In recent years, the European Union (EU) worked on a set of regulations for a safer digital environment. The importance of security will emerge with the advent of the NIS-directive1, and its transposition into Belgian law applicable as from 3 May 20192. With the NIS-directive the EU wants to harmonize the minimal level of security of network and information systems. More attacks on critical infrastructures are happening. After all security is just like the current market, a cross-border issue.
Who must comply?
The NIS directive applies to:
1.Operators of essential services established in the EU (e.g. electricity suppliers, airlines, railway infrastructure managers and financial institutions). Your organization is an operator of essential services if you meet the following three criteria:
- The entity provides a service which is essential for the maintenance of critical societal and economic activities;
- The provision of that service depends on network and information systems; and
- A security incident would have significant disruptive effects on the essential service.
2.Digital service providers who are established in the EU or provide services to people within the EU and have an EU representative (all providers of online marketplaces, online search engines and cloud services).
Consequences of non-compliance
The NIS-directive foresees both criminal (in court) and administrative (with fines) sanctions for operators of essential services and digital service providers that do not comply with the obligations.
How to comply with NIS?
The NIS-directive is all about preventing incidents with the appropriate technical and organizational measures and reporting incidents to the right authority when they occur. Your organization must:
- take technical and organizational security measures that can avoid incidents or limit their impact. An “Incident” refers to any event that has or may have a real negative impact on the security of network and information systems;
- have a security policy (“I.B.B.”);
- report an incident as soon as it occurs.
According to Belgian legislation, ISO27001 and ISO22301 (BCM) certifications are adequate standards in order to meet these requirements. The certification ensures that you comply with the NIS-directive. They certify that the necessary steps within your organization towards security are taken.
So let’s stop talking about security and start implementing!
[1] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
[2] 7 APRIL 2019. – Law establishing a framework for the security of network and information systems of general interest for public security
