What is the NIS2 directive?
NIS2 stands for Network and Information Security Directive 2 — the successor to the original NIS directive from 2016. The European Union issued this directive to strengthen the cybersecurity of organisations in critical and important sectors.
In Belgium, NIS2 has been transposed into national legislation. This means Belgian organisations that fall within the scope have concrete obligations regarding risk management, incident reporting and securing their systems.
Who falls under NIS2?
NIS2 significantly expands the scope compared to NIS1. The directive distinguishes two categories:
- Essential entities: energy, transport, water, finance, healthcare, digital infrastructure
- Important entities: postal services, waste management, chemicals, food, manufacturing, digital providers
For SMEs, the threshold is organisations with more than 50 employees or annual turnover exceeding €10 million in the relevant sectors. But smaller organisations in the supply chain of affected companies may also have indirect obligations.
What obligations arise from NIS2?
Affected organisations must, among other things:
- Conduct and document a risk analysis
- Implement appropriate technical and organisational security measures
- Have an Incident Response Plan
- Report significant incidents within 24 hours (initial notification) and 72 hours (detailed report)
- Manage supply chain security
- Ensure personnel security and access control
What are the sanctions?
NIS2 provides for significant fines. Essential entities risk up to €10 million or 2% of global annual turnover. Important entities risk up to €7 million or 1.4% of turnover.
What first steps can you take today?
- Check whether your sector and size place you under NIS2
- Conduct a baseline assessment: where do we stand today?
- Create a priority list of measures
- Develop a basic information security policy
- Consider external support via CISO as a Service
NetGuard guides SMEs from baseline assessment to compliance. Get in touch for a no-obligation conversation.