The second Network and Information Security Directive (the ‘NIS2 Directive’) entered into force on 18 October 2024. It is the successor to the NIS Directive adopted by the European Union in 2016. The NIS Directives aim to strengthen the EU Member States’ level of collective cyber security by increasing the enforcement requirements in this area for critical infrastructure sectors. The introduction of NIS2 represents a continuation and expansion of the previous NIS Directive on cyber security, which has since been repealed.
As a result of NIS2, Belgium is tightening up cyber security measures, incident management and the supervision of entities providing services that are essential for maintaining critical social or economic activities. Tom Van Britsom: ‘Think of key sectors such as energy, transport, banking, healthcare, water, digital infrastructure or financial market infrastructure. For example, a haulage company is considered essential because it is responsible for the distribution of our food, such as transporting potatoes to the supermarket.’
Whether your company falls within the scope of the Directive depends not just on the sector in which you are active, but on the size of your company. As the business owner, it is up to you to make that assessment correctly. A company generally falls within the Directive’s scope if it is active in any of the sectors, subsectors or types of services listed as a ‘sector of high criticality’ or ‘other critical sector’ (see image below).
In principle, the Directive concerns large and medium-sized enterprises. These are companies with more than 50 employees and more than 10 million euros in annual turnover (see image below). Small and micro enterprises fall outside its scope unless explicitly stated otherwise.
If that is the case, you are obliged to take appropriate and proportionate security measures. This obligation is twofold:
- You are required, among other things, to implement risk management measures, carry out risk assessments and provide training in cyber security, security obligations for personnel and so on.
- You also have a reporting obligation in the event of serious and significant incidents:
  - In the event of a serious incident, you must immediately issue a warning: this must be done within 24 hours of becoming aware of the incident at the latest.
  - You must also give official notification within 72 hours of becoming aware of the incident.
  - Lastly, you must submit a final report to the supervisory authorities within one month of the definitive response to the incident.
💡All enterprises that fall within the scope of the law are required to register with the Centre for Cybersecurity Belgium (CCB) and provide accurate information about their activities.
The inspection service of the national cyber security authority, the Centre for Cybersecurity Belgium (CCB), is responsible for carrying out checks:
- For essential entities, there is a mandatory conformity assessment by the CCB.
- Important entities may also undergo a conformity assessment on a voluntary basis. An inspection is only mandatory for them after an incident, but thorough preparation is advisable.
The sanctions vary greatly, from warnings, recommendations, supervision, binding instructions, targeted and ad hoc inspections through to disclosure obligations and administrative fines.
Here’s a quick summary of the most striking sanctions:
- Administrative sanctions and fines can be imposed. The fines vary depending on whether the business is essential or important. Administrative fines can be as high as 10 million euros or 2% of your total worldwide annual turnover.
- As a director, you can be held personally liable and banned from performing your duties. You can also be required to improve cyber security by having the management team or your employees attend cyber security training.
In the context of the precautionary measures that the companies concerned must take for NIS2, two insurance policies may stand out:
- Directors’ liability insurance: we are unable to identify any impact as yet, because no insurer currently excludes the consequences of NIS2.
- Cyber insurance: an NIS2 fine is an administrative fine, just like the GDPR fine, that penalises your security policy. Both kinds of fine can be covered within your cyber insurance.
Our wide-ranging services consist of four parts for optimal protection:
- Cyber insurance: we provide extensive and up-to-date customised cover with professional support in the event of an incident.
- Phishing training: we offer customised training courses to help you build your company’s ‘human firewall’.
- Cyber security workshop: during an interactive workshop, we guide you through every aspect of a realistic cyber incident so that your company passes the stress test. Recommended by and for CFOs!
- Business continuity plan and cyber incident response plan: we give you a hands-on step-by-step plan that you can follow during a cyber incident.