The NIS 2 Directive: Strengthening Europe’s Cybersecurity

 November 1, 2024 | Blog
What is the NIS 2 Directive?

The NIS 2 Directive is the latest cybersecurity regulation from the European Union, designed to strengthen the protection of essential and important entities. It builds on the original NIS Directive from 2016, which was the first EU-wide legislation focusing on improving cybersecurity. The NIS 2 Directive introduces stricter requirements and extends its scope to cover a broader range of sectors and to include (digital) service providers considered essential to the functioning of the economy and society.

Why was NIS 2 introduced?

NIS 2 was created to address the growing sophistication of cyberthreats and to close the gaps identified in the original NIS Directive. As technology advances and Europe becomes more interconnected, cyberattacks pose greater risks to society, the economy, and national security. The NIS 2 Directive aims to improve the EU's collective ability to prevent, detect, and respond to cyberincidents by ensuring that member states and businesses adhere to higher security standards and cooperate more effectively.

Key differences between NIS 1 and NIS 2?

While the original NIS Directive laid a foundation, NIS 2 takes it further by:

  1. broadening the scope to include more sectors and entities as well as (digital) service providers;
  2. introducing stricter risk management requirements (and other relevant obligations);
  3. imposing more comprehensive reporting obligations (including in case of incidents);
  4. placing greater accountability on governing bodies with explicit provisions on governance and liability (for example high fines for non-compliance);
  5. strengthening enforcement powers for national supervisory authorities;
  6. emphasising the importance of cooperation and information sharing between EU countries, ensuring a unified response to cybersecurity threats.

Please note that this list is not exhaustive.

Implementation within the EU is important  

The NIS 2 Directive seeks to reduce fragmentation and inconsistencies across the EU by promoting closer cooperation among member states. Differences in national approaches to cybersecurity can weaken the overall security framework, leaving some countries more vulnerable to cyberattacks. Given that cyberthreats do not stop at national borders, the directive aims to ensure a minimum level of protection across all member states, recognising that cybersecurity is only as strong as its weakest link.

Our focus on the BENELUX

By 17 October 2024, Member States had to adopt and publish the measures necessary to comply with the NIS 2 Directive, i.e. in order to transpose the NIS 2 Directive into national legislation. Belgium, the Netherlands, and Luxembourg are currently progressing to align their national legislation with the NIS 2 Directive. Here's a closer look at each country's progress in transposing this directive:

1. Belgium

In Belgium, the relevant transposing law, the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security, took effect on 18 October 2024. It updates the Belgian legal framework on cybersecurity by replacing the Law of 7 April 2019, which established a framework for the security of networks and information systems of general importance for public safety. The new text is accompanied by the Royal Decree of 9 June 2024, which implements its provisions, such as designating the Centre for Cybersecurity Belgium as the national cybersecurity authority.

2. The Netherlands

The Cyberbeveiligingswet [Cyber Security Act] is intended to encompass the NIS 2 rights and obligations in the Netherlands. The Dutch legislative process to transpose the NIS 2 Directive into the Cyberbeveiligingswet is still in its (relatively) early stages. Between 21 May and 2 July 2024, a public consultation on the draft national act gathered approximately 150 responses from citizens, businesses, and government entities, which will lead to necessary adjustments before the parliamentary review begins in the Netherlands.

In his letter dated 16 October 2024, the Minister of Justice and Security communicated to the Dutch Parliament that he aims to submit the draft national act to the Council of State for its advice in the fourth (and last) trimester of 2024. Following receipt of such advice, the Minister aims to submit the draft national act to the Dutch Parliament in the first trimester of 2025 with the ambition of having the Cyberbeveiligingswet enter into force in the third trimester of 2025. This effectively means that the implementation in the Netherlands may be delayed by (at least) one year counting from 17 October 2024. The recent letter of the Minister of Justice and Security addresses what this means for the applicability of the NIS 2 Directive in the Netherlands in the meantime.

3. Luxembourg

In Luxembourg, the transposition of the NIS 2 Directive is still in progress and has not yet entered into effect, as the country is currently in the consultation phase. On 13 March 2024, draft law n° 8364 was submitted to the Luxembourg Parliament and is now under review by a parliamentary committee.

The Luxembourg Institute of Regulation will serve as the supervisory authority for cybersecurity matters in Luxembourg. It will be the primary point of contact for inquiries related to preventive security measures and will also be responsible for receiving notifications of security breaches concerning critical infrastructures.

A step towards a safer digital Europe

The NIS 2 Directive represents a significant leap forward in Europe’s fight against cybercrime. With stricter regulations, wider coverage, and emphasis on international cooperation, it is a critical step in protecting the digital infrastructure that powers modern society. For businesses, NIS 2 is not just a legal obligation but also an opportunity to strengthen their defences against the evolving threat landscape.

Stay tuned for further blogposts in which we will explore the specific requirements and obligations introduced by NIS 2 and how they will be enforced locally.

If you need advice or guidance on navigating this new regulation, our experienced team across the Benelux region is here to help your business comply with the upcoming requirements.
