NIS2 Act: companies must be more alert to the issue of cybersecurity

PKF BOFIDI Legal


Since 18 October 2024, the “Directive on measures for a high common level of cybersecurity across the Union” (Directive (EU) 2022/2555, in short “the NIS2 Directive”) has been transposed into Belgian law (the “NIS2 Act”), which may entail a number of new obligations for companies.

What is the NIS2 Act?

“NIS” stands for “Network and information systems” (i.e. cybersecurity). NIS2 is the successor to the earlier NIS1 Directive. The scope of that Directive proved too limited to keep pace with the growing number and impact of cyber threats.

NIS2 aims to address this by, among other things, significantly expanding the scope and obligations, as well as providing sanction mechanisms and thus encouraging companies to make cybersecurity an important topic.

Who is covered by the NIS2 Act?

The NIS2 Act applies to entities (companies and government agencies) which cumulatively meet the following conditions:

  • They are active within one of the ‘critical’ sectors listed in NIS2. These include banking, energy, digital infrastructure and digital providers, healthcare, government, postal and courier services, etc.;
  • They are of a certain size, i.e. have at least 50 employees, or an annual turnover and balance sheet total of more than 10 million euros.

A limited number of entities (for example DNS service providers, top-level domain name registries and qualified trust service providers) fall within the scope regardless of their size.

Although the number of entities to which the act applies appears limited, the impact of the NIS2 Act is nevertheless significant.

Under the new legislation, entities which meet these conditions will also be obliged to monitor the cybersecurity of their so-called “supply chain”.

This means that all suppliers or service providers of such entities may also be indirectly subject to the obligations of NIS2 (in their contractual relationships).

What are those obligations under the NIS2 Act?

Firstly, entities falling within the scope (see above) must take appropriate and proportionate “technical, operational and organisational measures” to manage the security risks to the network and information systems they use in the context of providing their services, in order to prevent incidents or at least to limit their consequences.

Secondly, there is a reporting requirement, whereby any significant incident must be reported without undue delay to the competent national authorities. Under the NIS2 Directive this happens in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. A “significant incident” is any incident that significantly affects the provision of one of the services in the sectors covered by NIS2 and that:

  • has caused (or is capable of causing) severe operational disruption of the services or financial loss for the entity concerned; or
  • has affected (or is capable of affecting) other natural or legal persons by causing considerable material or non-material damage.

Thirdly, the subject entities must register with the Centre for Cybersecurity Belgium (CCB).

Most entities subject to NIS2 must register within 5 months after the entry into force of the NIS2 Act, i.e. no later than 18 March 2025. However, certain entities must register before 18 December 2024. These are mainly digital infrastructure and ICT service providers, such as providers of online search engines, online marketplaces, cloud computing services, etc.

Directors’ liability

The NIS2 Act also introduces a specific form of directors’ liability. If an entity is subject to NIS2, its management body must approve (and oversee the implementation of) the cybersecurity risk-management measures. In addition, directors of subject companies must follow training so that they have the necessary knowledge to identify cyber risks and to assess the measures taken. Failure to do so exposes the directors to liability.

What does this mean for your company?

The NIS2 Act is primarily focused on medium-sized and large companies within certain (critical) sectors.

If your company provides products or services to companies active in the above-mentioned sectors, your company may indirectly be affected by the NIS2 Act through the contractual requirements of those customers, especially if your services are essential for the operation of critical systems (e.g. IT services, security services, etc.).

In summary, it is advisable for every company to check whether it falls (directly or indirectly) within the scope and, if so, to take the necessary measures.

Our PKF BOFIDI Legal experts are at your service

For any further questions regarding cybersecurity, please feel free to contact our PKF BOFIDI Legal team and we will be happy to help you.

This article was written by Lauranne Piotrowski, specialising in intellectual property, ICT, data protection and privacy.
