By 17 October 2024, the European NIS2 cybersecurity directive has to be transposed into Belgian law. Every medium-sized and large company operating in one of the sectors it covers will then have to meet its obligations or face heavy fines. The good news is that NRB can help you make your transition to NIS2 with complete peace of mind.
Cybersecurity is a major concern for both public and private enterprises, given the magnitude of the financial and reputational risks of an online attack. The European Union has therefore decided to strengthen its regulatory framework in the fight against cybercrime by adopting the NIS2 directive.
In this article, you will find everything you need to know about the NIS2 directive.
What is the NIS2 directive?
This directive is the successor to NIS1, generally regarded as the first EU-wide cybersecurity legislation. Technological developments since then have led the European Parliament to update those rules, which are now set out in the NIS2 directive. Every Member State, including Belgium, must transpose the obligations listed in the directive into its national legislation by 17 October 2024 at the latest.
What are the objectives of the NIS2 directive?
The NIS2 directive strives to achieve a number of objectives to enhance the effectiveness of European cybersecurity, in particular better cooperation between the Member States. We have listed the changes that will have a direct impact on you.
1 Drastic increase in the number of companies involved
This is certainly the main change. The previous NIS directive only concerned around a hundred Belgian entities spread across six sectors. The NIS2 directive adds companies from twelve further sectors, including public administration, public electronic communications service providers, waste management, aerospace, chemicals, postal services, the agri-food supply chain and digital service platforms, provided they employ at least 50 staff or have an annual turnover (or balance sheet total) above EUR 10 million. In total, this is estimated to bring around 2500 Belgian companies into scope.
2 Obligation for companies to report a significant incident
The NIS2 directive requires companies to report every significant incident in three precise steps:
- Alert the authorities within 24 hours of detecting an incident
- Make a full declaration concerning the incident within 72 hours
- Write a full and final report within one month of the incident
3 Heavy financial penalties for non-compliance with the regulations
A company that fails to meet its obligations, including the obligation to report a significant incident, may face heavy financial sanctions. In both cases below, the higher of the two amounts applies.
For entities considered essential (energy, transport, banking, finance, drinking or waste water, digital infrastructure, health, aerospace, public administration), the fine may be as high as EUR 10 million or 2% of total worldwide annual turnover for the previous financial year.
For entities considered important (postal services, waste management, the chemical industry, agri-food, digital providers), the fine may be as high as EUR 7 million or 1.4% of total worldwide annual turnover for the previous financial year.
How can NRB help companies comply with the NIS2 directive?
As an ISO 27001-certified company, NRB can assist your company in making the transition to NIS2. The plan can be broken down into 5 points:
- Cyberattack management: by combining a SIEM platform with security analysts, the SOC (Security Operations Center) detects potential attacks on your data and your infrastructure.
- Business continuity: the Business Continuity Plan (BCP) describes the strategy adopted to address the identified risks in order of priority, classified according to the severity of their impact and their likelihood. The plan ensures that personnel and assets are protected and that operations can resume rapidly in the event of an attack.
- Development and maintenance security: if you want to develop an application, we make sure you apply the prescribed security measures. Our teams check that your code complies with OWASP security standards and that deployment proceeds as planned.
- Network and information systems: our teams assess your company's exposure, in particular through penetration tests and attack simulations. This exercise offers a wealth of information concerning the security of your data.
- Testing and assessing the measures' effectiveness: our experts analyze all the measures taken and assess the maturity of your security processes. This final check shows how well your company is protected against online attacks and where gaps remain.
Please do contact us for further information.