Dutch companies run the risk of losing international clients through NIS2 regulations, the Dutch digital security platform Samen Digitaal Veilig warned earlier this year. Countries such as Germany and Belgium are on track to meet the NIS2 deadline of October 17 this year. The Dutch government, however, is lagging behind in transposing the NIS2 directive into national legislation. As a result, Dutch companies run the risk of losing foreign customers: without legal compliance, those customers might not be allowed to enter into contracts with them.
Across the European Union, legal systems differ to a great extent, which explains the differences in implementation speed. This is nothing new, but it can lead to temporary issues like the one mentioned above.
What’s the current state of NIS2 implementation in the EU, and how are countries such as Germany, Denmark, Latvia, Lithuania and Belgium implementing the cybersecurity measures into national legislation? In this article, we explore the developments and differences.
What’s NIS2?
The second version of the Network and Information Systems Directive, better known as the NIS2 directive, is a regulatory directive designed to improve the cybersecurity posture across the European Union. The main goal of NIS2 is to improve resilience against cybersecurity threats within the EU.
NIS2 follows the EU Cybersecurity Act introduced in 2016, but expands on the rules by increasing its scope to include a wider range of sectors and entities, increasing its requirements, implementing supervision, focusing on supply chain security, and mandating incident reporting.
For example, organizations under NIS2 must now submit a report or early warning to their national authority within 24 hours of becoming aware of a significant incident. They must also file an incident notification within 72 hours and submit a final report within one month. This is different from the first NIS regulation, which only specified filing a report ‘without undue delay’.
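The three reporting stages above, as an added example in Python (not from the original article): it computes the deadlines from the moment an entity becomes aware of a significant incident and checks constructed submission timestamps against them. Reading "one month" as the same day of the next month, clamped to the end of that month, is an assumption, as are the sample timestamps.

```python
import calendar
from datetime import datetime, timedelta, timezone

# NIS2 reporting windows counted from the moment the entity becomes aware.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


def add_one_month(ts: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (assumed reading of 'one month')."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime) -> dict:
    """Deadlines for the three NIS2 reporting stages, keyed by stage name."""
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": aware_at + INCIDENT_NOTIFICATION,
        "final_report": add_one_month(aware_at),
    }


def check_submissions(aware_at: datetime, submitted: dict, now: datetime) -> dict:
    """Classify each stage as 'on time', 'late', 'pending' or 'overdue'.

    submitted maps stage name -> datetime the report was filed (absent if not yet filed).
    """
    status = {}
    for stage, due in reporting_deadlines(aware_at).items():
        filed = submitted.get(stage)
        if filed is None:
            status[stage] = "overdue" if now > due else "pending"
        else:
            status[stage] = "on time" if filed <= due else "late"
    return status


# Constructed sample: awareness on 31 January, so the one-month deadline must clamp to 29 February.
SAMPLE_AWARE_AT = datetime(2024, 1, 31, 10, 0, tzinfo=timezone.utc)
SAMPLE_SUBMITTED = {
    "early_warning": SAMPLE_AWARE_AT + timedelta(hours=20),          # inside 24 h
    "incident_notification": SAMPLE_AWARE_AT + timedelta(hours=80),  # past 72 h
}
SAMPLE_NOW = SAMPLE_AWARE_AT + timedelta(days=10)                    # final report not yet due


def demo() -> dict:
    return check_submissions(SAMPLE_AWARE_AT, SAMPLE_SUBMITTED, SAMPLE_NOW)
```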
NIS2 in the Netherlands
The legislation might not be ready yet, but that doesn’t mean companies have to sit and wait: the NIS2 directive already provides enough information for essential and important entities to start preparing. The Dutch government has already published resources to help companies prepare. One of these is the NIS2 Quickscan, which contains forty questions that together determine the state of cybersecurity at your organization. Not sure whether your organization falls under NIS2? The government has published an NIS2 Self-evaluation to check whether NIS2 applies to you, whether your organization is classed as essential or important, and whether your organization falls under Dutch supervision.
NIS2 in the European Union
What’s the status of NIS2 in our neighboring countries? We speak to NIS2 experts in the Baltics and look at the state of things across the EU.
Latvia
“Generally, organizations are not too worried about NIS2 yet,” Gatis Kauss from Hermitage Solutions in Latvia says. “They have passed ISO 27001, and do not expect too many changes in NIS2.”
On June 20, the Latvian government adopted the national NIS2 law, the National Cyber Security Act. The Act introduces a number of significant changes compared to the current Latvian Information Technology Act. From September 1 of this year, a National Cyber Security Center will be established, which will act as the single point of contact for cyber security issues, supervise the implementation of national cyber security requirements, and develop national cyber security policy initiatives.
The functions of the National Cyber Security Center will be implemented by the Ministry of Defense in cooperation with the Cyber Incident Prevention Institution CERT.LV. The CERT.LV will be responsible for responding to cyber security incidents, monitoring the cyberspace situation and analyzing threats, ensuring the operation of the sensor network, DNS firewall and security operation centers, as well as educating the public on cyber security issues.
“We’re now going through a transformation period up until April next year,” Gatis Kauss adds. “What we see now is a period of relative quiet, due to the summer holidays. But I expect things to start happening after the summer holiday.”
The law will enter into force on September 1, 2024. In the coming months, the Latvian Ministry of Defense will organize seminars in order to inform those sectors to which the National Cyber Security Law applies about the requirements of the law.
“It’s now up to companies to start registering, assessing where they fall under NIS2 and what they must prepare, thinking about how this affects their budget, and getting ready for full NIS2 compliance,” Gatis Kauss adds.
Lithuania
Last month, the Lithuanian government published a draft proposal appointing the National Cyber Security Centre under the Ministry of National Defence (NCSC) as the main Lithuanian cyber security institution. The Centre will be responsible for the unified management of cyber incidents, for monitoring and controlling the implementation of cyber security requirements, and for the accreditation of information resources. Lithuania is on track to meet the October 17 deadline.
“This is a good start, but the work is only starting now,” Paulius Ceponis, Managing Director at Hermitage Solutions Baltics says. “We can now have a look at the sub-laws, which will be the most important: the sub-laws will actually define what’s required from organizations that fall under NIS2.”
Hermitage Solutions is actively involved in the discussions on the Lithuanian adoption of NIS2. “There is a lot of debate ongoing at the moment,” Paulius Ceponis says. Distinguishing between two parts, the organizational and the technological requirements, Paulius worries about the implementation of the latter. “We can see that some of the ideas are outdated already: think about passwords and the lengths of passwords. We aim to contribute to this discussion by adding input on the latest recommendations from ENISA, for example on these issues.”
A lot remains unclear, Paulius notes. “Initially, we assumed 22,000 Lithuanian companies would fall under NIS2. After reviewing the database, the Centre found it went down to 3,500 to 4,000, which is a large decrease. However, there are also a lot of small companies in Lithuania that do not meet the revenue or employee-number thresholds but work in critical sectors such as the energy sector. They will fall under NIS2 as well.”
“It will take time for companies to adapt. However, the goal of the Lithuanian Cyber Security Centre is not to play police. Their goal is to make the overall situation better, and they will be patient in that regard. They will warn, then check again. If it’s not fixed yet, they will warn again. After a third warning, they will start to take action.”
Paulius does not expect the transition to be fast-paced. “There was a lot of hype in the beginning of NIS2, but some doubts on the adaptation followed. A lot of companies are reluctant to make changes before the actual laws and sub-laws come into force. Although companies are preparing, I don’t expect them to make actual budget decisions this year, because too much remains unclear. I would give it about two years from the official start until we start to see proactive changes.”
“Right now, the suggestion is to follow ISO 27001, as this will give an indication of how well you will be prepared for NIS2,” Paulius says.
Belgium
The Belgian government has decided to expand the list of entities and organizations to include additional sectors and sub-sectors under the NIS2 regime, a possibility the directive allows. Entities and organizations will be obligated to self-register with the Centre for Cybersecurity Belgium (CCB), the national authority for cybersecurity, within a set period after the national law comes into force.
Similar to the Netherlands, Belgium has created a platform on which organizations can find out whether they fall within scope, how to register, and which measures they should take, using the CyberFundamentals tools. For NIS1, the CCB and CERT.be (the Cyber Emergency Response Team, the operational service of the CCB) established an incident reporting platform, which will be used for NIS2 as well.
Unlike the Netherlands, Belgium aims to meet the October 17 deadline.
Denmark
In February this year, the Danish government announced that the Danish implementation of the NIS2 and CER Directives will be delayed until the end of this year or the start of the new year. However, the government noted, the delay might mean that companies face a shorter period in which to implement the national rules, so companies should be laying the groundwork for NIS2 as soon as possible.
According to research conducted by the IRIS Group for Industriens Fond on Danish organizations affected by the NIS2 Directive, one in five companies still have doubts about whether they fall within scope. One in four companies have a plan in place to achieve NIS2 compliance, but only 29.2 percent of companies state that their cybersecurity risk-management measures are currently compliant with the requirements set by Article 21(2) of the Directive. The requirements companies struggle with most are supply chain security and policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
Until the national legislation is completed, it remains unclear which Danish businesses and public entities will fall under NIS2, as the definition of the types of entities in the specific sectors can be interpreted in different ways, and Member States are free to decide whether or not to include certain public entities.
The Danish Centre for Cybersecurity (CFCS) has set up a Computer Security Incident Response Team (CSIRT), to which significant incidents are reported under NIS1. Going forward, entities that fall under NIS2 must also report significant incidents and cyber threats to the competent authority or the CSIRT as quickly as possible, and within 24 hours.
Germany
In Germany, NIS2 will be transposed into national law by the NIS2UmsuCG, the NIS2 implementation law. This is an amendment to the existing German CIP (Critical Infrastructure Protection) laws. The draft law passed consultation in May and now awaits the federal legislative process, which is expected to take place in October.
In addition to NIS2, there will be another law, KRITIS-DachG, for identifying Critical Infrastructures. This law serves to implement the CER Directive, which aims to strengthen the physical security of critical entities.
There are a couple of national differences to note in Germany. Companies that fall under NIS2 in Germany are split into three groups: critical infrastructure operators (KRITIS operators), essential entities, and important entities. The existing German method for identifying critical infrastructures, KRITIS, is retained under NIS2, and the existing KRITIS sectors remain a separate set for critical operators: existing KRITIS operators, with their critical facilities and thresholds, carry over into NIS2 as the third entity type, operators of critical facilities. Additionally, NIS2’s essential and important entities will be called “specially important” and “important” entities in German law.
Take action now
While Germany and Belgium aim to meet the October deadline, the Netherlands and Denmark are running behind. However, all countries have made clear that it is important to take initial action now, rather than to wait for national legislation to be finalized. The NIS2 Directive will bring many new organizations into scope, and all of them will have a short time to work through a long list of new requirements.
How the DataDiode can help
The NIS2 framework focuses on high-level security measures, and highlights network segmentation as a key method for reaching its security goals. Segmenting a network by adding a DataDiode to enforce a unidirectional data flow is an effective way to improve cybersecurity in essential areas. For example, in scenarios where IT and OT environments need to be kept separate to ensure the integrity and safety of operational systems, the DataDiode is an effective solution: critical operational data can safely move to IT systems, without the risk of malware or attacks travelling back into the OT system.
For systems that must remain air-gapped for security reasons, such as those used in critical infrastructure or secure government networks, DataDiodes can enable the secure update of software or databases. By allowing data to enter the secure environment while physically ruling out data exfiltration in the other direction, systems can be kept up to date and protected against known vulnerabilities.
Want to learn more about NIS2 and the consequences for segmented networks? Join us for an insightful session with Bart Groothuis on the new NIS2 Directive and the crucial role of segmentation on November 7th. Register here.