03 Feb '23
On 27 December 2022, the NIS2 directive, the cybersecurity directive for the vital sectors, was published. It is now up to member states to transpose this comprehensive directive into national law. By October 2024, the directive must be transposed and national law under the NIS2 must be applied.
In the meantime, the national legislative process has to be completed, regulators have to get ready and the vital sectors have to implement the cybersecurity rules. Waiting is then not an option. Indeed, implementing these rules on time is actually positive for the European economy, according to Moody's.
The first cybersecurity directive (NIS1) applies to seven sectors. The NIS2 applies to as many as 18 sectors. And a legitimate and common question is; what will the oversight look like? Who will supervise which sector?
Currently - February 2023 - the following authorities are supervising the Security of Network and Information Systems Act (Wbni), which is the Dutch implementation of NIS1 Directive (see here).
These authorities are now designated as regulators for their specific sectors. Article 8 of the NIS2 stipulates that each Member State shall itself designate or establish one or more competent authorities. Those authorities will then be responsible for cybersecurity and entrusted with the supervisory tasks under the NIS2 directive. The already existing and possibly new supervisory authorities will have their place in the Wbni. It is therefore good for all existing and new sectors to keep an eye on developments in that area, to determine who will soon come to test your cybersecurity policy.
Special in that context is that the Wbni covers more (and increasingly more) than the implementation of European cybersecurity rules. For instance, the national legislator has also designated other sectors not covered by the NIS directive. Think, for example, of the ‘waterflood infrastructure’ and 'nuclear' sectors. In this sense, the Wbni is used for more components than implementation the NIS1 and NIS2 directives.
Besides the sectors identified as vital, the Wbni also provides rules that deal with the non-vital sectors. Those rules are not about security requirements they have to comply with, but about a legal basis to share threat information.
Indeed, until 1 December 2022, the National Cyber Security Centre (NCSC) was not allowed to share readily available threat information with companies outside the vital sectors covered by the NCSC. From 1 December 2022, a change in the law came into force that does allow this. It is therefore possible that your company - if not part of a vital sector - can still receive very specific threat information from the NCSC about a possible incident.
In addition, from 1 December 2022, a provision (section 20(2)(a) Wbni) also came into force that allows the NCSC to share threat information with so-called 'switching organisations'.
These organisations have been designated as link organisations through the Minister of Justice and Security and the NCSC. They are currently - February 2023 - the following organisations.
In summary; developments are following each other in rapid succession. Unfortunately, this is also desperately needed because the threats are not imaginary but real. So the cybersecurity landscape is legalising just as fast. If you want to know more about this, broadly, in more detail or specifically what this means for your organisation, we are at your service.
Contact
11 Nov 24
14 Oct 24
13 Oct 24
07 Oct 24
13 Aug 24
13 Aug 24
04 Jun 24
13 May 24
02 May 24
08 Apr 24
04 Apr 24
21 Mar 24
Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.
Stay up to date with the latest legal developments in your sector. Fill in your personal details below to receive invitations to events and legal updates that matches your interest.
Follow what you find interesting
Receive recommendations based on your interests
{phrase:advantage_3}
{phrase:advantage_4}
We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.
A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.