What is the NIS directive?
In Europe, the NIS (Network and Information Security) directive was drawn up to achieve a high common level of security of network and information systems across the EU. The first version, NIS1, was published in 2016. It was aimed primarily at large companies and institutions that perform essential functions for society, such as power, network and water suppliers. These organisations have been obliged for several years to take information security measures that increase their cyber resilience.
NIS2
In May 2022, the European Parliament and the Council reached political agreement on a new version, NIS2. In this version the scope of organisations to which the directive applies has been broadened considerably. It now includes manufacturers of critical products, ICT service providers (managed service providers, MSPs) and the whole healthcare sector (hospitals and all other healthcare providers).
The European Commission writes:
"To cope with increasing cyber threats in Europe, the NIS 2 guideline now applies to medium and large entities from more sectors that are critical to the economy and society, including providers of public electronic communication services, digital services, wastewater and waste management, the manufacture of critical products, postal and courier services and government departments, both at central and regional level. It also covers healthcare more generally, for example medical device manufacturers, given the increasing security threats that occurred during the corona pandemic. Expanding the scope of the new rules, by requiring more entities and sectors to take measures to manage cybersecurity risks, helps raise cybersecurity levels in Europe in the medium and long term."
Source: European Commission
Legislation
NIS2 is a European directive, not a regulation, so it must first be transposed into national legislation before it binds organisations directly. Member states have 21 months from the directive's entry into force to do this. NIS2 entered into force on 16 January 2023, which puts the transposition deadline at 17 October 2024; Dutch legislation implementing it is therefore expected by then.
So what does this mean?
As a result, many more organisations will be obliged to take information security measures. Note that NIS2 itself does not prescribe a particular standard: it requires appropriate and proportionate risk-management measures and the ability to demonstrate them. In practice, established standards are the way to do that. Healthcare institutions can thus expect to be held to NEN 7510 (the Dutch healthcare information security standard). Smaller ICT service providers (MSPs) that manage networks for larger organisations will have to demonstrate their information security management in a verifiable way, for which ISO 27001 is the obvious framework, and the same applies to manufacturers in scope. So there is work to do. Whether your organisation counts as a manufacturer of critical products will become clearer once the Dutch legislation is final, but some common sense will already tell you whether you are likely to fall into this category.
Call to Action
Our advice is not to wait until an inspection, by the IGJ or another supervisory body, catches you off guard. Start now. How you do that depends on your organisation: what do you already have in place, and what is still missing? To find out where you stand, we can perform a baseline measurement (pre-audit) for you. DigiTrust does not advise on HOW you should become compliant; that is up to your organisation. We can, however, give you a clear and independent picture of where you currently stand with regard to ISO 27001 or NEN 7510.
DigiTrust is the information security audit and certification specialist in the Netherlands. Contact us to start the conversation about your path to successful certification. Our specialists are ready for you.