SoftwareOne, a leading global provider of software and cloud solutions, is helping organisations comply with the new ‘Network and Information Security’ directive, better known as NIS2. Organisations that are essential or important to society must comply with the new directive, and this is proving to be no easy task. On top of that, a great deal of ‘noise’ and plain misinformation is circulating about it. SoftwareOne identifies five common misunderstandings and describes how things really stand.
1 – NIS2 is a job for IT
This is incorrect. NIS2 affects the entire organisation. The IT department is jointly responsible for carrying out risk management and for the technology that supports it, but the board and management must safeguard the continuity of the organisation and its information systems: they are the ones who draft, approve, budget for and monitor the security policy, and under NIS2 they can be held accountable for it. Other departments are affected too. HR, for example, not only arranges security awareness training but must also report leavers promptly so that their system privileges are revoked immediately.
2 – With NIS2, the government knows everything about my organisation
No, that’s not true. Under NIS2, the government designates expertise centres, such as a CERT (Computer Emergency Response Team), to share knowledge and provide advice; they also act as hotlines. The reporting obligation applies only once a NIS2 incident has been identified (NIS2 itself sets staged deadlines for this: an early warning within 24 hours, a fuller notification within 72 hours and a final report within a month). Your organisation then has to submit as complete and technically detailed a report as possible, so that the impact of the incident and the risks to society and the economy can be properly assessed. In other words, it is only about technical information on the incident, not about your organisation as a whole.
3 – Implementing NIS2 takes a lot of time and money
It can, but it need not. If your organisation already works according to an IT-related ISO or NEN standard, such as ISO/IEC 27001 or NEN 7510, you have a big head start. In that case the focus is mainly on the technical set-up and the NIS2 reporting obligation. Many organisations already have a sound IT environment, but will still need to allocate extra budget to raise their security level: think of additional licences, redundant technology and implementation costs, but also awareness training and simulation exercises.
If the organisation is not already working to an IT-related ISO or NEN standard, it remains important to document the processes and the technical set-up properly and to evaluate them regularly.
4 – NIS2 leads to fines
Yes. If NIS2 has not been fully implemented by the transposition deadline of 17 October 2024, the organisation is in breach. This can result in fines of up to a few per cent of annual turnover or many millions of euros (the directive sets maximums of EUR 10 million or 2% of global annual turnover for essential entities, and EUR 7 million or 1.4% for important entities). If advice from the CERT is not followed, warnings follow and fines are increased. Besides a fine, the responsible officers can be held personally liable if they repeatedly fail to make improvements.
5 – NIS2 is not convenient now, we will wait for NIS3
This is very unwise. With NIS2, the European Member States have sent a clear signal that cyber risks must not be underestimated and are causing ever greater damage. A further tightening of NIS2 is expected within a few years, and it may well be called NIS3. The Netherlands, as an independent member state within the EU, can also place extra emphasis or urgency on specific parts, as it did with the AVG (the Dutch implementation of the GDPR). To avoid a backlog, the advice is to start working seriously on NIS2 now.
Dennis van Leeuwen, solutions specialist Digital Workplace at SoftwareOne: “NIS2 aims to improve Europe’s digital and economic resilience. The directive creates quite a few changes in the field of cybersecurity. We help organisations comply with the new directive and find that there are misconceptions here and there. It is important to get good information. It’s not just government departments, healthcare institutions or water management companies, but also energy providers and companies operating in the financial or transport sector, for example. Failure to comply with NIS2 puts you at risk of large fines and also makes you personally liable. So it is essential to be well informed.”