As a COO in the cybersecurity world, I often see new laws causing unrest. The European NIS2 Directive (implemented in the Netherlands as the Cybersecurity Act) is a good example of this. Many people immediately think of paperwork or sanctions. But if we look beyond the difficult legal text, we see something else: an opportunity to really get your company's security basics right.
Why these new rules?
The world around us is changing. We are more digitally connected than ever before. That is convenient, but it also poses a risk. If something goes wrong at one company because of a hack, the entire chain can be affected. Think of a transport company whose trucks cannot run, leaving shop shelves empty. The new law ensures that we all set the same standards for security. The goal? To ensure that important services, such as our electricity, water and healthcare, continue to function at all times.
If you want to know where your organisation stands, here are five points that matter:
1. The registration requirement: putting yourself on the map
Does your organisation fall under the law? Then you are required to register in a central register. In the Netherlands, you can do this at the National Cyber Security Centre (NCSC). This gives the government insight into which organisations are essential and who needs support in the event of major digital threats.
2. Duty of care: getting your digital house in order
The duty of care is the most important task. You must take demonstrable measures to protect your networks and systems. This includes:
- Conducting a risk analysis: what could go wrong?
- Making business continuity plans: how do we keep running after a hack?
- Securing your supply chain: how securely do your suppliers work?
3. The reporting obligation: speed is of the essence
In the event of a major incident that could disrupt your services, you must not wait. You have a reporting obligation that proceeds in three steps:
- Within 24 hours: An initial warning to the NCSC, which shares this with the supervisory authority and the CSIRT (Computer Security Incident Response Team) designated for your organisation.
- Within 72 hours: A more detailed report with further information.
- After one month: A final report on exactly what happened and what you have learned.
4. Training for directors: knowledge at the top
This is a crucial point: the law requires directors to undergo training. Why? Because you need to be able to recognise and assess cybersecurity risks. You do not need to become a technician, but you do need to be able to ask your IT department or CISO the right questions. After all, the board is ultimately responsible for approving security measures.
5. Supervision and enforcement: the inspector at the door
A common misconception is that the National Inspectorate for Digital Infrastructure (RDI) is the only supervisory authority. This is not true. The Netherlands uses a “sectoral approach”. Who your supervisory authority is depends on your sector:
- For healthcare, for example, it is the Health and Youth Care Inspectorate (IGJ).
- For transport and drinking water, it is the Human Environment and Transport Inspectorate (ILT).
- The RDI supervises, among other things, the digital infrastructure and the manufacturing industry.
Note the difference: for "essential" entities, supervision is both proactive (in advance and at regular intervals) and reactive. For "important" entities, supervision is reactive only (usually after an incident or complaint).
Does this also apply to you?
The law applies to many different sectors. Think of energy and transport, but also food production and financial services. It is a misconception that the law only applies to large companies. Even as a smaller company, you may fall under the law if your role in the chain is critical.
Tip: On the website digitaleoverheid.nl, you will find tools to check whether your company belongs to this group.
Do you require assistance with NIS2 compliance? Please review our NIS2 services or contact us directly.