I know from experience that entrepreneurs who have become acquainted with cyber criminals often felt powerless because they lost control of their business. They understand better than anyone how important cybersecurity is for the continuity of their business. The NIB2 directive, on which the EU member states and the European Parliament reached a political agreement last Wednesday, June 22, was therefore not primarily written for them. The NIB2 guideline was written for those who still assume that cyber criminals will pass by their door and is intended as a stick behind the door to ensure a high level of security in chains and sectors.
The revised Network and Information Security Directive. NIB2 guideline is the successor to the current NIB guideline, which mandates a high level of security for providers of essential services and digital parties and includes a reporting obligation for cyber incidents. The high level of security and the obligation to report cyber incidents will continue to be maintained.
What is changing?
Expansion of application range
The number of sectors that will fall under the NIB2 directive will be significantly expanded. There is a new classification of categories of companies, namely companies that offer essential services – hereinafter the essential companies – and important companies. The sectors that offer essential services will soon include healthcare and public administration, chemicals and the food and beverage industry. These sectors must prepare for the implementation of the NIB2 directive.
Reporting vulnerabilities and CVD procedures
There remains a duty to report cyber incidents within 24 hours. That is a reactive measure. However, the revised guideline also pays attention to preventive measures, such as setting up and implementing procedures for reporting vulnerabilities. Reporting vulnerabilities is also called Coordinated Vulnerability Disclosure (CVD). See the CVD policy of First Lawyers as an example.
Companies developing ICT systems must establish appropriate procedures to address vulnerabilities when they are discovered. Since vulnerabilities are often discovered and reported by third parties, the manufacturer or provider of ICT products or services must also implement the necessary procedures to receive vulnerability information from third parties. ISO standards (ISO/IEC 30111 and ISO/IEC 29417) provide guidance on vulnerability response and vulnerability disclosure. Contracts between companies and IT suppliers must be adjusted accordingly.
Supply chain role
Essential businesses should further assess and consider the products and cybersecurity practices of their suppliers and service providers for cybersecurity risks. That is also new. They must also exercise care when selecting providers of incident response, penetration testing, security audits and consultancy. After all, they also play an important role in detecting incidents and responding to them. There is a need to effectively organize the legal operations that focuses on partner risk management, contracting and contract management.
Other cybersecurity risk management measures
Not new, but an important task for essential and important companies is that they take appropriate and proportionate technical and organizational measures to manage security risks. The goal is to achieve a high level of security. According to the NIB2 guideline, these measures must at least include:
- Risk analysis and policy
- Incidents: prevention, detection and response
- Business continuity and crisis management
- Supply chain security
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability response and disclosure
- Testing and audits to assess effectiveness of measures
- Use of cryptography and encryption.
What is the forecast?
The guideline is expected to be published in the autumn of this year. The Member States will then have 21 months to transpose the directive into national law. The implementation law is expected to come into effect in mid-2024. That seems like a long time, but making preparations will take some time.
Be prepared with the legal operations.
Last time I wrote about the importance of legal operations for preventing cybercrime. Legal operations can also be used to anticipate the contracts that must be concluded in the supply chain in accordance with the NIB2 guideline and to set up and handle vulnerability reports. As chairman of the Contract Board, I can report that we will shortly incorporate the NIB2 guideline into at least the ICT and Purchasing contract portfolios. Essential and important companies must pay attention to the requirements of the NIB2 directive in their contracts with ICT suppliers, with which they must demonstrably comply. This applies from the purchasing and tendering phase. MYOBI users have access to these contract portfolios.
The Contract Board has recently established CVD contracts, CVD policy and associated scripts and included them in the contract portfolios. These have recently become available. If you are interested, we are happy to make these company-specific for you so that you can implement them in your organization. After all, having CVD policies, procedures and contracts in place is an important security measure that you can take now.
Need to know more?
Please contact mr. dr. A.W. (Anne-Wil) Duthler via 070 306 00 33 or a.w.duthler@firstlawyers.nl.