On 16 January 2023, the so-called "NIS-2" Directive entered into force.

It replaces the 2016 NIS-1 Directive (transposed into the 2019 NIS-1 Act), which is often called the very first cybersecurity legislation in the world.

The proposal for the new NIS directive was tabled by the European Commission in December 2020. After a swift negotiation process, the final text was adopted by the Council and the European Parliament two years later, and published on 27 December 2022 and went into effect 20 days later. Our country now has 21 months, until 17 October 2024, to transpose the NIS-2 directive into national legislation.

We already discussed why NIS-1 needed an update and what the discussion points were, here.

In essence, this NIS-2 directive aims at the same three goals as its predecessor, but this time much more and more comprehensively than in 2016:

• National governments need to invest more capacity in cybersecurity;
• More European cooperation between cybersecurity authorities is required;
• A much larger number of important operators, in more critical sectors of our society, have to take (even more) safety measures and report significant incidents.

The biggest expansion is found under the third objective. Whereas NIS-1 had 6 sectors, 12 sectors are now being added (including government services, the food, chemical and manufacturing industries and also the energy and health sector are seeing an increase in the types of organizations). In addition to active selection by governments, (as a minimum) all large and medium-sized organizations must meet the obligations. These are all organizations with more than 50 employees or with an annual turnover of 10 million euros that are active in these sectors. In Belgium, we will therefore see an increase from about 100 to about 2500 NIS entities.

In addition, significant incidents must now be reported in 3 stages:

• an early warning within 24 hours (if the incident may spread further);
• a full notification within 72 hours (similarly as for the GDPR);
• a final report within the month.

The directive also provides a list of general risk management measures for organizations, which each member state will develop further.

Large companies in the most critical sectors ('essential entities') will be more strictly controlled. There will also be more severe more specific sanctions rules (which in extreme cases can amount to 10 million EUR in fines). And the top management of each entity will be the focus of greater awareness raising, so that cybersecurity becomes a real boardroom issue.

NIS-2 contains many (new) elements and nuances. For more detailed information about the various aspects and obligations that are coming: see NIS2 page on our website. The full text of the Directive can be found online.

In the meantime, the CCB has started consultations for implementing this directive, with a view to presenting a new Belgian NIS Act before October 2024. Obligations for organizations will take effect at the end of 2024, but of course it is better for them to start increasing their cyber security as soon as possible. In the coming weeks, the CCB will publish a framework with concrete and practical safety objectives for organisations, and later this year a platform will be launched to streamline the CCB's sharing of recommendations and information about threats. Together, we can make Belgium one of the least cyber-vulnerable countries in Europe.