NIS2 has been a hot topic in the last 12 months and has frequently featured in blogs and LinkedIn posts. Yet we had to wait until the EU NIS2 Directive was transposed into national legislation to learn what exactly it means for us. So when the draft version of the Dutch national legislation became available for review as part of an internet consultation, I jumped right on it.
Let’s start with a quick reminder of the purpose of the legislation, which is about ‘maintaining critical socially or economically important functions or activities, aimed at increasing cybersecurity by setting rules’. These rules aim at:
- Controlling risks regarding the security of information systems
- Preventing incidents
- Limiting the negative impact of incidents
- Obtaining and providing information about incidents, near misses, cyber threats and vulnerabilities
Yet in my opinion, while the legislation strongly underlines the shared responsibility to fight cyber criminals, it may not trigger the effect needed with organizations that lack the intrinsic motivation to do what needs to be done and secure their information systems properly.
Shared responsibility to fight cyber threats to society
On the positive side, I am happy to see the obligation on the minister to ensure international collaboration within the EU, and that the CSIRT is responsible for both national and international coordination and alignment regarding cyber security threats and insights.
This underlines the notion that cyber security risks are not merely a business risk for individual organizations and companies but are in fact a risk to society as a whole. We can no longer expect everyone to fight their own cyber battle; we need to unite and all do our part.
Part of this means the CSIRT will, on top of its coordination activities, monitor cyber threats, issue early warnings to entities at risk, and offer support during incidents.
The essential and important entities (which is us) are also expected to play their part by implementing technical, operational and organizational measures to control their security risks.
Not tangible enough to trigger real action
Unfortunately, the legislation remains rather vague on what these measures should be. Only one article is devoted to this, and it states that the measures should be risk-based and take into account any applicable international standards. This leaves a lot of room for interpretation and will not sufficiently motivate or guide entities to do what is needed.
I was expecting the legislator to be more concrete about the security measures that are expected, for example by referencing the ‘apply or explain’ guidance of the NCSC or the internationally recognized ISO 27001 standard.
Without this level of concreteness, it will be interesting to see how the CSIRT and other authorities will supervise and enforce compliance. They have the authority to conduct security scans and audits to check compliance, but without clear criteria we will have to wait and see how effective this turns out to be.
Consequences of non-compliance: High impact, but low likelihood?
The consequences of non-compliance could in theory be severe, including:
- Being ordered to resolve an issue within a set time frame
- Suspension of your organization’s certification or permit
- Suspension of members of your board of directors
- Fines of up to 10 million or 2% of global annual revenue
Interestingly, government institutions are excluded from the first three and only have to worry about fines.
Without clear compliance criteria, these severe consequences will not be enough to motivate all essential and important entities to do their part and implement sufficient security measures. I expect many will wait for case law to determine the urgency rather than getting right to it. This will either delay the impact of NIS2 or limit it altogether.
Read more from Nadine.