A new cybersecurity legislation: What is NIS?

The European NIS directive became Belgian law on May 3d. It provides legal measures to boost the security of network and information systems (NIS) that are of general interest for public security.

By now, most companies should know whether they have to comply with this NIS regulation or not. It are the sectoral authorities that should inform them. Sectors that are vital for our economy and society, and that are highly dependent on ICT, such as financial institutions, energy, transport, drinking water, healthcare, and digital infrastructure all have to comply with this legislation.

The starting point of this NIS law is to guarantee a high level of cybersecurity for critical network and information systems in order to ensure the continuity and public security of critical social and economic services.

Companies from the relevant sectors will, therefore, have to take the appropriate cybersecurity measures and report serious incidents to the relevant national authority.

The Belgian legislative proposal for implementation has a bold side to it. It refers to ISO27001 or similar, to impose a minimum expectation. The companies that have to comply with this law, have to take the following measures:

• Taking technical and organizational security measures that can prevent incidents or limit their impact;
• Developing a security policy based on the ISO / IEC 27001 standard;
• Reporting cybersecurity incidents;
• Auditing the network and information systems. The frequency: an internal audit annually and an external audit every three years;
• Appoint a contact person or service.

• Essential service providers will have 12 months from the date of notification of their official appointment to prepare their information security policies accordingly;
• Providers of essential services will have 24 months after the date of notification of their official designation to implement the established measures concerning their information security policy in accordance;
• Digital service providers (all providers of online market places, online search engines, and cloud services with offices or representation in Belgium) must decide for themselves whether or not they must comply with the NIS.

The good news is that the Belgian bill requires an annual internal audit and a three-yearly external audit. This is a watered-down version of the ISO approach where an annual surveillance audit is imposed after certification. External parties can complete both the internal and the external audit.

In other words: as a provider, you do not immediately have to proceed to an official ISO certification, but in the end, you will have to meet all the requirements. Thus, as the step towards a full ISO certification is not that big anymore, I would suggest just to get certified!

The advantage of an ISO certification? This is an external, official and formal confirmation that information security is running according to the expected agreements.

In accordance with the GDPR, the NIS law provides for both administrative and criminal fines that can be imposed. Besides, the competent authorities will have far-reaching powers to monitor and monitor compliance with the NIS law.