Is your organisation ready for the new cybersecurity obligations? (Part 3)

EU Directive 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”) entered into force on 16 January 2023. The NIS2 Directive builds on the previous NIS1 Directive (2016/1148/EU) in order to provide a European framework for cybersecurity risk management measures. The NIS2 Directive significantly broadens the scope of the NIS1 Directive: it expands the categories of sectors and activities that will be subject to the cybersecurity obligations, imposes new cybersecurity risk-management measures and incident reporting obligations, strengthens cooperation between Member States and adopts a stricter supervision and enforcement system.

In two previous Eubelius Flashes, we informed you about the publication of the Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for public security and about the Royal Decree of 12 July 2019 that specified the application of certain rules. The Act and Royal Decree transposed the NIS1 Directive into Belgian legislation and introduced an obligation for the notification of incidents for organisations that offer an essential service, such as energy, healthcare or transport, and for organisations that offer digital services. The NIS2 Directive takes this obligation to a higher level and introduces several other significant changes to the NIS1 Directive.

Member States have until 17 October 2024 to transpose the NIS2 Directive into their respective national laws. Member States must adopt and publish the measures to comply with the NIS2 Directive and immediately inform the Commission thereof. The Member States must apply these measures from 18 October 2024 onwards. Furthermore, Member States must establish a list of essential and important entities by 17 April 2025 and must review and update that list on a regular basis and at least every two years.

Cyberincidents occur every day. Investing in good cybersecurity and follow-up pays off. Eubelius is happy to assist you with advice, preparation of security policies, training for your staff, audits, and your preparation for and approach to cyberincidents.

Do you want to read more about the NIS2 Directive? A more in-depth article is available to our clients in our Client Zone.