What does the NIS2 Act mean for your company’s cybersecurity?

28/11/2024

The NIS2 Act sets stricter requirements for businesses to get their cybersecurity in order and comply with new digital security regulations. Find out what the law entails and how to prepare your organization for it in this article.

Since Oct. 18, 2024, the so-called “Directive on measures to ensure a high common level of cybersecurity in the Union” (in short, “the NIS2 Directive”) has been transposed into Belgian law (the “NIS2 Act”), potentially bringing with it a number of new obligations for companies.

What is the NIS2 law?

“NIS” stands for “Network and Information Systems” (i.e., cybersecurity). NIS2 is the successor to the old NIS1 Directive. However, that Directive’s scope was too limited and cyber threats continued to increase. NIS2 aims to remedy this by significantly expanding the scope and obligations, as well as providing sanction mechanisms to encourage companies to make cybersecurity an important issue.

Who is covered by the NIS2 law?

The NIS2 Act applies to entities (companies and government agencies) that cumulatively meet the following conditions:

  • Be active within one of the “critical” industries listed in NIS2. These include banking, energy, digital providers, healthcare, government, postal and courier services, etc.;
  • Have a certain size, namely employ at least 50 employees or have an annual turnover of more than 10 million euros.

Although the number of entities to which the law applies seems limited, the impact of the NIS2 law is significant. Entities that meet these conditions will also have an obligation under the new law to oversee the cybersecurity of their so-called “supply chain.” This means that any suppliers or service providers of such entities may also be indirectly subject to the obligations of NIS2 (through their contractual relationships).

What are these obligations under the NIS2 law?

First, entities covered by the scope (see above) must take so-called “technical, operational and organizational measures” to manage the risks to the security of the network and information systems they use in the course of providing their services, in order to avoid the risk of incidents (or at least mitigate their consequences). Second, there is a reporting requirement, whereby any significant incident must be reported immediately to the competent national authorities. A “significant incident” is defined as “any incident that has a significant impact on the provision of any of the services in the relevant sectors of NIS2” and that:

  • has caused (or may cause) serious operational disruption to any of the services in the affected industries or financial losses to the affected entity; or
  • has affected (or may affect) other natural or legal persons by causing significant material or immaterial damage.

Third, subject entities must register with the Center for Cybersecurity Belgium (CCB). Most entities subject to NIS2 must register within 5 months of the NIS2 law coming into force, i.e., by March 18, 2025. However, certain entities must register before December 18, 2024. These are mainly providers of online search engines, online marketplaces, cloud computing services, etc.

Board liability

The NIS2 law also introduces a special form of board liability. If an entity is subject to NIS2, then the governing body must approve (and oversee) measures to manage cyber risks. In addition, directors of subject companies must also have the necessary knowledge to identify any risks. Failure to do so threatens liability for the directors.

What does this mean for your business?

The NIS2 Act mainly targets medium and large enterprises within certain (critical) sectors. If your company provides products or services to companies active in the aforementioned sectors, your company may indirectly fall under the NIS2 Act, especially if your services are essential for the operation of critical systems (e.g. IT services, security services, etc.). In summary, it is advisable for each company to check whether it falls (directly or indirectly) within the scope and, if so, to take the necessary measures.

Our PKF BOFIDI Legal experts are at your service

For further questions around cybersecurity, feel free to contact our PKF BOFIDI Legal team and we will be happy to assist you. This article was written by Lauranne Piotrowski, who specializes in intellectual property, IT, data protection and privacy.
