Simone Pelkmans has been a partner at Deloitte since the end of 2021 and leads the Digital Regulations team: that team advises on the implementation of European regulations in the field of data, cyber, AI and digital platforms. Previously, she worked as a lawyer at Unilever for 22 years, of which the last 9 years as Board member and General Counsel of the Global Foods business and Unilever Benelux. Simone started her career as an IP and corporate lawyer at NautaDutilh, where she worked for 4.5 years.
"NIS2 was adopted at the end of 2022 and is part of a broader package of European regulations. It is good to realise that there is overlap in the obligations that companies will have under the various new rules - so there is also synergy to be gained by including all applicable regulations in the analysis. Within that palette, NIS2 is the directive to strengthen the digital and economic security and resilience of the European member states and to limit the consequences of cyber incidents. This Directive focuses on the essential and important parts of the European economy and society. The individual countries translate the directive into their own national regulations. Some countries have already done so, but the Netherlands will not be able to achieve the transposition of NIS2 into the Network and Information Systems Security Act before the set implementation date of 18 October. However, we already know what we need to comply with, because NIS2 was originally written as a regulation. This means that the material requirements will be virtually the same in each country. So everyone can get started now."
"First of all, NIS2 is a board responsibility. Directors, supervisory directors, supervisors: they must understand and support the importance of NIS2. Boards need to gain a better understanding of cybersecurity in their organisation, be involved in formulating policy and allocate resources. Another obvious party: the Chief Information Security Officer. CISOs and their IT departments are indispensable when it comes to ensuring information security. They can translate the NIS2 directive into specific measures for the organisation. The IT department can take care of the technical implementation of security measures. And they need to work with the information security team again to ensure that systems and networks meet the new requirements. Then, of course, there's the legal department. They can analyse the NIS2 directive and advise on the legal implications for the organisation. They can also draw up the policy documents and contracts."
"You can certainly also think of the risk management department. The risk management team should identify the risks your organisation faces related to network and information systems. They can help to prioritise security measures. And then there are the various operational departments, such as production, logistics and customer service. It is good to involve them in identifying critical systems and processes as well. They can provide input on the impact of security measures on their day-to-day operations. And don't forget the communications department: awareness is one of the most important elements in creating cyber resilience. So communication to internal and external stakeholders is of great importance, but so is employee training. And in the event of an incident, it is essential that the communications department can switch quickly. In any case, the best approach is to work closely together in multi-disciplinary teams."
NIS2: a new stick to beat with? On the contrary, it is a tool.
"With these new developments, there is a lot coming at us and no one can oversee all those rules and their consequences on their own. You really need the various areas of expertise in the organisation to come up with a coherent, comprehensive and well-substantiated plan. At Deloitte, for example, my Digital Regulations team works together with the people from cyber strategy, with the legal specialists, with our CISO and our CTO. In addition, we also provide internal training, for example, to ensure that the most important elements also penetrate deeper into the organisation."
"First, take stock of what you already have. What plans, strategies, agreements and resources are already in place that contribute to our cyber resilience? Do we already have a risk management system in place? Do we think that system is good enough or are we already seeing new risks that we were not aware of before? Next, look at: what are the biggest risks for us? Based on such an assessment, you will get an idea of where any gaps are. Then formulate your strategy: how are you going to close those gaps? Which one do you tackle first? And what I also often advise: also mention why you are not yet doing certain things. After all, you can't tackle everything at once, so put down on paper why certain things have been given a lower priority. That at least makes the process, for example also for a supervisor, transparent."
"No, that's a misunderstanding. However, it can be more complex for international companies to formulate an unambiguous policy. For example, you will need the bottom-up input of the individual countries to get a picture of how the different countries are doing. How mature are cybersecurity and resilience by country? You also need to have a good overview: what is the scope of your organisation and what are the different activities per member state? Think of a food producer who markets products in one country, but only transports them in another. These are issues that arise not only for Dutch companies with foreign branches, but also, for example, for non-European companies operating in the EU. Or suppose you have recently taken over a company that still operates more or less independently. Even in that situation, it is important that you have a clear picture of the state of affairs there. Are they on the same level when it comes to cybersecurity or does it deviate? Only when you know that can you decide what measures you need to take."
"I understand that people can have a certain Pavlovian reaction: 'The Netherlands is not yet finished with the introduction of these rules, so we can wait and see'. But then you're missing out on a big opportunity. It is not for nothing that cybercrime is now in the top three of greatest risks for most organisations. Ultimately, the new rules are intended to make organisations more resilient and we will have to comply with them no matter what. So avoid rushing work that will probably also be more expensive and make use of the extra time you have left. I prefer to approach it positively. NIS2 helps make your business safer and healthier. It can also take you to a higher level of knowledge. And it's certainly not a stick to beat with. On the contrary, it is an effective tool. Think of it as tailwind instead of headwind."
In this first episode, we welcome Simone Pelkmans, partner in Deloitte's Risk Advisory team, and Bart Groothuis, Member of the European Parliament for the VVD and rapporteur for NIS2 in the European Parliament. Why is this regulation so essential? What are the points of attention for organisations? Find out in this first episode on NIS2, hosted by Shay Danon.