NIS2: a matter for lawyers, IT professionals — or both?

NIS2 is all about the security of our data and the resilience of our essential and important sectors. Sebastiaan ter Wee on cybersecurity compliance, the role of the Chief Information Security Officer and the need to build bridges. And, of course, about the importance of information security — for any party.

Sebastiaan ter Wee became an attorney-at-law in Brussels in 2009 and later in The Hague. In 2015, he became a corporate lawyer at Aegon, and in 2023, he left the company as Group Chief Privacy Officer and Head of Legal Digital. Since then, he has been a Partner in Digital Regulations at Deloitte. Sebastiaan lives with his wife and two daughters in Rotterdam.

To start with: is NIS2 more of a topic for lawyers or for the IT department?

"To answer that question, we first need to look at an important difference between the European and American approach. I'm talking specifically about privacy versus security. In Europe, with the introduction of the General Data Protection Regulation (GDPR) several years ago now, we have contributed to shaping the fundamental human right to the protection of privacy. Initially, this mainly resulted in paper-based controls: documentation of policies and processes. Less attention was paid to technical safeguards. In those first years since 2016, it was mainly lawyers who started working with the GDPR. The data protection officer was often defined as a compliance function rather than a more technical one. But... as a result, there was often insufficient attention to information security, to data and its quality, while the GDPR is, in fact, legislation that deals with the use of data and more specifically personal data."

And in the U.S., they took a different approach?

"Correct. There, they focused less on privacy and much more on data protection. Attention was paid to unauthorized access and misuse of information. Companies were required to implement safeguards for data security and to invest heavily in technology. This created an entire sector dedicated to this, and the position of CISO automatically became a very difficult one. Over time, this also resulted in executives within the information security domain who came from a technical background: they matured quickly and with great responsibilities. But not necessarily executives who could also effectively communicate with the Board, Supervisory Board and Authorities."

How did this difference play out in Europe?

"Around 2021, we roughly found that the European approach led to two types of gaps. First, in practice, we lacked sufficient control over data and data management to be able to properly implement the GDPR and related legislation. And second, there was a disconnect between cybersecurity and the legal department — they spoke too little with each other. They thought they had little in common, while in fact, they should have been working closely together. Because: there is no privacy without information security and no proper information security without good management and clear data. As this insight grew, information security for the purpose of GDPR compliance gained increasing importance."

"No privacy
without information security."

Did this also have to do with the introduction of NIS2?

"It was already apparent that NIS1 was actually too soft, too limited in scope. With NIS2, the scope has been broadened, and third-party risk management and individual liability for directors are now also ingrained in the law. The latter in particular raises questions, if only out of self-interest on the part of the directors: Do I have the right people and the right organisation in place to deal with NIS2? Is our CISO strong enough? As previously mentioned, many CISOs have ended up in heavy managerial positions coming from a technology background. That is fine, but the position also requires serious managerial competencies: you have to be able to manage teams, conduct internal politics, and engage with regulators such as, in the Netherlands, the State Inspectorate of Digital Infrastructure (RDI) or, in the case of financial institutions, the Dutch Central Bank (DNB) and the Dutch Authority for the Financial Markets (AFM). This therefore requires a broad profile, covering politics, technology and governance. So directors' and officers' liability has contributed to directors taking a much more critical look not only at the qualities of the CISO, but also at the cyber risk to the company and its risk management."

How does the role of the CISO fit best into the organisation?

"My professional preference: a CISO with an understanding of technology. In many organisations, the CISO is part of the IT organisation. However, a Chief Technology Officer or IT Director often also has an innovation agenda. Innovation requires funding, but so does information security. Where these two diverge, they can come into conflict with each other. And then the question arises: is there still enough budget for the CISO and his information security agenda? Interestingly, over the years, security departments have come to realise that the legal department can help them to emphasise the importance of information security. After all, from a legal or risk perspective, there is a desire to protect data properly, regardless of whether that desire stems from the GDPR, NIS2, the Critical Entities Resilience Directive (CER), or from a supervisory authority. So lawyers and IT professionals had to build bridges between them, the ‘alphas’ and the ‘betas’ had to learn to speak the same language. In other words: the lawyer must move to technology, and the technician must move towards better understanding and helping to implement the legal obligations. It is, by the way, exactly the reason why I joined Deloitte a year ago, to bridge that gap. I absolutely see these two functions as interdependent."

And what happens if those two functions don't talk to each other?

"Then you run the risk of non-compliance to begin with. But there is more to it. If no bridge is built between the law and daily practice, things will fall out of sync, and departments will begin pointing fingers at each other. This creates operational risks, but under NIS2, also liability risks for the boards. Of course, several disciplines are represented on most boards, the CEOs, CFOs, CIOs, General Counsel, etc. will often bear joint responsibility. And that's a good thing."

"Lawyer and technician:
they are interdependent."

You mentioned chain responsibility. How do you look at that?

"It is usually the lawyers who negotiate with supply chain partners, not their colleagues from the information security teams. If the lawyers only paid attention to legal risks, liabilities and indemnities, you would get a nice contract. But as long as you don't also consider information security requirements, you are probably not yet compliant. If something goes wrong at a third party that indirectly falls under NIS2, then you do have a problem. For example: if a supermarket chain has outsourced its supply to a logistics partner and that partner is hacked, the management of that supermarket can still bear a certain degree of liability. This is a situation in which you want to be able to rely on a solid and comprehensive contract, not just on the law. And in that contract, information security must also be properly addressed, which, again, requires close collaboration between lawyers and information security professionals."

Is this a common issue in many organisations?

"Companies and institutions are currently working hard to build professional teams that focus on data, information security and compliance with related laws and regulations. These organisations often have a long way to go. It is important to realise that this is not only about compliance with NIS2 and the CER Directive but also, for example, the AI Act and the Data (Governance) Act. There is still a lack of familiarity with this domain, and setting up the entire framework often comes at significant cost. For large companies, this may not be an issue, but in the Netherlands, an estimated 60,000 companies fall under NIS2, the majority of which are SMEs of all shapes and sizes, each with its own risk profile. They will have to put in serious effort, as Europe still has a lot of catching up to do in the field of information security. And then there's also the delay in transposing the NIS2 directive into Dutch law. But let's not forget what this is all about: ultimately, NIS2 exists to protect our critical infrastructure! The Netherlands is a highly open, networked society with all the vulnerabilities that come with it. Over the past decades, we have not been sufficiently aware of the risks."

Back to the boards and directors. What do they need?

"Directors already had a responsibility for their task and bore general managerial responsibility, but in practice, the threshold for being held accountable was quite high. However, things are now changing: under NIS2, directors are also individually liable for the information security aspect of their company. Those directors must therefore be trained in information security. What does the threat landscape look like? Where are the major risks? This already requires a lot of knowledge. But you must also be able to assess whether the CISO is taking the right steps and making progress. If you have to sign off on the information security policy, you have to understand both the policy and the reporting done on information security."

Any final words of wisdom?

"I would like to say, particularly to lawyers: make sure you can think proactively and strategically. And don't think solely from a legal perspective: this topic requires risk-based thinking, thinking in different levels of risk. And that is only possible if you are able to think along with your CISO on both a technical and operational level. In the end, you are allies, and there needs to be a bridge between you."

In this episode, we will discuss what NIS2 means in the field of directors' liability. What can you do as a director and what do you have to do now? Lokke Moerel and Sebastiaan ter Wee will discuss this with each other under the guidance of Shay Danon.