New cybersecurity law should better protect essential sectors

The European Union (EU) is making significant efforts to enhance the cyber resilience level of European companies in essential sectors. Following the introduction of NIS1 in 2016, the EU now presents the second revised Directive on security of network and information systems (NIS2). This new directive encompasses more sectors that are vital for the economy and society and clarifies which companies are part of an essential sector. Evert Stamhuis, Professor of Law & Innovation at Erasmus School of Law, and Wouter Scherpenisse, PhD candidate at Erasmus School of Law, explain the new directive and its importance in an interview with Arts en Auto.

"Due to our strong interconnections in Europe, it is crucial that all countries operate at the same high level of security," Stamhuis begins. "For example, in 2017, it became painfully clear when the Port of Rotterdam was shut down for a few days due to a ransomware attack called NotPetya. The rest of the EU was affected as well." NIS1 positively addressed European cyber risks, but differences arose between member states during national implementation. For instance, healthcare was considered an essential sector in Germany but not in the Netherlands. With the implementation of NIS2, this disparity will be eliminated as healthcare will be designated as an essential sector by Brussels.

Scherpenisse agrees this is a logical choice: "We observe an increasing threat, including in healthcare, where digitization has become a focal point. A few years ago, NHS hospitals in England were hit by a major cyber attack. The same can happen in the Netherlands." NIS2 impacts numerous companies and will increase the administrative and financial burdens on businesses. However, Scherpenisse sees it as an opportunity: "The potential impact is comparable to the introduction of the GDPR, but NIS2 should not be seen as a burden from Brussels. It is a step toward a digitally safer sector, even if not everyone perceives it that way. People only truly appreciate the importance of cybersecurity when it falls short."

At first glance, the new directive seems to apply only to companies with more than fifty employees and an annual turnover of ten million or more, but Stamhuis explains it differently: "That's the ripple effect. Since general practitioners, physiotherapists, and dentists are digitally connected to larger entities such as healthcare information system (HIS) providers, they must also take measures. This means, for example, attending cybersecurity training and offering it to their staff while demonstrating that everyone has completed the training."

Stamhuis advocates that companies assess whether their security policies align with NIS2 before the law takes effect in the Netherlands: "If not, you can work with your IT administrator to determine what is necessary to meet those standards." Scherpenisse adds that the new law will come into force in the Netherlands by 17 October 2024, and it is advisable to comply with the cybersecurity standards of NIS2: "Enforcement will not begin immediately the next day, but the regulator will have tools to enforce compliance. Entities under the NIS2 regime may face fines of up to ten million euros or two percent of their total annual turnover."

More information

Click here for the full article from Arts en Auto (in Dutch).