NIS2 is the next major regulation after GDPR and NIS(1) that organizations need to contend with. Our goal is to shed light on this new directive with a realistic perspective, to determine its applicability to our average SME customer, and to explore how we can assist in compliance.

Companies in critical sectors such as chemicals, pharmaceuticals, energy, finance, and drinking and wastewater fall under the NIS2 directive if they have at least 50 employees or an annual turnover exceeding ten million euros. In total, Europe has identified 18 ‘critical’ sectors for the economy and security. It is estimated by the VBO that around 2,000 companies in our country will be subject to the new regulations (Source: Tijd.be).

The directive imposes numerous obligations on these companies regarding cyber risk awareness, risk management, business continuity, and reporting. Failure to comply may result in hefty fines, and there is also a risk that company directors could be held personally liable.

Fortunately, there is a handy scoping tool that allows you to quickly determine whether or not you need to comply by answering a few questions about your organization. This method is more efficient than delving into all the rules and exceptions, so we highly recommend using it.

There is an important factor to consider. As a supplier to an NIS2 entity, you may be contractually required to implement cybersecurity measures because NIS2 entities must also manage the cybersecurity of their supply chains. The Center for Cybersecurity Belgium recommends implementing at least the ‘CyberFundamentals Basic’ level of security, but a higher level may be contractually imposed.

Even if you do not yet need to fully comply with the latest version of the NIS2 directive, it is a good idea to be proactive. This way, you will have a digital advantage when your organization needs to become compliant. Implementing such extensive cybersecurity measures is not something you can do overnight.

If your company falls under the directive, it is crucial to start working on all the obligations as soon as possible. The law comes into effect on October 18, 2024. All NIS2 entities must register on Safeonweb@Work:

• Entities in the digital sectors of the law must register by December 18, 2024.
• All other NIS2 entities must register by March 18, 2025.

The law lists 11 minimum measures that every NIS2 entity must implement:

• Risk analysis and information systems security policy
• Incident handling
• Business continuity, including backup management, emergency plans, and crisis management
• Supply chain security, including security-related aspects of relationships between each entity and its direct suppliers or service providers
• Security in the acquisition, development, and maintenance of network and information systems, including vulnerability response and disclosure
• Policies and procedures to assess the effectiveness of cybersecurity risk management measures
• Basic cyber hygiene practices and cybersecurity training
• Policies and procedures regarding the use of cryptography and, where applicable, encryption
• Personnel security, access policy, and asset management
• Where appropriate, use of multi-factor authentication or continuous authentication solutions, secure voice, video, and text communication, and secure emergency communication systems within the entity
• A policy for coordinated vulnerability disclosure

To facilitate the practical implementation of these measures, the Center for Cybersecurity Belgium advises using the CyberFundamentals (CyFun®) Framework. Safeonweb provides a simple tool to determine the advised level and associated requirements. You can select your sector via the tabs at the bottom and then set the size of your organization. This will show you the recommended level (Basic, Important, Essential).

Safeonweb provides a guide with measures for each level, which is also available for free download. You can try to implement these yourself or contact your IT partner.

Essential entities must achieve the Basic or Important assurance level by 18/04/2026, with final certification required by 18/04/2027. Essential entities must have their implementation regularly reviewed and assessed by a third party. This can be attested through a CyFun® certification awarded by an accredited and authorized conformity assessment body (CAB).

Furthermore, as part of their incident response plan, all NIS2 entities must notify the Center for Cybersecurity Belgium (CCB) of significant incidents starting from October 18, 2024. A significant incident is any incident that has a substantial impact on the delivery of their services and that:

• Causes or may cause serious operational disruption of services or financial losses for the entity involved;
• Affects or may affect other natural or legal persons by causing significant material or immaterial damage.

Boards of directors and management must be trained in cybersecurity to understand and fulfill their responsibilities and liabilities. If the entity fails to meet its risk management obligations, the governing body is liable.

Basic knowledge of risk management and cybersecurity is essential for making management decisions regarding cybersecurity strategies and measures at the board level. It is recommended to schedule this management training before April 2025.

In addition to management training, employee training is always a part of cybersecurity measures.

The field of cybersecurity evolves rapidly. Just a few years ago, it was unthinkable that Belgian SMEs might need to comply with the so-called NIS legislation. As a result, it is very likely that the environments set up back then no longer meet today’s or upcoming standards. We offer various types of audits to (re)assess your IT environment and identify weak points. Our approach is always tailored to the specific situation and needs of your SME. No general theories and principles, but practical advice you can implement.