NIS2: We are an "important sector" and thus have a duty to report!
NIS2 (the Network and Information Security Directive) is intended to raise the level of cybersecurity within the EU for essential services and digital service providers. For now it is a legislative proposal, but it will become applicable by the end of 2024.
Remco Glashouwer
Author
Two sectors
It distinguishes 2 categories of sectors, namely Essential sectors and Important sectors, and 2 degrees of duties, namely a duty of care and a duty of notification. Companies in our industry will in particular fall under 'Important sectors with a duty to report'. This is because graphic media companies play a role in the communication of companies classified as Essential.
Organizations covered by the NIS2 directive.
Essential sectors
- Energy
- Transport
- Banking
- Financial market infrastructure
- Healthcare
- Drinking water
- Digital infrastructure
- Management of ICT services
- Wastewater
- Government Services
- Space
Important sectors
- Manufacturing
- Postal and courier services
- Digital providers
- Waste Management
- Food
- Chemical substances
- Research
Duty of care and duty of notification
Your customers from important sectors have a duty of care: they must protect their data as well as possible, including throughout their supply chain. Your customers from essential sectors have a duty of notification on top of that, which requires them to report incidents to the regulator within 24 hours.
Graphic media companies, for example in personalized printing and print work, hold a lot of information (data) belonging to customers in essential sectors. Part of the responsibility therefore lands on you.
Take action now
There are a number of actions you can already initiate yourself, such as:
- Identify and analyze risks around network and information security.
- Prepare business continuity plans and crisis management protocols.
- Identify alternative supply chains.
- Reserve the internal capacity (time and money) needed to meet the guidelines.
- Make staff aware of the risks in processing information. Research shows that humans are the weakest link: unconscious and unintentional actions turn out to be a greater risk than deliberate, targeted cyber attacks.
Don't wait too long
It may take some time, but this legislation will apply to many companies. It is also expected that by 2025 there will be a shortage of both consultants and certifiers, so many companies will not be able to meet the duty of care and duty of notification in time. You understand our advice 😉 Don't wait too long with step 1: carrying out a risk analysis. We are happy to help you with your digital resilience!