Amsterdam, 10 October 2023 - SoftwareOne, a leading global provider of software and cloud solutions, is helping organisations comply with the new 'Network and Information Security' directive, also known as NIS2. Organisations that are essential or vital to society must comply with the new directive, and this is proving to be no easy task. Moreover, there is quite a lot of information 'noise' and untruths being shared. SoftwareOne identifies five common misunderstandings, and describes how things really are.
1 - NIS2 is a task for IT
This is incorrect. NIS2 affects the entire organisation. The IT department is jointly responsible for implementing risk management and the associated technology. The board and management must watch over the continuity of the organisation and its information systems; they are tasked with drafting, approving, monitoring and budgeting policies. It also affects, for example, the HR department, which not only arranges security awareness training but also sends exit notifications on time so that system privileges are revoked immediately.
2 - With NIS2, the government knows everything about my organisation
No, it doesn't. Under NIS2, the government has designated various expertise centres, such as a CERT (Computer Emergency Response Team), to share knowledge and provide advice. They also act as hotlines. The reporting obligation applies only when a NIS2 incident is identified. Your organisation then has to submit a technically detailed report that is as complete as possible. The aim is to properly assess the impact of the incident and the risks to society and the economy. So it concerns technical information only.
3 - Implementing NIS2 costs a lot of time and money
It can, but it doesn't have to. If your organisation already works according to an IT-related ISO or NEN standard, this gives you a big head start. The focus is then mainly on the technical set-up and the NIS2 notification obligation. Many organisations already have a sound IT environment, but will need to allocate extra budget to raise their security level. Consider additional licences, redundant technology and implementation costs, but also awareness training and simulation tests.
If the organisation does not have to comply with an IT-related ISO or NEN standard, it is still important to document the processes and technical set-up properly and to evaluate them regularly.
4 - NIS2 leads to fines
Yes. If NIS2 is not fully set up by the end of October 2024, the organisation will be in breach. This could result in a fine ranging from a few per cent of annual turnover to many millions. If advice from the CERT is not followed, warnings follow and fines are increased. In addition to a fine, personal liability also applies if the responsible officer repeatedly fails to make improvements.
5 - NIS2 is not coming out now, we are waiting for NIS3
This is very unwise. With NIS2, the European Member States have sent a clear signal that cyber risks must not be underestimated and are causing ever greater damage. A further enhancement of NIS2 is expected to be implemented within a few years, and this may then be called NIS3. The Netherlands, as an independent member state within the EU, can place more emphasis or urgency on specific parts, as it did with the AVG (the Dutch implementation of the GDPR). To avoid any possible backlog, SoftwareOne's advice is to start working seriously on NIS2 now.