Are you ready for NIS2?

13 Apr 2021

With the ever-increasing digitisation of services and the parallel growth of cyber security threats, a common framework for the security of networks and information systems was sorely needed. The NIS-Directive of 2016 was an important first step towards the establishment of Union-wide cybersecurity standards. Through notification duties, containment plans, and regular audits for essential service providers and digital service providers, the EU raised the security level of network and information systems across the Member States. Two years after the deadline for transposition of the first Directive, in December 2020, the Commission launched a proposal for the NIS2-Directive, streamlining and expanding on NIS1.

So be prepared and make sure your network information system is compliant with NIS1. In this newsletter, we go over the state of play after implementation of the first NIS-Directive in Belgium and The Netherlands, when and how to report an incident, and how to prepare for an external audit.

Implementation of the Directive

Belgium

One year after the deadline of the Directive, and under threat of infringement proceedings by the Commission, the Belgian law of 7 April 2019 transposing the NIS-Directive finally went into effect. Two months later, the Royal Decree implementing the law of 7 April 2019 followed.

The Netherlands

Six months ahead of their southern neighbours, the Dutch government transposed the Directive with the law of 17 October 2018. Two weeks later, on 30 October 2018, a Royal Decree further implementing the law followed.

With these laws, both governments transposed the minimum standards of the Directive. As a result, essential service providers and certain digital service providers are now under an obligation to:

  • Take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems.
  • Develop a robust and effective security policy (possibly based on international standards).
  • Immediately report incidents to the relevant authorities.
  • Take reactive measures after each incident.
  • Provide evidence to the relevant authorities of the effective implementation of security policies, mainly through internal and external audits.

Failure to meet these requirements can lead to penal and administrative sanctions. 

When to report an incident 

Belgium

Essential service providers

Under Belgian law, providers of an essential service must report an incident when it would have a significant disruptive effect on “the availability, confidentiality, integrity or authenticity of the network- and information systems which the essential service(s) depend(s) on.”

Digital service providers

With regard to digital service providers, on the other hand, the law merely states that they have an obligation to report any incident that has a significant disruptive effect on the provision of their service, without going into further detail. It adds that this obligation also applies to digital service providers who provide services to essential service providers, but only where the incident may have an adverse effect on the essential service provider.

To determine whether there is a ‘significant disruptive effect’, one must at minimum consider the number of users affected, duration of the incident, and geographical spread of the area affected by the incident. 

The Netherlands

Essential service providers

Essential service providers must report any incident that has a significant disruptive effect on the provision of their service. To determine whether an incident has a significant disruptive effect, at minimum the factors to be considered are the number of users affected, duration of the incident, and geographical spread of the area affected by the incident.

Digital service providers

Digital service providers must also report all incidents having a significant disruptive effect. The same minimum factors must be taken into account when it comes to digital service providers. However, in addition, there are two extra factors: the extent of disruption of provision of the service and the extent to which the disruption has consequences for economic and societal activities. To put these factors into more tangible terms, the Dutch government has provided a handy check-list for digital service providers in their short guide on the new legislation.

How to report an incident 

Belgium 

Both types of provider must report the incident to the Centre for Cybersecurity Belgium, the sectoral authority, and the Directorate General of the Crisis Centre of the Federal Public Service Internal Affairs. Moreover, once the report has been made, the service provider must take all reactive measures to resolve the incident and remains responsible for its approach.

The incident must be reported through the online unified notification platform. Providers must log in using their unique identification codes. Whereas essential service providers should receive this code by default, providers of digital services must themselves request that the Federal Public Service Economy create an account for them. Service providers must provide as much information on the incident as the platform requests, to allow the authorities to determine the nature, cause, effects, and consequences of the incident. If a service provider is unable to provide all of the requested information, it must supplement the report with the missing information as soon as possible.

In case the platform is unavailable, an incident report must be filed through the website of the Federal Cyber Emergency Team.

The Netherlands

Essential service providers

Dutch law states that selected essential service providers must report incidents having a significant disruptive effect on the provision of the essential service to the Minister of Justice and Security. The service provider must call the emergency number of the National Centre for Cyber Security (NCSC). Once the phone call has been made, the service provider has to send an encrypted e-mail to the centre at cert@ncsc.nl, mentioning their duty to report the incident. To make it easier to know what information to provide, the NCSC provides a template incident report on their website.

Digital service providers

Digital service providers must report disruptive incidents to the Computer Security Incident Response Team for Digital Service Providers (CSIRT-DSP) and the Radiocommunications Agency Netherlands. Using the online template of the CSIRT-DSP gives you the option of notifying the Radiocommunications Agency at the same time. If you prefer to report the incident by e-mail, you can inform the CSIRT-DSP through csirt@csirtdsp.nl and the Radiocommunications Agency through wbni@agentschaptelecom.nl. A template for incident reports by e-mail can be found on the website of the Radiocommunications Agency.

In case of urgent situations, you can reach the CSIRT-DSP by phone at +31 (0)70-3796222 and the Radiocommunications Agency at +31 (0)900-7700027.

How to prepare for an external audit

Under Belgian law, every three years, all providers to which the law applies must engage a conformity assessment body accredited by the national accreditation authority or by the European Cooperation for Accreditation to perform an external audit. The audit reports must be delivered to the sectoral authority. The providers carry the costs of the audit.

Whereas Belgian law establishes a general duty to undergo external audits, Dutch legislation states that the authorities will designate, by Royal Decree, the providers of essential services that are subject to an external audit obligation. Unless the Royal Decree provides otherwise, service providers carry the costs of the audit.

During an external audit, the auditors will verify whether the service provider has put in place appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems and whether an effective action plan has been developed in case of an incident. Some of the elements to be reviewed are the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards.

In other words, to successfully pass an external audit, you must show that you have minimized the risk of incidents occurring while being prepared to handle the situation should an incident arise. To help put these requirements in more concrete terms, international standards such as the ISO/IEC 27001 can be of guidance.

Finally, these three steps may help you prepare for an external audit:

  • Make a check-list of every requirement you have to meet. 
  • Communicate the importance of these requirements to all employees and instill compliance by default.
  • Perform an internal audit and adapt your practices accordingly.
Do not hesitate to contact us should you require further information and assistance on the issues discussed in this note, or any other data protection related matter.