27001 then you will be deemed to be compliant, with one caveat: your ISO 27001 scope must match that of the NIS2 requirement. So if only part of your business is certified to ISO 27001, seek advice.

No. NIS2 is intended for medium and large organisations, so if you are a small or micro business then you are not in scope. NIS2 applies to “essential” and “important” organisations and defines a minimum size as those that (i) employ 250 people or more, and (ii) have an annual turnover of 50M Euros and/or a balance sheet exceeding 43M Euros. If that’s not you, then you are not in scope.

It should also be noted that smaller entities with a high security risk profile may be deemed in scope by Member States.

Article 20 requires Board and executive accountability for cyber risk, with cyber awareness training mandated for top management to enable informed decision making.

Penalties are in the same region as those imposed by the EU for GDPR. For NIS2 non-compliance, fines can reach up to 10M Euros or 2% of global turnover for essential entities. For important entities those figures are 700K Euros or 1.4% of global turnover.

For clarity, fines for a data breach of PII cannot be imposed twice, once under GDPR and again under NIS2, assuming your business were able to survive a single penalty in the first place.

Possibly the biggest change in NIS2 is the accountability of top management. Penalties include sanctions against the individuals responsible (top management), making public the names of those responsible, a temporary ban from management positions, and, in the case of gross negligence, authorities can make individuals personally liable, carrying significant fines of up to 1.4 or 2% for essential entities.

Energy, Transport, Banking, Financial Market Infrastructure, Health, Drinking Water, Waste Water, Digital Infrastructure, Public Administration, and Space.

Postal & Courier Services, Waste Management, Manufacture, production and distribution of chemicals, Food production, processing and distribution, Manufacturing, and Digital providers.

NIS2 requires entities to include technical and process controls within the following areas:

  • Risk Analysis
  • IS Policies
  • Incident Handling processes
  • Business Continuity
  • Cybersecurity Training
  • Computer Hygiene
  • Cryptography and related policies and processes
  • Access Control
  • Asset Management
    • Policies
    • Inventory of Assets
  • Security of Network and Information Systems