Nis2: cybersecurity law with teeth

Phishing, hacking, spoofing: cybercrimes can be in any shape or form. Gone are the days when entrepreneurs would consider cybersecurity to be the furthest thing from their minds. Media outlets have often reported on large-scale security breaches or hacking incidents that would, for example, put a halt to an entire production line or keep planes on the ground for days. But even the incidents that don’t make the news can still do a lot of harm to your business.

On 18 October 2024, the new NIS2 Law will enter into force. This new law, which stems from an EU legislative initiative, aims to boost the level of cybersecurity in our country and will certainly affect many businesses directly.

What’s important is that the new NIS2 Law has a very broad scope of application and imposes specific obligations on both private companies and government bodies that are in scope.

In this newsletter, we’ll guide you pragmatically through the new rules so that you can gain a deeper understanding of how the NIS2 could impact your business.

Let us zoom in on the following topics:

  • What is the NIS2 Law exactly?
  • What sectors and businesses must certainly put NIS2 on their agenda?
  • What are the requirements under NIS2?
  • How strict are the NIS2 sanctions?
  • Side note: will you remain out of harm’s way?
  • SOS NIS2

1. The NIS2 Law: what does the acronym stand for?

In a world where cybersecurity is becoming increasingly important, the Belgian legislature introduced the NIS2 Law. “NIS” stands for “Network and Information Security.” The objective of NIS2 is clear: to improve the digital resilience of EU Member States by working towards greater harmonization and a higher level of information security and cybersecurity in private and public organizations.

The NIS2 Law is the Belgian implementation of the EU NIS2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union). The NIS2 Law amends the earlier NIS1 legislation and broadens the scope of application considerably.

2. To whom does the NIS2 apply?

Whether your organization (a private or public entity) falls under the scope of the NIS2 Law depends on three criteria: the sector you’re in, the size of your organization, and your connection with Belgium.

First, NIS2 applies to entities that are active in a sector listed in Annexes I and II of the law. Some examples of the listed sectors are: transport, energy, healthcare, digital infrastructure, ICT service management (B2B), and digital service providers.

Government authorities and public agencies can also fall under the scope of NIS2 as soon as they mainly carry out activities within one of the mentioned sectors. Hospitals, transport companies, or public-law-governed ICT service providers, for example, will not be able to dodge it.

Besides the sector in which you operate, the size of the entity is also important for determining the applicability of the NIS2 Law. In principle, the NIS2 Law applies if an entity has at least 50 full-time employees (or equivalent) on its payroll and generates more than EUR 10 million in revenue a year. But note that NIS2 provides for numerous exceptions to these requirements, so the size of a company is not always conclusive in determining the applicability of the NIS2 Law.

NIS2 applies to Belgium-based entities that provide services within the EU. There are exceptions to this as well, which apply to certain types of service providers.

Do you want to know if your company falls within the scope of this law’s application? Let Monard Law’s experts provide you quickly and efficiently with more certainty about it.

3. What obligations does the NIS2 Law impose?

Once you have determined conclusively whether you fall under the scope of NIS2, it is important to know what specific obligations apply to you and, even more importantly: what impact does this have on your business?

Let us explain more about what you can expect from it.

If your organization falls within the scope of the NIS2 Law, you must fulfil several obligations:

  • Registration

You must register your company on the Safeonweb@Work platform. For most organizations, the deadline for this is 18 March 2025.

  • Cybersecurity measures

You must take appropriate technical and organizational measures to manage cyber risks.

  • Notifying incidents

Major incidents must be notified to the national task force at the Centre for Cybersecurity Belgium (CCB) known as the Cyber Emergency Response Team (CERT) within 24 hours. There are specific procedures to follow when notifying incidents and following up on them.

  • Management responsibilities

The governing body of your organization must approve the cybersecurity measures and monitor how they are implemented. Moreover, members of the governing body must undergo appropriate training.

The scope of these obligations can vary depending on whether an entity’s activities are qualified as being essential or important. For example, the “appropriate” cybersecurity measures for a company of a considerable size in an essential sector are obviously more extensive than those of a smaller market player in a less essential sector.

4. Sanctions: what are the specific risks if you don’t comply with the NIS2 obligations?

As the title of this newsletter suggests: NIS2 is a cybersecurity law with teeth. Failure to comply with the NIS2 obligations can trigger different measures and sanctions for the entities and their directors.

Besides recommendations and orders, the authorities responsible can enforce the NIS2 obligations by imposing fines of up to EUR 10 million or up to 2% of the entity’s total worldwide turnover in the previous year. The authorities responsible can also order a temporary suspension of an accreditation or authorization/permit relating to the services provided or activities run by the incorrigible entity.

Non-compliance with the NIS2 obligations affects not only the entity but also its governing bodies. This is because the NIS2 Law holds the governing bodies liable for NIS2 violations.

5. Side note: is it out of range but still in sight?

If you don’t fall within the scope of application of the NIS2, then you have some breathing room. However, that doesn’t mean that your company is not at risk at all. You should still investigate the security of the systems that you are using every day.

It could also be useful to gather information about insurance options.

Plus, remember that if an entity does not immediately fall within the scope of NIS2, that does not automatically mean that it’s off the hook. Important business partners in your commercial relationships could well fall within scope, and that will have a direct impact on you. For example, if your supplier must invest in extra security measures, that can affect the prices that you both had agreed on. In addition, you’ll need to give narrowly worded liability clauses the required attention to prevent certain risks from being allocated unfairly.

6. Conclusion

The NIS2 Law brings along major changes for many Belgian organizations. It is crucial to determine whether your organization falls within the scope of the NIS2 Law, and if it does, to take the necessary steps to become compliant. By being proactive, you can fulfil the requirements under the law and boost the cybersecurity of your organization significantly.

Monard Law is eager to support you by helping you identify your legal obligations under the NIS2 Law. With that, your company can minimize its legal risks and the economic impact that cybercrimes can have on your daily business operations.

If you can no longer see the forest for the trees, did you know that getting specialized support could also be subsidized (entirely or partly)? We’ll gladly explain all the possibilities to you.
