The Network and Information Security Directive 2 (NIS2) and the corresponding Belgian Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security are set to reshape the cybersecurity landscape for companies across Belgium, the European Union and any company wanting to do business here. With the compliance deadline looming on October 18, 2024, many companies are still grappling with understanding whether they are in scope, what the respective requirements are, and which steps are needed to meet them. This article outlines the key aspects of NIS2, what you and your organization need to do, and how you can maximize your compliance efforts in the short term.

What is NIS2 and why is it critical for Belgian companies?

The NIS2 Directive aims to improve how organizations respond to cyberattacks and to strengthen cooperation and the exchange of information. Its scope of application is therefore broad: it covers not only businesses operating in sectors of “high criticality,” such as energy, transport, finance and healthcare, but also those in other sectors such as digital providers, postal services, waste management and other services essential to our society. The Directive introduces crucial measures for the management of cybersecurity-related risks and reporting obligations for significant incidents.

Key cybersecurity requirements under NIS2

To achieve compliance, you will need to address several critical requirements:

  1. Risk Management: Implement robust measures to manage cybersecurity risks, including incident response plans, vulnerability management, and regular risk assessments.
  2. Incident Reporting: Report significant incidents to the Center for Cyber Security (CCB) within 24 hours of detection, with a follow-up detailed report within 72 hours. It is important to register your organization with the CCB now if you need to comply with NIS2.
  3. Supply Chain Security: Ensure the security of the entire supply chain, including third-party service providers and partners.
  4. Governance and Accountability: Establish clear governance structures, designate responsible individuals for cybersecurity, and provide regular training for staff. Additionally, boards and management need to be trained on cybersecurity to assume their responsibilities and liabilities as required by the NIS2 legislation. To make management decisions on cybersecurity strategies and measures at board level, basic knowledge of risk management and cybersecurity is indispensable.
  5. Cooperation and Information Sharing: Participate in information-sharing networks and collaborate with national authorities on cybersecurity matters.

The NIS2 Directive additionally contains the following recommendations with reference to the measures to manage cybersecurity risks:

[Figure: NIS2 recommended cybersecurity risk-management measures]

Five steps to enhance your cybersecurity posture for NIS2 compliance

Achieving NIS2 compliance can seem challenging, but focusing on key areas will help your company meet cybersecurity regulations while boosting overall resilience. Prioritizing investments ensures compliance without overextending your budget.

Assess your current cybersecurity posture

To understand where your organization stands today and to plan the next steps adequately, start by identifying the most critical vulnerabilities and the areas where existing measures fall short.

  • Know your organization: understand all processes, services, and critical assets as the first step towards effective management of cybersecurity. Having a clear view of your ‘crown jewels’ allows for targeted measures and actions that focus on the areas that would impact you the most in case of an incident or breach.
  • Perform a gap analysis: Conduct an evaluation of your NIS2 gaps to identify risks and areas for improvement. A gap analysis is crucial for understanding the current state of the company's cybersecurity posture relative to the NIS2 requirements. This process will identify where existing policies and practices fall short and where improvements are needed. Compare the gaps identified with the main recommendations and best practices, focusing on the most critical areas.
  • Have a strategic (investment) plan: Focus on investments that add real value towards the requirements laid down in the law, thus guaranteeing comprehensive management of cyber risks.

Enhance incident response capabilities

The famous saying ‘it’s not if, but when’ also applies to cyber security and potential incidents or breaches. As an organization, you must be prepared to detect, report, and respond to cybersecurity incidents rapidly. This means:

  • Setting up a dedicated incident response team (if not already in place).
  • Implementing monitoring of critical systems.
  • Conducting simulations and drills to ensure teams are prepared for real incidents.
  • Reviewing incident reporting procedures to meet the 24-hour reporting requirement.

Update policies and governance

Paperwork has never stopped an actual incident, but it is crucial to have the ground rules and baselines defined within your organization. You should have a framework and policy set in place that aligns with NIS2's requirements. As a first step, establish a minimum governance structure and ensure accountability for cybersecurity. This involves:

  • Assigning clear responsibility for cybersecurity at the executive level.
  • Designating a point person responsible for cybersecurity, even if it is an existing staff member.
  • Developing or updating basic security policies for key areas like password management, access control, and incident response.
  • Regularly training staff on cybersecurity best practices.
  • Establishing an internal audit or control function to review cybersecurity practices.

Strengthen supply chain security

NIS2 places a strong emphasis on securing the supply chain, hence as an organization it is important to address those supply chain security requirements. You should:

  • Understand your own position in the larger supply chain and the requirements you place on external stakeholders upstream.
  • Identify key third-party service providers and request evidence of their cybersecurity measures (e.g., certifications, audit reports) to assess their security posture. Focus on your high-risk suppliers first. Use a basic checklist to assess third-party risks and prioritize suppliers based on the sensitivity of the data or services they provide to you.
  • Include cybersecurity requirements in supplier contracts and ensure that you can comply with the requirements imposed on you by partners or clients.
  • Develop a process for monitoring third-party risk continuously, as non-compliance with contracts will have a more direct impact on business operations than any NIS2-related deficiencies reported to the CCB.

Leverage available resources and guidance

Belgium's Center of Cybersecurity (CCB) and the European Union Agency for Cybersecurity (ENISA) provide guidelines, frameworks, and resources, such as the ‘CyberFundamentals’ framework, to help companies comply with NIS2. Do not try to re-invent the wheel or use complex models. Take advantage of these materials to accelerate your compliance efforts.

Long-Term Focus: building a sustainable cybersecurity program

With the NIS2 compliance deadline fast approaching, companies must act quickly. Key actions include conducting a gap analysis, enhancing incident response capabilities, securing your supply chain, and updating governance structures. By prioritizing these actions, your organization can significantly improve its cybersecurity posture and avoid the consequences of non-compliance.

By focusing on essential actions in the short term, your organization can make meaningful progress. A phased, long-term approach to building a mature cybersecurity program will ensure sustained compliance and improve resilience.

The role of technology in NIS2 compliance

Affordable tools such as open-source software, cloud-based monitoring, and basic risk management platforms can automate tasks like vulnerability scanning and incident detection, reducing manual effort and lowering compliance costs. However, these solutions must be supported by strong policies, processes, and a well-trained team.

No silver bullets for compliance

Do understand that there is no ‘silver bullet’ or miracle solution that will make your organization compliant overnight. NIS2 is about an attitude that assumes an organization is doing what it should and can do, both to prevent incidents and to handle them correctly if one does occur. Any technology solution must be complemented by strong policies, processes, and trained personnel, and must take into account the bigger picture of your environment.

How Grant Thornton can help with your compliance and cyber maturity

Implementing the full scope of NIS2 can be overwhelming. At Grant Thornton, we provide tailored services to guide organizations of all sizes through compliance.

With our deep EU network and first-hand experience, we help businesses avoid pitfalls and ensure compliance with requirements like incident reporting and third-party risk management.

We offer flexible solutions to meet your specific needs, helping you achieve and maintain compliance, now and beyond any deadline.