The European NIS directive became Belgian law on May 3rd. It provides legal measures to boost the security of network and information systems (NIS) that are of general interest for public security.
By now, most companies should know whether they have to comply with this NIS regulation or not. It is the sectoral authorities that should inform them. Sectors that are vital to our economy and society and that are highly dependent on ICT, such as financial institutions, energy, transport, drinking water, healthcare, and digital infrastructure, all have to comply with this legislation.
The starting point of this NIS law is to guarantee a high level of cybersecurity for critical network and information systems in order to ensure the continuity and public security of critical social and economic services.
Companies from the relevant sectors will, therefore, have to take the appropriate cybersecurity measures and report serious incidents to the relevant national authority.
The Belgian legislative proposal for implementation has a bold side to it. It refers to ISO 27001 or similar standards to impose a minimum expectation. The companies that have to comply with this law have to take the following measures:
The good news is that the Belgian bill requires an annual internal audit and an external audit every three years. This is a watered-down version of the ISO approach, where an annual surveillance audit is imposed after certification. External parties can perform both the internal and the external audit.
In other words: as a provider, you do not immediately have to proceed to an official ISO certification, but in the end, you will have to meet all the requirements. Thus, as the step towards a full ISO certification is not that big anymore, I would suggest just getting certified!
The advantage of an ISO certification? It is an external, official and formal confirmation that information security is being managed in line with the agreed expectations.
As under the GDPR, the NIS law provides for both administrative and criminal fines that can be imposed. Besides, the competent authorities will have far-reaching powers to monitor compliance with the NIS law.