NIS2 in Belgium: good focal points, but communication could be better

With the implementation of the NIS2 Directive, the European Union is taking an important step toward strengthening cybersecurity for all European companies.

Companies covered by the NIS2 legislation must comply with more stringent requirements for risk management, incident reporting and supply chain security. How does such legislation land inside a company, why is Belgium one of the first countries to transpose the directive into national law, and what is the role of the CCB (Centre for Cybersecurity Belgium) in it?

We put our questions to Niels Hofmans, Head of Security and IT at Intigriti, a bug bounty platform that connects ethical hackers with companies. He sees the new directive not only as an obligation, but also as an opportunity to strengthen transparency and trust.

Belgium in the lead

Belgium has shown with NIS2 that it has serious ambitions in cybersecurity. The CCB has been very important in the speed with which the guidelines have been turned into legislation. “Our country is one of the first countries to be fully compliant with the implementation of NIS2,” says Hofmans. “Kudos to the CCB. The communication and information channels they have set up have made Belgium one of the leaders of NIS2 worldwide.”

For Intigriti and other bug bounty companies, it is crucial to show customers that their data is in safe hands. “We have a heavy responsibility to our customers,” says Hofmans. “If there is any doubt at all about how we handle their most critical data, we are doing something wrong.”


That makes NIS2 a valuable foundation for strengthening enterprise security. “It goes beyond ISO certifications. NIS2 provides a more in-depth framework that helps to better manage risk.”

It also requires companies to look more closely at their suppliers. “Supply chain requirements were non-existent under NIS1,” Hofmans explains. “That is now starting to become more and more of a growing risk. Why impose strict requirements on ourselves if we don’t impose them on our suppliers as well? After all, these are part of the business.”

From NIS1 to NIS2: what will change?

The transition from NIS1 to NIS2 brings major changes. Hofmans sees significant progress in the increased focus on accountability. “Accountability is being addressed much harder, which ensures that we’re going to see a noticeable difference in cybersecurity.”

The obligation to report incidents to the CERT is also becoming more important. If a company is the victim of a significant cyber attack, it must report it to the Belgian CERT within 24 hours. A more detailed report must follow within 72 hours. After a month, a final, full report must follow with the description, causes and follow-up steps. “That report helps expose weaknesses and provides a good basis to build on. It keeps us on our toes.”


Another important aspect is the expansion of the CCB’s CyberFundamentals framework, which helps companies protect data and reduce the risk of the most common cyberattacks. “When a company knocks on our door, we can immediately refer to that CyberFundamentals 2.0,” Hofmans says.

What challenges lie ahead?

While the benefits of NIS2 are clear, companies still face challenges. “There are still plenty of companies that aren’t awake to the directive,” Hofmans warns. However, the consequences of non-compliance are significant. “Sanctions can lead to the dismissal of management staff, or fines of up to 10 million euros. That goes a long way.”


Hofmans also identifies some pain points: “Perhaps they could have put more effort into official NIS2 communications to companies, instead of just posting on social media.”

He also mentions companies that had not previously engaged with NIS2. “We do start to see problems with companies that are only now starting NIS2 compliance. There are many companies that now fall under NIS2 but have never engaged with it or documented anything. That’s a sour apple to bite through.”

Clearly, the NIS2 legislation is having a positive impact on both cybersecurity platforms and other industries. There are still challenges for companies that are only now coming into scope, but they are not insurmountable. The CCB should continue to work proactively and keep its guidelines, such as the CyberFundamentals framework, up to date.