Is your company ready for the new cybersecurity law?
Time is ticking. The original deadline for NIS2 legislation was October 17, 2024, but it has been extended. While some might consider this a stroke of "luck," there’s no time to waste. The law is expected to take effect by mid-2025, and though that seems far off, trust us—time flies. If you don’t start preparing now, you could face unpleasant surprises: sanctions, fines, or worst-case scenario—a cyberattack that grinds your business to a halt. So, the big question is: Are you ready for the new cybersecurity law?
In this blog, we’re not just breaking down what NIS2 is (don’t worry, it’s more than a dull rulebook); we’ll show you how to start preparing your organization now. Because let’s face it, everyone’s been talking
NIS2: What was it again?
Should I care?
What are the rules?
What steps do I need to take?
Why act now?
What is NIS2?
NIS2 might sound like a new video game, but it’s far from it. This European directive is designed to wake companies up when it comes to cybersecurity. We’re talking about organizations where outages could have catastrophic consequences for society. Think energy companies, hospitals, or even the water supply. Imagine if one of these services went down due to a cyberattack—chaos! NIS2 is here to make sure these critical sectors understand the risks and step up their cybersecurity. But does it affect you?
Is your organization affected by NIS2?
If your company operates in any of the following sectors, you almost certainly fall under the NIS2 directive and the Dutch Cybersecurity Act (CBW):
Highly critical sectors:
- Transport
- Healthcare
- Drinking Water
- ICT Providers
- Digital Infrastructure
- Government services
Critical sectors:
- Postal and courier services
- Food supply
- Chemical substances
- Research and manufacturing Industries
Check here if your organization must comply with NIS2.
If your organization falls under NIS2, it’s crucial to know that failing to meet the requirements could result in hefty penalties.
What does this mean for your business?
The new law comes with serious obligations. Here are the four main pillars of NIS2 that you need to prepare for:
1. Registration requirement:
Organizations must register with a central entity registry managed by the National Cyber Security Centre (NCSC).
2. Duty of care:
Companies are required to conduct a risk assessment and implement appropriate measures to secure their systems. Even your board members and executives need training in cybersecurity management.
3. Reporting obligation:
Significant cyber incidents must be reported to the Computer Security Incident Response Team (CSIRT) within 24 hours. A full report must follow within 72 hours, and a final report after one month. By “significant,” we don’t mean a minor glitch—this is about serious disruptions that harm your services, your business, or others. Think: service outages, stolen customer data, or system hacks.
4. Supervision and enforcement:
Organizations will be monitored to ensure they meet the duty of care and reporting requirements. Non-compliance could lead to sanctions, including fines or even personal liability for directors.
What do you need to comply with NIS2?
Many companies don’t realize that NIS2 is much more than just installing a good firewall or antivirus software. It’s about everything: from employee awareness to involving your leadership team. If you skip these critical steps, you’re leaving yourself exposed. And in the world of cybersecurity, vulnerability means trouble.
To be compliant, your company must meet ten specific measures to ensure the safety of your network and information systems:
- Measure 1: Conduct a risk analysis and secure information systems.
- Measure 2: Implement security protocols for personnel, access control, and asset management.
- Measure 3: Ensure business continuity with backup management and contingency planning.
- Measure 4: Set up incident response procedures.
- Measure 5: Establish basic cyber hygiene and cybersecurity training.
- Measure 6: Secure network systems during processing, development, and maintenance, including vulnerability management.
- Measure 7: Protect the supply chain.
- Measure 8: Develop policies on cryptography and encryption.
- Measure 9: Use multi-factor authentication, secure communication systems, and emergency communication plans.
- Measure 10: Regularly assess the effectiveness of your cybersecurity risk management controls.
How to prepare?
Now that you know what NIS2 requires, the next question is: how will you tackle this? Here are a few essential steps to get your company ready for NIS2 compliance:
- Conduct a risk analysis: You need to know where your weaknesses are before you can fix them.
- Get your security in order: This is not just about technology but also about policies and people.
- Set up incident management: Be prepared for cyberattacks and make sure you know what to do when one hits. Have a backup plan.
- Regular audits: Test, test, and test again to ensure your measures actually work.
- Communication plan: Who do you call when things go wrong? Make sure everyone knows what to do in case of an incident.
And the most important step: start now. Waiting until 2025 is just asking for trouble. Taking action now means you can rest easy later, knowing you’re ready for whatever comes your way.
Why act now?
Waiting until 2025 to comply with NIS2 is like waiting until it starts raining to buy an umbrella. Not smart, and it’s definitely going to leave you soaked. But here’s the good news: taking action now gives you a serious advantage over your competition.
Companies that take steps now will reap the rewards later. Why? Because NIS2 isn’t just about compliance, it’s about trust. Customers, partners, and suppliers want to do business with an organization that takes cybersecurity seriously. Plus, it’s a requirement for supply chain responsibility.
Let’s be honest: cyberattacks aren’t a distant threat, they’re happening now. Even if NIS2 weren’t on the horizon, it would still be critical to get your systems in order. By acting now, you’re killing two birds with one stone. Not only will you be fully compliant when the law takes effect, but you’ll also be better protected against the cyber threats already out there.
Ready to get ahead?
We’re here to help. Whether you need risk assessments, incident management, or team training in cybersecurity, we have the expertise to make your organization both compliant and cyber-secure. Together, we’ll ensure that you don’t just meet the legal requirements but are also safeguarded against the real-world cyber threats lurking today.
Let’s begin!