
Government organisations can already get started with NIS2

With the Network & Information Security 2 Directive (NIS2), the European Union is taking an important step in improving cyber resilience in critical sectors. A lot will soon change for governments as well. Elly van den Heuvel answers questions and provides practical tools that governments can already use today.

Elly van den Heuvel is Director Risk Advisory at Deloitte. In the past, she was director of the National Cyber Security Centre and secretary of the Cyber Security Council. She has extensive experience with complex issues in this field. Her focus: helping government and corporate executives take a strategic and integrated approach to their cyber resilience.

For starters, how does NIS2 fit into the bigger picture?

"We are faced with a large body of new European digital regulation. A few years ago we got the General Data Protection Regulation, aimed at strengthening the privacy rights of citizens, and regulation in the field of platforms, the Digital Markets Act and the Digital Services Act, is now being added. In addition, agreement has been reached within Europe on the Artificial Intelligence Act, and there are laws on cyber resilience. NIS2 is one of them, specifically aimed at strengthening cybersecurity and resilience in critical sectors within the Member States."

Is NIS2 just another batch of rules?

"I understand that it can feel that way for governments and companies. It is true that there is a lot to be done, and many people feel that it comes on top of their existing work. But at the same time it is also inevitable, especially given the threats we have seen in the digital domain in recent years. We need to act now. The new European rules serve as the basis for a new Dutch law on digital security, which is currently being drafted. As things stand, this law will be submitted for consultation before the summer. But we certainly don't have to wait for that: the directive is very clear about what needs to be done."

What are the main changes?

"In short: compared to the current NIS, the new directive covers more sectors, including the public sector. It sets strict standards for digital security, and there will be an obligation to report incidents. Organisations need to take action on their own cyber resilience. If you don't, it can have consequences for continuity: not only of your own organisation, but also of the other organisations in the chain of which you are a part. The EU is serious about this: as a director you can be held personally liable, and as a company you can be subject to hefty fines. And good to know: NIS2 does not look at isolated systems or organisations. In the renewed vision, vulnerability also lies between different networks, organisations, suppliers and other partners. So chain partners will demand that you comply with the new legislation, and vice versa: you will also have to set requirements for your suppliers."

Shouldn't we wait for Dutch law?

"The government sector is an example of a new sector that falls under NIS2. NIS2 applies both to the national government and to municipalities. And although there were initially voices within the VNG (the Association of Netherlands Municipalities) in favour of waiting for more clarity and for the renewed Government Information Security Baseline, there is nevertheless work that can be done immediately. And that is not always easy, especially for smaller municipalities."

Can governments help each other?

"That's certainly possible. Let's take a side step to the business world: in practice I see that many companies want to, but don't always know how to go about it. They ask themselves: 'When are we doing enough? Where do we get the people who can take care of this for us?' And there is a pitfall that is all too human: once you have engaged an external party, it feels as if you have relinquished responsibility for your cyber security. Fortunately, we see more and more organisations helping each other. This is also necessary in the public sector, and between the business community and governments."

Collaboration is essential for cyber resilience. No one can do this alone.

Does that have to do with security in the supply chain?

"Absolutely. NIS2 explicitly refers to the chain of suppliers and buyers. Wherever you work with partners, there is now a clearer responsibility than before: you will also have to check whether they meet the required security criteria. And you should think about alternative suppliers, in case a party doesn't meet your requirements. Cyber resilience is a multidisciplinary matter: involve the procurement, legal and communication departments, for example, in the implementation of NIS2. Internally and externally, collaboration is more essential than ever. No one can do this alone. You will have to work together on a solid and professional structure and build up sufficient trust. But don't forget: all these developments also offer new opportunities."

What are the opportunities offered by NIS2?

"In recent years, citizens' trust in the government has been under severe pressure. On the other hand, governments that now have their digital affairs in order and handle data with care contribute to restoring that trust. A second opportunity lies in the field of innovation. Once the digital foundation is in place, applying new technologies becomes easier and more effective. Government agencies are offering more and more services digitally; everyone has started emailing, texting and chatting. New developments are moving at lightning speed; in fact we are constantly innovating. And a piecemeal approach to AI, for example... yes, of course that's not going to work. If you want to steer all these innovations in the right direction, it is essential that you also have digital security in place. Only then can you successfully embrace innovation."

What does the near future look like?

"Originally, the Dutch implementation of NIS2 was planned to come into force in October this year. We are not going to achieve that in the Netherlands; we are heading for the beginning of 2025. Still, as mentioned, you can get started now. That is also how the regulators will look at it. They won't be knocking on your door the next day, so you don't have to meet all the requirements immediately. But you do have to be able to demonstrate that you have seriously set things in motion. And of course, in the end, those who do nothing can expect severe sanctions. So my main message is: make a good plan of action now."

What can governments already do in practice?

"You can already do a lot. For example, Article 21 of the directive is already quite clear about the measures to be taken. Are you unsure whether you fall under NIS2? Then go to the website of the Dutch Authority for Digital Infrastructure (RDI), where you will find a practical tool to check this. There you will also find a quick scan that will help you prepare for NIS2. Furthermore: immerse yourself in the matter. Have a NIS2 readiness assessment performed. Where do you stand in relation to the legal requirements? What still needs to be addressed? And what are the priorities? NIS2 boardroom training is also in order: board members must invest in their own knowledge and skills so that they can make well-founded decisions, such as what we want or should invest in.

And there are many more practical matters. Check the contracts with your current suppliers: is it clearly described what you expect from each other and what you can count on? Also keep in mind that it's about more than what a CISO can do. Opt for a multidisciplinary approach and involve the procurement and communication departments, for example; that is how you make the most impact. Can't figure it out? Give us a call; at Deloitte we are happy to think along with you. Incidentally, NIS2 should not even be the main reason to get started: strengthening cyber resilience is in the interest of the organisation anyway. So roll up your sleeves and get started today."

Also listen to the Podcast: NIS2 Next-Level Cyber Security

Host Shay Danon takes you into the world of the new NIS2 regulations in this podcast. Together with top experts and influential guests such as Bart Groothuis and Hester Somsen, discover why these regulations are crucial and what your organisation needs to know and do to stay compliant. Stay abreast of the latest developments around NIS2 and learn how to take your cyber security to the next level.

#2 Deepdive NIS2 - Hester Somsen & Elly van den Heuvel
