This NIS2 Directive: what is that? Is that something for me?
I receive a lot of questions from customers and prospects about the NIS2 Directive. That’s why I decided to write this article to summarise the information I think is most valuable to our customers and prospects. As Spinae is a Belgian company, the information I provide here is tailored towards Belgium.
3 things before I start:
1) I will sometimes intentionally leave some details out to keep it understandable. If all the details were in this article, no-one would read it 😉
2) As the NIS2 Directive is a legal matter – and I am still not a lawyer – please use the information below as it is intended: as information. It is by no means legal advice.
3) Relevant references and links can be found at the bottom of this article
In short: what is the NIS2 Directive?
I’ll try to summarize it in just 2 sentences: it is a set of rules by the European Union which obligates EU member states to create local legislation about Information Security. The EU does this because it acknowledges that information is a key economic advantage for Europe and is essential for our societies to function, so it must be properly protected.
Regulation vs Directive
Everybody knows the term GDPR. It is also something from the European Union, also some sort of law. It stands for General Data Protection Regulation.
And this last word, Regulation, is important here. Because it is a regulation, it is applicable in every member state on the same date and unchanged. There is one document, one version across the whole EU.
Here we are talking about the NIS2 Directive. A directive is a document created by the European Union, but it has to be transposed into the local law of every member state. It dictates what has to be put in those local laws. At the same time it leaves the member states some freedom: to incorporate it into other initiatives, to be stricter than what the EU dictates, and so on.
How about Belgium? 🇧🇪
In Belgium, the Center for Cyber Security Belgium (CCB) has been tasked with translating the EU NIS2 Directive into local Belgian law (the so-called ‘transposition’). They have looked at different existing cyber security frameworks (all frameworks Spinae is very familiar with 😉 ):
- NIST Cyber Security Framework (CSF)
- ISO/IEC 27001
- IEC 62443
- Center for Internet Security Controls (CIS)
CCB decided to create the Cyberfundamentals Framework, based on the above mentioned existing frameworks.
NIS2 defines 2 levels:
- Sectors of High Criticality (Annex I)
- Other Critical Sectors (Annex II)
Ok, sure thing, but it's still not clear what it is...
Indeed, sorry… so it is a legal document, coming from the European Union, dictating that all EU member states must create local legislation which contains at least what is mentioned in this NIS2 Directive. It will be translated into local Belgian law, at the latest by October 17th, 2024. The Center for Cybersecurity Belgium (CCB) is tasked with that.
If your company falls within the Sectors of High Criticality (Annex I) or Other Critical Sectors (Annex II) and also falls within the EU definition of a medium-sized company or larger, you will have to comply with what the Belgian law says, which is captured in the CCB Cyberfundamentals Framework.
Does your company fall within the Sectors of High Criticality, and are you a medium-sized company or larger? You should implement the controls from the ‘Essential’ assurance level of the Cyberfundamentals Framework.
If you are active in the Other Critical Sectors, and you are a medium-sized company or larger, you should implement the controls from the ‘Important’ assurance level.
What are those sectors?
For all details, you should take a look at the NIS2 Directive itself: all the way at the bottom there is ANNEX I – describing the Sectors of High Criticality – and ANNEX II – describing the Other Critical Sectors. In short (and a bit simplified), it boils down to:
Sectors of High Criticality
- Energy
- Transport
- Banking
- Financial market infrastructures
- Health
- Drinking water
- Waste water
- Digital infrastructure
- ICT service management (business-to-business)
- Public administration
- Space
Other Critical Sectors
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing
- Digital providers
- Research
The sectors marked in green are sectors in which existing customers of Spinae are active, so we have experience within those sectors. If you are part of another of these sectors: no worries – we are quick learners and eager to get to know new things ☝️!
And now? What's next? 🤨
Below are some high-level steps which you can take:
- Find out if your company falls within the scope of the NIS2 Directive
- Look up your specific sector. Is it part of Annex I or Annex II?
- Evaluate the size of your company
- Download the Cyberfundamentals Framework which suits your sector
- Evaluate for every control how well your company is doing: gap-analysis
- Evaluate your gap-analysis document and create a roadmap
- Implement that roadmap step-by-step. Make sure to involve all relevant stakeholders
- Ask for specialist assistance if and where needed 😉
References
- The actual NIS2 Directive
- The website of the Center for Cyber Security Belgium (CCB) about Cyberfundamentals Framework
- The EU definition of a medium-sized company: Commission Recommendation 2003/361/EC – Article 2 – Annex – p.4
- NACE Rev. 2 – Statistical classification of economic activities in the European Community – to find the actual sectors falling in scope
An example, relevant to some of Spinae’s OT-security customers: NIS2 Directive, p. 69, Annex II (Other Critical Sectors), 5. Manufacturing, (c) Manufacture of electrical equipment: “Undertakings carrying out any of the economic activities referred to in section C division 27 of NACE Rev. 2”.
This refers to section C (which is Manufacturing), division 27 (which is manufacture of electrical equipment) of NACE Rev. 2. On p. 70 of that document we find:
Spinae security specialists are here to help
With our substantial experience with ISO/IEC 27001, IEC 62443, NIST CSF and CIS Controls, and the fact that we are brand-independent, Spinae is a very good fit to help you and your company with NIS2.
Contact us to get our expert view on the matter and get you on the way!
About the author
Stijn Boussemaere, co-founder of Spinae, is a Certified ISO/IEC 27001 Senior Lead Implementer and Certified IEC 62443 Industrial Security Foundations Specialist. He is a guest professor at the University College Howest, where he has been active in courses such as Security, Linux, Cloud Services and Data Science. He loves translating complex concepts into understandable language to help others.