What does the introduction of NIS2 mean for your company?

The second Network and Information Security Directive (the ‘NIS2 Directive’), is the successor to the NIS Directive adopted by the European Union in 2016. The NIS Directives aim to strengthen the EU Member States’ level of collective cybersecurity by increasing the enforcement requirements in this area for critical infrastructure sectors.

The NIS2 Law will enter into force in Belgium on 18 October 2024, reinforcing cybersecurity measures, incident management and the supervision of entities providing services that are essential for maintaining critical social or economic activities. The law will also improve the coordination of government policy in the field of cybersecurity. With it, the federal legislators will implement the provisions of the second NIS2 Directive, thus continuing and extending the provisions of the previous NIS directive on cybersecurity, which will be repealed.

An entity falls within the Directive’s scope if it is active in any of the sectors, subsectors or types of services listed in 'sectors of high criticality’ or ‘other critical sectors’ and is of a certain size.

In principle, the Directive concerns large and medium-sized enterprises (enterprises with more than 50 employees and more than 10 million euros in annual turnover). Small and micro enterprises fall outside its scope unless explicitly stated otherwise.

Entities falling within the scope of the NIS2 Law are required to take ‘appropriate and proportionate’ measures to secure their network and information systems, to prevent and manage cyber threats and incidents and to limit the consequences of incidents for their customers and for other services. They are required, among other things, to undertake risk management measures and risk assessments and provide training in cybersecurity, security obligations for personnel and so on.

In addition, such entities have a reporting obligation in the event of serious and significant incidents. In the event of a serious incident, the entity must immediately issue a warning: this must be done within 24 hours of becoming aware of the incident at the latest. Official notification must also be given within 72 hours of becoming aware of the incident, and entities must submit a final report to the supervisory authorities within one month of the definitive response to the incident.

In addition to the mandatory notification of serious and significant incidents by essential and important entities, there is the possibility of voluntary reporting of non-significant incidents or of significant incidents, cyber threats or near-miss incidents by entities not subject to the NIS2 Law.

The inspection service of the national cybersecurity authority, the Centre for Cybersecurity Belgium (CCB), is responsible for carrying out checks and ensuring that essential and important entities are taking appropriate measures to manage cybersecurity risks and complying with the rules on incident notification.

For essential entities, a mandatory conformity assessment by the CCB is proposed. Important entities may also undergo a conformity assessment; this will be on a voluntary basis as such entities are only required to undergo checks after an incident.

All entities that fall within the scope of the law are required to register with the CCB and provide accurate information about their activities.

There are two kinds of sanction: administrative sanctions and fines. The fines vary depending on whether the business is essential or important:

• For businesses classified as essential, there are potential fines of up to 10 million euros or 2% of their total annual worldwide turnover in the preceding financial year.
• For businesses considered to be important, the maximum fines are 7 million euros or 1.4% of their total annual worldwide turnover in the preceding financial year.

It is up to the governing bodies or managers of essential and important entities to approve cybersecurity risk management measures and monitor their implementation, as they can be held liable for any breaches.

To ensure that they understand the measures they approve, members of the governing bodies of essential and important entities must attend cybersecurity training and provide such training to their employees on a regular basis. Managers must acquire sufficient knowledge and skills to identify risks to their organisation and to be able to assess cybersecurity measures and how they affect their organisation.

Possible measures include warnings, recommendations, supervision, binding instructions, targeted and ad hoc inspections, disclosure obligations and administrative fines.

Arranging cyber insurance is an important part of the precautionary measures that the entities concerned need to take for NIS2.

Before arranging cyber insurance, a company must have a number of essential elements of cybersecurity (such as multi-factor authentication and offline backups) in place. This means that it must carry out a thorough risk assessment and take appropriate measures in order to be able to arrange the insurance – which is good for the company’s cyber resilience.

In addition, the insurance will enable companies to seek assistance from experts in the event of an incident, so that it can be dealt with as efficiently and quickly as possible. Cyber ​​insurance thus both provides financial protection and ensures business continuity.

Given that specific conditions are imposed on the directors of the entities concerned, the importance of arranging directors’ liability insurance should not be underestimated.

We do not expect any immediate problems with cover under either type of policy due to the introduction of NIS2. Insurers will most likely wait and see whether the changes have any effects.