On May 13, 2022, the European Parliament and the Council provisionally agreed on the NIS2 Directive, fortifying a high common level of cybersecurity across the European Union. On November 28, the final text was approved in Council. The directive will be published in the Official Journal of the European Union in the coming days and will enter into force on the twentieth day following this publication. Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law.
The NIS2 Directive responds to Europe's increased exposure to cyber threats by improving the resilience and incident response capacities of the public and private sectors and of the European Union as a whole. According to the European Council's press release, the revised directive aims to remove divergences in cybersecurity requirements and in the implementation of cybersecurity measures in different member states, as the NIS directive implementation proved to be difficult, resulting in fragmentation at various levels across the internal market.
To achieve this, the NIS 2 directive sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state.
The NIS 2 directive enlarges its scope and forces more industry verticals to strengthen their cybersecurity risk and incident management measures. The adapted directive introduces more draconian supervisory measures for national authorities, harmonizes sanctions regimes, and improves and stimulates information sharing and participation in cyber crisis management across the member states of the European Union.
A quote from MEP Bart Groothuis proves the need for this adaptation: "Ransomware and other cyber threats have preyed on Europe for far too long. We need to act to make our businesses, governments, and society more resilient to hostile cyber operations. This European directive is going to help around 160,000 entities tighten their grip on security and make Europe a safe place to live and work. It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale," he said.
On November 10, 2022, the MEPs adopted the text with 577 votes to 6, with 31 abstentions. Now that the Parliament vote is completed and approved, the Council has to formally adopt the law before it is published in the EU's Official Journal.
Member States will have 21 months to transpose NIS2 into national law. It is unlikely to be adopted and formally transposed into all EU Member States' national laws until the end of 2024 at the earliest.
Organizations should review the scope of NIS2 and whether their businesses fall within that scope. If an organization concludes that it is likely to fall within the scope of the new legislation, the organization should consider the organizational, financial, and technical steps that will be required to prepare for complying with NIS2.
In Belgium, the CCB is appointed as the authority.
The following sectors will be included:
The Orange Cyberdefense audit and business consulting division can help organizations on their road to NIS 2 directive compliance. We can determine whether you must comply, craft a business case, set up your tailored roadmap, and help you implement the necessary measures.
Depending on the state of your organization's security maturity, the below-mentioned topics are key focus points for improvement:
Working on these topics will enhance your cybersecurity resilience and ensure NIS2 directive compliance.
Need advice? Contact our Head of Advisory Jan De Bondt.