
Introduction:

On December 27, 2022, the NIS2 directive (Directive (EU) 2022/2555) was published in the Official Journal of the European Union. This directive is the successor to the NIS1 directive of 2016 (Directive (EU) 2016/1148), which, given the ever-increasing cyber threats and our dependence on the digital world, needed an update. The new directive significantly expands its scope but essentially retains the same objectives as its predecessor, namely (i) to encourage national authorities to pay sufficient attention to cybersecurity, (ii) to strengthen European cooperation between competent authorities, and (iii) to impose security measures on the main operators in the most sensitive sectors of society. Each Member State had until October 17, 2024 to transpose the NIS2 directive into national law. The Belgian legislator did so by adopting the Belgian law implementing the NIS2 directive on April 18, 2024. The law enters into force on October 18, 2024. So it is high time to review the biggest changes.

1. Expansion of the sectors and activities

As mentioned, the NIS2 directive significantly expands the scope of application. To determine whether an entity will be subject to cybersecurity obligations, two criteria are mainly considered: (i) it must operate in one of the sectors and provide one of the types of services listed in the annexes to the directive, and (ii) it must be of a certain size.

The annexes to the directive distinguish between the "sectors of high criticality" (Annex I) on the one hand and "other critical sectors" (Annex II) on the other. Examples of sectors of high criticality include energy, transport and drinking water. Other critical sectors include postal and courier services and the manufacture and production of chemicals or foodstuffs.

For an entity to fall within the scope of the directive, it is not only required that it belongs to one of the sectors listed above, but also that it meets a certain size threshold. As a rule, the entity must be a medium-sized or large enterprise, i.e. it must employ at least 50 persons or have an annual turnover or annual balance sheet total exceeding EUR 10 million. Consequently, small and micro enterprises with fewer than 50 employees and an annual turnover and balance sheet total of no more than EUR 10 million are excluded from the scope of the directive, subject to some specific exceptions (for instance certain providers of DNS, domain name registration, trust or public electronic communications services, and entities that are the sole provider of a service essential to society, which are covered regardless of their size).

Under the NIS1 directive, a distinction was made between "operators of essential services" and "digital service providers". This distinction is replaced by a distinction between "essential" and "important" entities. The classification follows automatically from the size of the entity and the sector in which it operates: broadly, large enterprises in the sectors of high criticality are essential entities, while the other entities within scope are important entities. In addition, national authorities can also specifically designate entities as belonging to one category or the other.

2. Obligations for essential and important entities

The NIS2 directive obliges essential and important entities to adopt cybersecurity risk-management measures. These measures must be appropriate and proportionate to manage the risks to the security of their network and information systems and to minimise the impact of incidents on the recipients of their services and on other services.

One of these obligations concerns the management body itself: it must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements. The members of the management body are also required to follow training on cybersecurity.

Besides taking appropriate measures, the NIS2 directive also imposes reporting obligations. Essential and important entities must report any significant incident to the competent national authority (for Belgium the CCB, the Centre for Cybersecurity Belgium). Reporting is staged: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the incident notification.

3. Enhanced supervisory and enforcement system

The competent national authorities can both take supervisory measures themselves and order entities to take appropriate measures. These range from warnings and binding instructions to the imposition of administrative fines. For essential entities, the maximum fine is at least EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; for important entities, it is at least EUR 7 million or 1.4% of that turnover, whichever is higher.

Although the new legislation only enters into force on October 18, 2024, entities that will clearly be subject to it are advised to take preparatory measures now.

If you have additional questions or are unsure whether your company will be subject to the new legislation, do not hesitate to contact us so that we can review your situation together.