Many organisations may experience the growing body of regulation as an obstacle course they must struggle through to comply with all the new laws and regulations introduced in recent years. Earlier this year, for example, I wrote about DORA, which was welcomed with some fanfare. Another piece of legislation on the horizon is the Cybersecurity Act, the Dutch implementation of NIS2. If you would like to read more about this, you can find everything you need to know about NIS2 via this link.
Some may think: “It is not in force yet, so we can take it easy.” Unfortunately, that approach may lead to an unpleasant surprise. In this blog, I take a closer look at the duty of care that applies to organisations falling within the scope of NIS2. A small disclaimer: there will be quite a few references, and some prior knowledge of NIS2 will be helpful. For example, you may want to read this earlier blog on NIS2.
The Network and Information Security Directive 2 entered into force on 16 January 2023, quite some time ago now. The intention was for national legislators to transpose NIS2 into national law by 17 October 2024. Unfortunately, this did not happen. For the time being, this means in practice that organisations falling under NIS2 do acquire certain rights, but do not yet have obligations. We do already have a reasonable idea of what to expect. The Cybersecurity Act and the accompanying Cybersecurity Decree (an order in council) have completed the consultation phase, and the comments received are hopefully being processed at the moment.
The substance of the duty of care can be found in Article 21(1) NIS2. The Dutch National Cyber Security Centre (NCSC) summarises it as taking measures to protect your network and information systems. These measures are then elaborated in Article 21(2) NIS2. Broadly speaking, they cover policies and measures relating to:
risk analysis and information system security;
incident handling;
business continuity, such as backup management, emergency planning and crisis management;
supply chain security;
security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure;
the effectiveness of measures against cybersecurity risks;
basic cyber hygiene practices and training;
cryptography and encryption;
security aspects relating to personnel, access control and assets;
multi-factor authentication or other authentication solutions.
The intention is for this to be further specified in national legislation and orders in council, so that all sectors covered by NIS2 have a clear indication of what they need to take into account. This does not apply to all sectors, however. For the digital sector, for example, we need to look elsewhere. I will return to this later.
In the Netherlands, this will primarily be addressed through the Cybersecurity Decree (Cbb), which has just completed the consultation phase but is not yet in force. Articles 6 to 18 of the Cbb set out the duty of care for all important and essential entities under NIS2. These can reasonably be grouped into ten concrete measures, and the NCSC has therefore identified ten measures that organisations can, or must, implement. This provides a solid package that many organisations can start working with.
An important principle in the Cbb is that entities must demonstrably apply the policies through which they give effect to the duty of care. Merely documenting the policy, which is also a requirement, is therefore not sufficient. The explanatory memorandum to the Cbb puts it as follows:
“the purpose of these provisions is for entities to formulate well-considered policies on the specified topics, to formally adopt those policies, to actually implement them, and to enable effective supervision of this process.”
In addition, further ministerial regulations may be issued on a sector-by-sector basis, allowing account to be taken of the specific nature of a sector, subsector or type of entity.
For the digital sector, we need to look at the implementing provisions on the cybersecurity of critical entities and networks. These have been laid down in the form of an implementing regulation, the NIS2U (which I pronounce as “NIS-to-you”; who knows, it may catch on). The NIS2U provides further detail, particularly for the digital sector, on the reporting obligation (Article 23(11) NIS2) and the duty of care (Article 21(5) NIS2) that apply to that sector. The duties of care under the NIS2U have already been established. Because the NIS2U, unlike the Cbb, has already been adopted, we can map out more precisely what the duty of care and reporting obligations entail for the sectors falling within its scope. For example, it clearly defines what constitutes a ‘significant’ incident for all relevant sectors (Articles 3 and 4 NIS2U) and what qualifies as a sector-specific significant incident (Articles 5 to 14 NIS2U).
The duty of care itself is derived from Article 2 NIS2U and the Annex to the Implementing Regulation. The Annex sets out, in great detail, the risk management measures that must be taken to give effect to the duty of care, far too detailed to cover in a single blog. All ten of the NIS2 points mentioned above are addressed in any event. What is important to realise is that these measures can be applied on a risk-based and proportionate basis. There is no strict obligation to implement each measure in a specific way, and there is therefore some room to shape the duty of care differently. To emphasise this, the Annex indicates for some measures that they apply “where appropriate”, “if applicable” or “where feasible”. It remains crucial, however, to be able to demonstrate that measures are actually being implemented. “Apply or explain” is therefore a useful guiding principle.
The rules that organisations falling under NIS2 must comply with can be overwhelming: NIS2 itself, the Cybersecurity Act and Decree, implementing regulations, and potentially additional orders in council or ministerial regulations. Fortunately, the government is encouraging alignment with existing standards frameworks. In healthcare, for example, there will be strong alignment with NEN standards (NEN 7510); for government bodies, with the BIO (a new version, still to be developed, is to be anchored in legislation); and although no explicit statements have been made, ISO 27001 certification will also provide a very solid basis for fulfilling the duty of care. The latest NEN 7510 standard already takes NIS2 into account, although auditors are not yet accredited to certify organisations against it. There are also a few minor errors in the NIS2–NEN 7510 mapping included as an annex to the standard.
In practice, NIS2 quality marks and certificates are also frequently encountered. These are a way of demonstrating compliance with NIS2 obligations, but they have no official status. Although these are positive initiatives and self-regulation is encouraged, such certificates do not mean that your organisation automatically complies with the law. The central government also does not make substantive statements about these forms of self-regulation and merely refers, without conferring any rights, to the tools it has published itself.
Even with the tools already provided by the government, preparing your organisation properly for NIS2, the Cybersecurity Act and all related obligations can be a significant challenge. We can of course help with this. Whether it is conducting baseline assessments, gap analyses, updating your supplier management or providing audit support, we help you address the nuisance of NIS2 in time, without tripping up.