Update on NIS2
Srity issued an updated presentation on the NIS 2 Directive, covering several key aspects of the updated cybersecurity legislation in the EU. Here is a summary of the main points:
The NIS 2 Directive builds on the original 2016 NIS Directive, aiming to enhance cybersecurity across the EU by broadening its scope to include more industries and introducing stricter requirements. The main objectives include improving Member States’ preparedness, fostering cooperation among Member States, and promoting a culture of security across vital sectors such as energy, transport, healthcare, and digital infrastructure.
The timeline for the NIS 2 Directive includes its publication in 2022, with a deadline for transposition into national law by October 2024. In Belgium, the process involves several steps, including the setup of a working group, draft law adoption, and parliamentary review, with final adoption expected by October 2024.
Entities affected by NIS 2 are categorized based on their activity and size. Essential and important entities must implement various cybersecurity measures, such as risk analysis, incident handling, business continuity, supply chain security, and the use of multi-factor authentication.
Reporting obligations under Article 23 require entities to notify their CSIRT or competent authority of significant incidents without undue delay. The reporting timeline includes an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month.
Authorities will conduct controls on entities, with essential entities subject to both ex-ante and ex-post supervision, while important entities face ex-post supervision only. Potential fines for non-compliance can reach up to EUR 10 million or 2% of total worldwide annual turnover for essential entities, and EUR 7 million or 1.4% for important entities.
The next steps for interested customers include taking a NIS2 assessment, confirming whether they are in scope of NIS 2, informing senior management of regulatory requirements, and ensuring compliance with Articles 21 and 23 through specific control assessments and incident management processes.
Please feel free to contact us to receive the presentation and for further NIS 2 explanations tailored to your needs.