With 50,000 cases, the federal police have never recorded as many computer fraud and hacking incidents as in the first half of 2022. At this rate, it will unfortunately be a record year. In ten years, the figures have tripled and cybercrime affects every organisation, public or private, large or small. The new NIS 2 directive therefore intends to protect more of our country's essential services. From 2023 onwards, thousands of Belgian and European organisations will be faced with a colossal task of analysis, protection and audit. Are you ready?
With its Network Information Security (NIS) Directive, which has been in force since 2016, the EU has already tried to stem the tide of cybercrime and protect about a dozen essential sectors in each of the EU countries. These include healthcare, transport, finance, energy, utilities and the digital infrastructure. Since then, major players have been required to report security incidents, and to implement the necessary security measures to reduce exposure to cyber-risks.
In view of the above-mentioned recent developments in cybercrime, and the ever-increasing importance of information systems in our digitalised society, the EU was forced to extend the scope of its directive to include more sectors in the list of critical infrastructures and services. NIS 2 was passed in the European Parliament at the end of 2022 and will already enter into force in the second half of next year.
By widening its scope of applicability, NIS2 now goes from a few hundred to several thousand entities concerned to provide more protection. These sectors include those covered by NIS1 (some of which have been expanded), but also spatial and postal services, pharmaceutical and medical product manufacturers, digital services such as data centres, public administration, food, telecommunications services, as well as waste water and waste management.
However, it remains for the states to validate or extend this scope more ambitiously, through national legislation. Member States and the EU will be able to impose the use of a specific certification in certain sectors for certain products, services or processes, in order to prove or ensure compliance with the NIS2 standard. Belgium has chosen the ISO27001 implementation framework to comply with the directive.
Internal and external audits
To be compliant, critical entities or those operating in these sectors will have to deploy an Information Security Management System (ISMS), define governance and security scopes. Then, they will have to monitor the security of the networks and information systems related to the provision of its service through internal and external audits, as well as analyse the potential risks. This risk analysis and the action plan to be put in place should be communicated to the sector authority designated for its support.
If the company does not wish to be certified to ISO27001, the sector authority can still request the results of annual internal audits, impose an external audit every 3 years or request more information to ensure compliance. It is important to understand that these audits require skills aligned with the sector concerned. Indeed, a cyber-attack on a water company will have a different scope than on an electricity supplier or a bank.
While the regulation is more collaborative than penal, Member States will still be allowed to issue warnings, fines or administrative penalties for non-compliance. These are not defined at this stage, but experts expect them to amount to one percent of turnover or potentially hundreds of thousands of euros.
Notifications and penalties
In addition, entities will also be required to notify major cybersecurity incidents they encounter. NIS2 is stricter in this respect: alerts must now be reported within 24 to 72 hours, whereas the first directive was limited to "best efforts".
The extension of the NIS directive has an undeniable impact. Considering the pervasive threats today, it is in the interest of organisations to get their feet wet. As a reminder, the cybersecurity market has a shortage of experts. It will therefore be necessary to anticipate. An integrated and coherent security strategy will in any case always have a return on investment.