
Originally published on February 23rd 2024 on BlogIT
Even though it recently became clear that the Dutch government isn’t going to make the deadline of October, the official NIS2 legislation is still on its way. Since January 2023, the central government has been working on transposing the CER and NIS2 directives into national legislation. The draft legislation was originally scheduled to be ready in the first quarter of 2024, after which sectors, organizations and individuals will have the chance to respond to the draft.
There is still a lot left to be done for these regulations and they may not be finalized for a while. Regardless, we are very curious to see how the legislation will turn out.
NIS2 isn’t the first directive to be translated into legislation, nor will it be the last. When we look at what we can learn from previous legislation, these are the lessons we think the Dutch government should take to heart.
1. Don’t reinvent the wheel
NIS2 is the successor of the NIS2 legislation and interfaces with existing laws and regulations such as BIO2.0, ISO27001 and CIS. Many organizations already have to comply with these existing frameworks and legislations. By aligning the legislation for NIS2 with these existing ones, you relieve pressure on organizations and make it just a little bit easier for them to comply with the various requirements. The government has already made some promising progress here, for example by mapping the NIS2 regulations to the BIO2.0 and ISO 27002.
This advice goes beyond just existing regulations as well. Consider identifying existing standards and forms that have already been put together by private parties, such as the CYRA partnership, for example. Clarity about which of these standards will be recognized and supported will promote compliance.
2. Ensure adequate capacity at contact points
The introduction of the GDPR legislation is still fresh in people’s minds. Although this legislation provides a strong legal framework, we’ve found that supervision and enforcement leave much to be desired. This is recognized by the regulatory body of the GDRP itself, the Personal Data Authority (AP), which has indicated for some time they are dealing with capacity problems.
For NIS2, you want to avoid a similar situation. Ensuring sufficient capacity at contact points is key and appointing different regulatory bodies per sector can help in this. We also highly encourage promoting cooperation and communication between these different regulatory bodies.
3. Focus information to specifically directors and administrators
It is important to gain organization-wide support and acceptance for the NIS2 legislation, not just from CISOs and other departments that have direct involvement with information management. Directors and administrators above all must understand the importance of this legislation, not in the least because they are the ones who can be held personally responsible and liable if things go wrong.
By creating clarity about which companies will or will not be affected and to what extent, we enable better communication within an organization regarding these types of regulations and legislations.
Don’t wait until March
Though the actual legislation has been postponed, this is no excuse to wait passively until there is more clarity. A proactive approach is important to better protect yourself against current risks. Organizations are identified as essential or important under NIS2 for a reason.
At the end of the day, NIS2 is primarily about preventing cyber incidents and mitigating the potential consequences. Even without the specific legislation set in stone, you should already be focusing on cyber incident prevention.
The additional advice to organizations is therefore to not forget the importance of investing in a cybersecurity strategy focused on prevention, like the Zero Trust strategy. By implementing Zero Trust principles, you not only strengthen the overall resilience of your organization, but also lay a solid foundation for effective with NIS2 and similar regulations.