Vault restructure

Richard Kranendonk 2026-04-23 11:51:51 +02:00
parent d45797d121
commit ff77508bd1
1433 changed files with 415450 additions and 1201 deletions

Binary file not shown (added, 115 KiB).

Binary file not shown (added, 56 KiB).

View file

@ -0,0 +1,9 @@
{
"creatorIdentifier" : "net.ia.presenter",
"net.ia.presenter" : {
"localFileIdentifier" : "9757E1E9-D1A8-44B7-843A-8120E2560A25"
},
"transient" : false,
"type" : "net.daringfireball.markdown",
"version" : 2
}
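Review bot: this file is an application sidecar, not content: `"creatorIdentifier" : "net.ia.presenter"` and the per-copy `"localFileIdentifier"` UUID are iA Presenter bookkeeping that will differ on every machine that opens the deck and will churn on each commit. Consider dropping it from the vault and adding the sidecar pattern to `.gitignore` so the repository only tracks the markdown and image assets.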

View file

@ -0,0 +1,343 @@
#nis2
### NIS2 Explained
#### Raising the Baseline for Cybersecurity Across the Union
Richard Kranendonk, Thinking Security Works for FortMesa, June 2025
/assets/ISO27DIY Logo in circle.png
size: contain
y: bottom
---
## What is NIS 2?
NIS2 (Directive (EU) 2022/2555) is the EU's updated comprehensive cybersecurity law.
Aims to **significantly raise the baseline level of cybersecurity and resilience** across the European Union.
Focuses especially on **critical infrastructure and essential services**.
**Designed to protect the EUs economy and society** by making digital infrastructure more secure, resilient, and better prepared for evolving cyber threats.
---
# Goals
**Establish a unified, high standard of cybersecurity** for network and information systems in key sectors across all EU member states.
Strengthen cooperation and information sharing among member states for a **coordinated response to cross-border cyber threats**.
Promote consistency by **harmonizing security requirements, reporting obligations, and enforcement** across the EU.
Ensure organizations implement **robust risk management**, **incident response**, and **business continuity measures**.
---
# Compared with GDPR
GDPR: **protecting citizens against the misuse of personal data**. Caused an obsession with data confidentiality and Cookie Banners.
NIS 2: **resilience of critical infrastructure**, threat of disruption. Emphasis on risk management.
---
# Origins of NIS 2
The original Network and Information Security Directive (NIS1) was adopted in 2016. It was the **EUs first comprehensive cybersecurity law**.
Aimed to establish a high common level of cybersecurity across Member States.
Targeted critical sectors: energy, transport, healthcare, finance, water, and digital infrastructure.
Required essential service providers (OES) and digital service providers to take security measures and report incidents.
---
# But ...
**Scope was too narrow:** Only applied to seven key sectors identified by Member States.
**Inconsistent Implementation:** Member States had discretion in identifying OES.
**Unclear Definitions:** Contributed to fragmentation and gaps in protection. Some critical digital infrastructure and services were not covered.
Digital Service Providers were subject to lighter requirements, whereas **digitalization accelerated** and **cyber threats became more sophisticated**.
---
# So: NIS 2
NIS2 expands the scope, introduces stricter supervision/enforcement, harmonizes sanctions, and emphasizes supply chain security and top management responsibility.
Proposal for NIS2 in December 2020.
Formal adoption: November 2022.
**Entered into force: January 16, 2023**.
Member States required to transpose NIS2 into national law by **October 17, 2024**.
Current state: European Commission has **warned 19 Member States for missing the deadline** and may take legal action.
---
# NIS 1 vs NIS 2
| Aspect | NIS1 (2016) | NIS2 (2023) |
| :------------ | :------------------------------- | :------------------------------------------------ |
| **Scope** | Limited sectors, fewer entities | **Expanded sectors and more entities** |
| **Enforcement** | Inconsistent across Member States | **Stronger, harmonized supervision** |
| **Management** | Limited focus on top management | **Clear top management responsibility** |
| **Reporting** | Less stringent, varied obligations | **Stricter, harmonized reporting** |
| **Supply Chain**| Not specifically addressed | **Explicitly included** |
---
### Le loi relatif à la résilience des infrastructures critiques
*NIS 2 in France*
---
# Scope
---
# Organizations targeted by NIS2
Principle: Entities critical to the functioning of society and the economy
Covers a wide range of **public and private organizations** listed in Annex I (Essential) and II (Important).
Entities with over 50 employees or 10 million turnover (with exceptions for smaller but critical entities)
**Supply Chain Focus:** Entities essential to the supply chain of critical infrastructures are now included.
---
# Essential Entities
- Energy
- Transport
- Banking
- Financial market infrastructure
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure
- ICT B2B service management: MSP's & MSSP's
- Public administration
- Space (ground-based infrastructure)
# Important Entities
- Digital providers (marketplaces, search engines, social networking)
- Postal and courier services
- Waste management
- Chemicals
- Food
- Manufacturing
- Research
---
# Geographical Location
Entities established in an EU/EEA Member State.
Non-EU organizations offering services within the EU, particularly in critical sectors must designate a representative in an EU Member State.
Indicators include using EU languages/currencies or targeting EU users.
---
# Requirements
---
# Risk-Management
Appropriate and proportionate measures.
Policies on **risk analysis** and information system
Policies/procedures to assess effectiveness of measures.
Incident handling.
Business continuity (backup, disaster recovery, crisis management).
Supply chain security.
Basic cyber hygiene practices (zero-trust, updates, configuration, segmentation, identity/access management, user awareness).
Use of cryptography and, where appropriate, encryption (including end-to-end).
Human resources security, access control policies.
Multi-factor authentication or continuous authentication.
---
# Supply Chain Requirements
**Risk Assessment** of vendors, evaluating cybersecurity posture, incident history, and service criticality.
**Supply Chain Security Policies** including clear security requirements, access controls, encryption, and MFA throughout the supply chain.
**Contractual Obligations** w/r/t cybersecurity clauses in contracts (compliance, incident reporting, audit rights, termination).
**Continuous Monitoring:** Regularly monitor/audit third-party security practices and ensure ongoing compliance.
---
# Role of Management
Cybersecurity is a core element of corporate governance**.
Management bodies must approve cybersecurity risk-management measures and oversee implementation.
**Can be held liable for infringements**.
Management is **required to follow training** to gain sufficient knowledge and skills.
Entities are encouraged to offer similar training to employees.
---
---
**Slide 27: Supervision and Enforcement**
* Member States must ensure competent authorities effectively supervise and take necessary measures for compliance.
* Supervisory tasks can be prioritized based on a risk-based approach.
* Essential entities are subject to comprehensive ex ante and ex post supervision.
* Important entities are subject to lighter, ex post only supervision, typically triggered by evidence of non-compliance.
* Essential entities are subject to a **comprehensive ex ante and ex post supervisory regime**.
* authorities have a general obligation to supervise these entities. Supervisory tasks can include regular on-site inspections, off-site supervision, random checks, regular and targeted security audits, and security scans
*
* Important entities are subject to a **light, ex post only, supervisory regime**, typically triggered by evidence of non-compliance.
* supervision is specifically triggered by "evidence, indication or information" suggesting they may not comply with the directive
---
**Slide 28: Enforcement Powers**
* Competent authorities for **Essential Entities** have powers including:
* Issuing warnings.
* Adopting binding instructions (e.g., measures to prevent/remedy incidents, time-limits).
* Ordering entities to remedy deficiencies or infringements.
* Competent authorities for **Important Entities** have powers including:
* Issuing warnings.
* Adopting binding instructions or orders to remedy deficiencies/infringements.
---
**Slide 29: Penalties for Non-Compliance**
* **Fines:** Up to €10 million or 2% of global annual revenue, whichever is higher.
* **Management Liability:** Executives face personal liability for non-compliance. This could include potential bans from managerial roles.
* **Market Access Risks:** Non-compliance may disrupt partnerships with EU businesses or lead to exclusion from EU markets.
* Member States may lay down rules on imposing administrative fines on public administration entities.
---
**Slide 30: Expectations for Enforcement (as of May 2025)**
* Enforcement across the EU is currently marked by significant delays and fragmentation.
* Many Member States missed the October 2024 transposition deadline.
* Formal warnings issued by the European Commission to 19 Member States.
* Legal action by the Commission may follow if compliance is not achieved.
* Actual enforcement will depend on national transposition and the approach taken by each Member State's competent authorities.
---
---
---
---
**Slide 22: Incident Reporting (Significant Incidents)**
* NIS2 lays down a **multiple-stage approach** to reporting significant incidents.
* Strikes a balance between swift reporting (mitigate spread, seek assistance) and in-depth reporting (lessons learned).
* Report incidents that, based on initial assessment, could cause severe operational disruption/financial loss or affect others with considerable material/non-material damage.
* Initial assessment considers affected systems, threat severity/characteristics, vulnerabilities, and entity experience.
* Member States must provide technical means for simplified reporting (single entry points, online forms, etc.).
* This should ideally be a single entry point for various notification obligations (like GDPR, ePrivacy) to decrease administrative burden.
---
**Slide 23: Voluntary Information Sharing**
* Member States must ensure entities (in-scope and others) can **voluntarily exchange relevant cybersecurity information**.
* Information includes cyber threats, near misses, vulnerabilities, techniques, indicators of compromise, threat actors, alerts, and configuration recommendations.
* Exchange should occur within communities of entities and their suppliers/providers.
* Information-sharing arrangements should respect the sensitive nature of the information.
* Member States should facilitate the establishment of such arrangements.
* Entities must notify competent authorities of participation/withdrawal from these arrangements.
* ENISA provides assistance by exchanging best practices and guidance.
---
**Slide 24: Voluntary Notifications**
* In addition to mandatory reporting, entities can **voluntarily notify** CSIRTs or competent authorities.
* This applies to essential/important entities (incidents, cyber threats, near misses) and other entities (significant incidents, cyber threats, near misses).
* Voluntary reporting is processed but may be prioritized below mandatory notifications.
* Voluntary reporting should **not result in additional obligations** for the notifying entity.
---
**Slide 25: NIS2 Certification Status**
* The European Commission is working on a certification framework, but it is **still under development and not currently in force**.
* The NIS2 Directive itself does not mandate certification for companies, but allows for future requirements.
* Any companies currently offering "NIS-2 certification" or training do so based on their own interpretations or existing standards (like ISO 27001).
* These commercial offerings **do not have official legal status** and are **not legally recognized** EU-level certifications.
---
**Slide 26: NIS2 Measures and International Standards**
* Member States are encouraged to use **European and international standards** and technical specifications relevant to network and information system security.
* Measures for NIS2 conformity in places like Flemish Belgium are based on internationally recognized standards like **NIST processes and ISO 27001/27002**.
* ISO 27001/27002 and the NIST framework are recognized as best practices for NIS2 compliance.
* Specific NIS2 requirements, such as those related to risk management and physical/environmental security, align with standards like the ISO/IEC 27000 series.
* International standards ISO/IEC 30111 and ISO/IEC 29147 provide guidance on vulnerability handling and disclosure.
* ENISA, in cooperation with Member States, provides advice/guidelines on relevant standards.
**Slide 31: Cooperation Mechanisms**
* **Cooperation Group:** Supports strategic cooperation and information exchange among Member States. Tasks based on biennial work programmes. Can conduct coordinated security risk assessments of critical supply chains. Discusses peer review reports.
* **CSIRTs Network:** Promotes swift and effective operational cooperation among national CSIRTs. Tasks include incident handling assistance, coordinating vulnerability disclosure, and identifying further forms of operational cooperation. Cooperates with regional/Union-level SOCs.
* **EU-CyCLONe:** Supports coordinated management of large-scale cybersecurity incidents and crises at operational level. Composed of representatives from Member States' cyber crisis management authorities and the Commission (in specific cases).
---
**Slide 32: Vulnerability Handling**
* Identifying and remedying vulnerabilities is crucial.
* Entities that develop or administer systems should establish procedures to handle vulnerabilities.
* Manufacturers/providers should have procedures to receive vulnerability information from third parties.
* **Coordinated vulnerability disclosure** (CVD) is a structured process for reporting vulnerabilities to allow remediation before public disclosure. International standards ISO/IEC 30111 and ISO/IEC 29147 provide guidance.
* Each Member State must designate a CSIRT as a coordinator for CVD.
* This coordinator acts as a trusted intermediary between the reporter and the manufacturer/provider.
* Reporters can report vulnerabilities anonymously.
* **European vulnerability database:** ENISA will develop and maintain a database for voluntary disclosure of publicly known vulnerabilities in ICT products/services. Provides information on the vulnerability, affected products/services, severity, and available patches/mitigation guidance.
---
**Slide 33: DNS Security and Registration Data**
* Maintaining accurate/complete domain name registration data (WHOIS) is essential for DNS security/stability.
* TLD name registries and domain name registration service entities must collect and maintain this data diligently, in accordance with data protection law for personal data.
* Data must include information to identify and contact holders and administrative points of contact (name, email, phone).
* Policies/procedures, including verification, must be in place to ensure accuracy.
* Publicly available data should include non-personal data, such as the registrant name and phone number for legal persons. A non-personal email can also be published.
* Lawful access to personal data must be enabled for legitimate access seekers in line with data protection law. Access requests should be responded to without undue delay.
* All types of access to registration data should be free of charge.
* ENISA will create and maintain a registry of specific cross-border providers, including TLD name registries and domain name registration services, based on Member State information.
---
**Slide 34: Need for Ongoing Review**
* The European Commission will periodically review NIS2, consulting stakeholders.
* Reviews, starting by October 17, 2027, will assess the relevance of entity size, sectors, and types in relation to cybersecurity.
* Will take into account reports from the Cooperation Group and CSIRTs network.
* Legislative proposals may accompany reports where necessary.
---
**Slide 35: Key Takeaways**
* NIS2 is a significant evolution from NIS1, addressing its shortcomings by expanding scope and harmonizing requirements.
* Targets a broad range of critical entities, imposing comprehensive cybersecurity risk management and reporting obligations.
* Places clear accountability on top management.
* Emphasizes supply chain security and third-party risk management.
* Implementation is facing delays in many Member States as of May 2025.
* International standards like ISO 27001 and NIST are relevant for compliance, though no official EU certification exists yet.
* Enforcement includes significant fines and potential management liability.
---
**Slide 36: Q&A / Discussion**
* [Placeholder for Questions and Discussion]
---
**Slide 37: Research and Footnotes**
* [Include a list of sources/footnotes if desired for reference, e.g., citing the origin of the excerpts]
---
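Review bot: the second half of this deck is out of order and its separators are broken, so it will not render as intended. The slides labelled 27 to 30 (supervision, enforcement, penalties, expectations) appear before slides 22 to 26 (incident reporting, information sharing, certification, standards), and the `**Slide N:**` labels clash with the heading style the first half uses; either restore the numeric order or drop the labels and use `#` headings throughout. Structural fixes: `---` on consecutive lines (after "Role of Management", and the run of four before "Slide 22") produces empty slides; the bullets "Essential entities are subject to comprehensive ex ante and ex post supervision" and "Important entities are subject to lighter, ex post only supervision" are repeated two lines later with the same text, and there is an empty `*` bullet between them; "Slide 26" and "Slide 31" have no `---` between them and will merge into one slide; "Cybersecurity is a core element of corporate governance**." has a closing `**` with no opener. Wording: "Le loi relatif à la résilience des infrastructures critiques" should read "La loi relative à la résilience des infrastructures critiques" (the notes file spells it correctly); "EUs" should be "EU's" in the opening slides and "MSP's & MSSP's" should be "MSPs & MSSPs". Content: the enforcement-powers slide distinguishes essential from important entities, but the penalties slide gives a single ceiling ("Up to €10 million or 2% of global annual revenue"); that figure is the essential-entity maximum in Article 34, and important entities have a lower one (€7 million or 1.4%), so the slide should state both or say which tier it refers to.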

Binary file not shown (added, 15 KiB).

View file

@ -0,0 +1,454 @@
#nis2
# NIS 2 Explained
for FortMesa webinar June 2025: "The State of EU Cyber Compliance: NIS2 Explained"
## Goal of NIS2
The ultimate goal behind NIS-2 is to significantly raise the baseline level of cybersecurity and resilience across the European Union, especially for critical infrastructure and essential services[^9_1][^9_5][^9_6]. NIS-2 aims to:
- Establish a unified, high standard of cybersecurity for network and information systems in key sectors across all EU member states[^9_1][^9_2][^9_6].
- Ensure organizations implement robust risk management, incident response, and business continuity measures to prevent, detect, and minimize the impact of cyber incidents[^9_5][^9_6].
- Promote consistency by harmonizing security requirements, reporting obligations, and enforcement across the EU, addressing previous fragmentation and gaps[^9_1][^9_4][^9_6].
- Strengthen cooperation and information sharing among member states for a coordinated response to cross-border cyber threats[^9_1][^9_5][^9_6].
In essence, NIS-2 is designed to protect the EUs economy and society by making its digital infrastructure more secure, resilient, and better prepared for evolving cyber threats[^9_1][^9_5][^9_6].
GDPR is about protecting citizens against the misuse of personal data, therefore, in terms of information security, more about confidentiality of data. Protecting privacy was the goal, information security management almost a side show.
NIS 2 is all about resilience of critical infrastructure, under threat of cybercrime (also by state actors), and has a broader focus in terms of information security: the complete information security package.
## History and Current Status
**Origins and NIS1 Directive (2016):**
- The original Network and Information Security Directive (NIS1), adopted in 2016 (Directive 2016/1148), was the EUs first comprehensive cybersecurity law, aiming to establish a high common level of cybersecurity across Member States[^15_3][^15_8][^15_10].
- NIS1 targeted critical sectors like energy, transport, healthcare, finance, water, and digital infrastructure, requiring essential service providers and digital service providers to take security measures and report incidents[^15_1][^15_8].
- Despite these advances, NIS1 faced challenges: its scope was too narrow, enforcement and implementation were inconsistent across Member States, and definitions were sometimes unclear, leading to fragmentation and gaps in protection[^15_3][^15_6][^15_10].
**Growing Need for Reform:**
- As digitalization accelerated and cyber threats became more frequent and sophisticated, it became clear by 2020 that the EU needed a stronger, more harmonized approach to cybersecurity[^15_3][^15_6][^15_8].
- The European Commission launched a review and consultation on NIS reform in July 2020, leading to a proposal for an updated directive—NIS2—in December 2020[^15_5][^15_9].
**Development and Adoption of NIS2:**
- The legislative process included negotiations between the European Parliament, Council, and Commission throughout 2021 and early 2022[^15_3][^15_9].
- A provisional agreement on NIS2 was reached in May 2022, with formal adoption by the Parliament and Council in November 2022[^15_3][^15_9].
- NIS2 was published in the Official Journal on December 27, 2022, and entered into force on January 16, 2023[^15_5][^15_8][^15_9].
**Transition and Implementation Timeline for NIS2:**
- Member States were given 21 months, until October 17, 2024, to transpose NIS2 into national law[^15_3][^15_5][^15_8].
- NIS2 expands the scope to more sectors, introduces stricter supervisory and enforcement measures, harmonizes sanctions, and places greater emphasis on supply chain security and top management responsibility[^15_1][^15_2][^15_6].
**Summary Table: NIS1 vs. NIS2**
| Aspect | NIS1 (2016) | NIS2 (2023) |
| :----------- | :--------------------------------- | :---------------------------------- |
| Scope | Limited sectors, fewer entities | Expanded sectors and more entities |
| Enforcement | Inconsistent across Member States | Stronger, harmonized supervision |
| Management | Limited focus on top management | Clear top management responsibility |
| Reporting | Less stringent, varied obligations | Stricter, harmonized reporting |
| Supply Chain | Not specifically addressed | Explicitly included |
NIS2 aims to address all the shortcomings of its predecessor by broadening coverage, clarifying obligations, and enforcing higher cybersecurity standards EU-wide[^15_1][^15_3][^15_6].
#### Why Was the NIS 1 Scope Considered Too Narrow?
- **Limited Sectors:** NIS 1 only applied to seven key sectors considered vital to the economy and society, such as energy, transport, banking, financial market infrastructures, drinking water, healthcare, and digital infrastructure[^16_1][^16_2][^16_5].
- **Member State Discretion:** Each EU Member State had the responsibility to identify which organizations qualified as operators of essential services (OES), resulting in inconsistent application and gaps in coverage across the EU[^16_1][^16_6].
- **Exclusions:** Some critical digital infrastructures and services, such as certain telecommunications and public administration entities, were not covered[^16_4][^16_7].
- **Light Regulation for Digital Service Providers:** Digital service providers (like cloud services and online marketplaces) were subject to lighter, less comprehensive requirements[^16_1][^16_4].
#### How Has the Scope Broadened in NIS 2?
- **More Sectors Covered:** NIS 2 expands the scope to include additional sectors and sub-sectors crucial to the economy and society, such as waste management, postal and courier services, food production, manufacturing of critical products, and more digital services[^16_1][^16_2][^16_5][^16_6].
- **Size-Cap Rule:** All medium-sized and large entities in the covered sectors are automatically in scope, removing the need for Member States to individually designate operators[^16_1][^16_6].
- **Public Administration:** NIS 2 now applies to central government public administration entities, and Member States can extend this to regional and local levels[^16_1].
- **Supply Chain Focus:** Entities essential to the supply chain of critical infrastructures are now included[^16_2].
- **Unified Requirements:** The distinction between “essential service operators” and “digital service providers” is eliminated; all covered entities face similar obligations[^16_5][^16_6].
**In summary:** NIS 1 was considered too narrow because it left critical gaps due to sector limitations, inconsistent national implementation, and exclusions. NIS 2 addresses these gaps by broadening the scope to more sectors, applying clear criteria (like the size-cap), and harmonizing requirements across the EU[^16_1][^16_2][^16_5][^16_6].
### Current state as of May 2025
The NIS-2 directive should have been transposed into national legislation by October 17, 2024.
The Netherlands did not meet this deadline[^1_2][^1_4][^1_5][^1_6]. The national law implementing NIS-2, the Cybersecurity Act (Cbw), is now not expected to enter into force until the second or third quarter of 2025[^1_2][^1_4][^1_5][^1_7]. Until then, the current Network and Information Systems Security Act (Wbni) still applies to the organizations concerned[^1_4][^1_5]. Organizations that will fall under the new law do not yet have any legal obligations from NIS-2, but they can voluntarily prepare and register[^1_3][^1_4].
The implementation of the NIS-2 directive is also delayed in other countries, including France and Germany.
**France**
France has not yet fully transposed the NIS-2 directive into national legislation. The bill (“Loi relatif à la résilience des infrastructures critiques”) was submitted to the Senate in October 2024. The law is expected to be adopted in the course of the second half of 2025. France is taking a broad approach to implementation and is adding extra sectors and local authorities to the scope. The national cybersecurity authority ANSSI will play a central role in supervision and enforcement[^2_3][^2_5].
**Germany**
In Germany, the bill for NIS-2 was approved in July 2024, but its parliamentary processing was delayed. Enforcement was expected to start from March 2025. Germany, unlike France, has not brought local authorities under the NIS-2 legislation[^2_3].
In short: both France and Germany have not yet fully transposed the NIS-2 directive and, as of May 2025, are still in the legislative process, each with its own emphasis and delays[^2_2][^2_3][^2_5].
## What kind of organizations are targeted by NIS-2?
NIS-2 targets a wide range of organizations that are critical to the functioning of society and the economy. Specifically, it applies to:
- **Medium-sized and large organizations** (generally with at least 50 employees or €10 million annual turnover) operating in sectors deemed essential or important[^12_2][^12_4][^12_8].
- **Essential sectors** include energy, transport, banking, financial market infrastructure, healthcare, drinking water, digital infrastructure, ICT services management, wastewater, public administration, and space activities[^12_2][^12_8].
- **Important sectors** include digital providers, postal and courier services, waste management, chemicals, food production and distribution, research, and various types of manufacturing[^12_3][^12_8].
- The directive also allows Member States to include smaller organizations if they are considered high-risk or critical for society[^12_5].
In summary, NIS-2 covers both public and private organizations in a broad set of vital and important sectors, focusing on those whose disruption would significantly impact society or the economy[^12_3][^12_7][^12_8].
#### Sectors in Scope under NIS2
NIS2 divides in-scope organizations into two main categories: **Sectors of High Criticality (Essential Sectors)** and **Other Critical Sectors (Important Sectors)**.
**Sectors of High Criticality (Essential Sectors):**
- Energy (including electricity, oil, gas, heating/cooling, hydrogen, EV charging)
- Transport (air, rail, road, water, shipping, ports)
- Banking
- Financial market infrastructure
- Healthcare (providers, labs, pharmaceuticals, medical device manufacturing)
- Drinking water
- Wastewater
- Digital infrastructure (DNS, domain name registries, trust services, data centers, cloud, electronic communications, managed IT/security services)
- ICT service management (business-to-business)
- Public administration (central, regional, and optionally local)
- Space (ground-based infrastructure)[^17_1][^17_2][^17_4][^17_7]
**Other Critical Sectors (Important Sectors):**
- Digital providers (online marketplaces, search engines, social platforms)
- Postal and courier services
- Waste management
- Manufacture, production, and distribution of chemicals
- Production, processing, and distribution of food
- Manufacturing (medical devices, computers, electronics, optics, machinery, vehicles, other transport equipment)
- Research organizations[^17_1][^17_2][^17_3][^17_4][^17_6][^17_7]
Medium-sized and large organizations in these sectors are required to comply with NIS2 cybersecurity requirements.
#### Geographical Location
- **Jurisdiction:** NIS2 applies to essential and important entities established in an EU/EEA Member State, and they fall under the jurisdiction of the country where they are established or, in some cases, where they provide their services[^18_4][^18_5][^18_6].
- **Multiple Member States:** If an organization provides services in more than one Member State, it must comply with NIS2 requirements in each relevant country[^18_6].
- **Entities Outside the EU:** Non-EU organizations offering services within the EU must designate a representative established in an EU Member State where their services are offered[^18_5].
- **Sector-Specific Rules:** For certain sectors (e.g., digital infrastructure, cloud, DNS, electronic communications), jurisdiction may depend on the location of the main establishment or where services are provided[^18_5].
In summary, an organizations geographical location determines which Member States authorities oversee its compliance, and cross-border or non-EU service providers must ensure they meet NIS2 obligations within the EU market.
#### Can an entity outside the EU offering services within the EU be held accountable?
Yes, non-EU entities offering services within the EU can be held accountable under the NIS2 Directive. The regulation applies extraterritorially, meaning it extends to organizations outside the EU if they provide **essential or important services** to EU markets. Heres how geographical location factors into accountability:
**Marketplace Principle**:
- NIS2 applies if services are “offered within the EU,” even if the entity lacks a physical presence there. Factors include:
- Using EU languages or currencies (e.g., offering services in German or accepting euros).
- Targeting EU users in marketing materials or service descriptions [^19_7].
**Sector Relevance**:
- Non-EU entities in sectors like digital infrastructure, healthcare, transport, or energy are particularly impacted if their services are critical to EU operations [^19_6].
In summary, NIS2s extraterritorial scope ensures that non-EU entities serving EU markets must adhere to its cybersecurity standards, with significant legal and financial consequences for non-compliance.
#### **Requirements for Non-EU Entities**
1. **Designate an EU Representative**: Non-EU organizations must appoint a representative in an EU Member State where their services are offered [^19_1][^19_6].
2. **Supply Chain Compliance**: Third-party suppliers (including non-EU partners) must meet NIS2 security standards if they provide critical inputs to EU entities [^19_1][^19_6].
3. **Incident Reporting**: Significant cybersecurity incidents affecting EU services must be reported to national authorities within strict deadlines (e.g., 24-hour “early warning”) [^19_2][^19_6].
## What is expected of these organizations?
### Expectations for Different NIS-2 Stakeholders
**EU Member States**
- Develop and maintain a national cybersecurity strategy with clear objectives and resources[^10_1][^10_3].
- Designate national authorities, Computer Security Incident Response Teams (CSIRTs), and a single point of contact for cross-border and cross-sector cooperation[^10_3].
**National Authorities \& CSIRTs**
- Oversee and enforce compliance among organizations.
- Conduct regular audits, inspections, and request information as part of supervision[^10_3].
- Facilitate incident response and information sharing at national and EU level[^10_3].
**Essential and Important Entities (Organizations)**
- Implement risk management: identify, assess, and mitigate cybersecurity risks across their operations and supply chains[^10_5][^10_7].
- Establish and maintain robust security policies, technical and organizational measures, and incident response plans[^10_7].
- Report significant security incidents to authorities within strict timelines[^10_2][^10_7].
- Ensure business continuity and crisis management capabilities[^10_7].
- Senior management is directly responsible and can be held liable for compliance, including ensuring adequate resources, policies, and monitoring[^10_4][^10_6].
**Supply Chain Partners**
- Organizations must assess and manage cybersecurity risks in their supply chains, considering the security practices of suppliers and service providers[^10_5].
**Critical Entities (under CER Directive)**
- Entities identified as critical must comply with both NIS-2 cybersecurity and physical resilience obligations, with authorities cooperating on both aspects[^10_3].
**Summary Table**
| Stakeholder | Key Responsibilities under NIS-2 |
| :----------------------- | :-------------------------------------------------------------------------------- |
| Member States | National strategy, designate authorities/CSIRTs, ensure cross-border cooperation |
| National Authorities | Supervision, enforcement, audits, incident coordination |
| Essential/Important Orgs | Risk management, security measures, incident reporting, management accountability |
| Supply Chain Partners | Support supply chain risk management and security |
| Critical Entities | Comply with both cyber and physical resilience requirements |
The directive thus requires coordinated action at national, sectoral, and organizational levels to achieve a high and consistent level of cybersecurity across the EU.
### What is expected/required of the board and management?
For organizations in scope of NIS-2, the board and management have explicit and far-reaching responsibilities:
- **Active Oversight and Approval**: The board must oversee, approve, and regularly review the organizations cybersecurity risk management measures and policies[^13_1][^13_4][^13_8].
- **Training and Awareness**: Board members and executives are required to follow cybersecurity training to ensure they understand risks and can make informed decisions. They must also ensure regular training for employees[^13_1][^13_4][^13_5][^13_8].
- **Accountability and Liability**: Management is directly accountable for compliance. Serious failures can result in personal liability, administrative fines, and even temporary bans from management roles[^13_1][^13_4][^13_5][^13_7][^13_8].
- **Risk Management**: The board must ensure comprehensive risk assessments, mitigation strategies, and continuous improvement of cybersecurity controls, including supply chain security and incident response[^13_1][^13_3][^13_7][^13_8].
- **Incident Reporting**: Management must ensure processes are in place for prompt reporting of significant incidents, typically within 24 hours for initial notification[^13_1][^13_3][^13_7].
- **Business Continuity**: The board is responsible for ensuring robust business continuity and crisis management plans, including system recovery and emergency procedures[^13_1][^13_7][^13_8].
In summary, NIS-2 makes cybersecurity a core element of corporate governance, requiring boards and management to be knowledgeable, proactive, and fully accountable for digital risk management and compliance.
### What is required of the organization with regard to vendor management?
Organizations in scope of NIS-2 are required to take extensive measures for vendor (third-party) management:
- **Risk Assessment:** Conduct thorough and ongoing risk assessments of all vendors and suppliers, evaluating their cybersecurity posture, incident history, and the criticality of their services[^14_1][^14_2][^14_3][^14_5].
- **Supply Chain Security Policies:** Develop and enforce comprehensive policies for third-party risk management, including clear security requirements, access controls, encryption, and multi-factor authentication throughout the supply chain[^14_2][^14_3][^14_7].
- **Contractual Obligations:** Include enforceable cybersecurity clauses in contracts with vendors—covering compliance, incident reporting, audit rights, and termination for non-compliance[^14_3][^14_4].
- **Continuous Monitoring:** Regularly monitor and audit third-party security practices, update risk assessments, and ensure ongoing compliance with NIS-2 standards[^14_1][^14_2][^14_3].
- **Incident Reporting:** Ensure vendors promptly report cybersecurity incidents and coordinate on incident response and resolution[^14_1][^14_3].
- **Documentation:** Maintain detailed records of vendor assessments, contracts, and compliance audits for regulatory review[^14_1][^14_3].
In summary, NIS-2 requires organizations to proactively manage, monitor, and document third-party risks, making supply chain security an integral part of their cybersecurity strategy.
### Local differences
The main differences in emphasis between France and Germany in the implementation of the NIS-2 directive are:
- In France, local authorities explicitly fall under the NIS-2 legislation, whereas this is not the case in Germany[^3_1][^3_3].
- Some countries, including France, are adding extra sectors that fall under the law; Germany is limiting itself more to the strictly necessary sectors[^3_1].
- Germany emphasizes comprehensive risk management, reporting obligations, and registration requirements for "particularly important facilities" and federal administrative bodies[^3_4].
- In Germany, micro-enterprises are largely excluded, while in France, the scope is actually being expanded by including local authorities and additional sectors[^3_1][^3_4].
These differences create a fragmented regulatory landscape within the EU, making it more complex for international organizations to comply with all rules[^3_1].
#### Similarities in Measures
- In both France and Germany, companies under NIS-2 must take appropriate technical and organizational measures to manage cyber risks and prevent incidents[^4_1][^4_5][^4_6].
- Both countries mandate risk management, regular evaluation of security measures, and a reporting obligation for serious security incidents[^4_5][^4_6].
- Supplier and supply chain management is an important component in both countries: companies must also pay attention to the security of their direct suppliers and service providers[^4_6].
- The basic principles are risk-based: the greater the risk, the more stringent the measures must be[^4_6].
#### Differences
- **Scope**: France explicitly includes local authorities and additional sectors in the law, while Germany primarily focuses on critical infrastructures and federal agencies[^4_5].
- **Registration**: In Germany, there is a registration obligation with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI) for “particularly important” organizations[^4_5]. In France, the national cybersecurity authority ANSSI has more control.
- **Exemptions**: Micro-enterprises are largely exempt in Germany; France applies a broader scope[^4_5].
- **Enforcement**: Germany is known for strict compliance and enforcement through contractual obligations; in France, the approach is more centrally regulated[^4_6].
In short: the core measures are similar, but the scope, exemptions, and enforcement differ per country, leading to different obligations for companies depending on their country of establishment[^4_5][^4_6].
## International standards and certification
#### Some companies offer NIS-2 certification, or claim to offer NIS-2 certified training. Is there a legal basis for this?
Currently, there is no legal basis for an official “NIS-2 certification” or “NIS-2 certified training.” The NIS-2 Directive and national legislation do require organizations to take appropriate security measures, but there is no government-recognized NIS-2 certificate or official quality mark[^7_6][^7_8].
The European Commission is working on a certification framework, but this is still under development and not currently in force[^7_6]. Companies currently offering NIS-2 certification or training do so based on their own interpretations or existing standards (such as ISO 27001), but these do not have official legal status.
In short: claims about “NIS-2 certification” are currently commercial and not legally recognized.
#### What is already known about that EC certification framework?
Little concrete information is yet known about the official European certification framework for NIS-2. The European Commission is working with ENISA (the EU Agency for Cybersecurity) on the development of such a framework, but this has not yet been finalized and is therefore not yet in force[^8_3].
The NIS-2 Directive itself does not prescribe mandatory certification for companies, but it does give the Commission the possibility to establish technical and methodological requirements for certain sectors and services in the future[^8_5]. This process is still under development.
In summary: there is not yet an official, EU-recognized NIS-2 certification framework; companies therefore cannot yet be certified according to a standard established by the EU. Any commercial “NIS-2 certificates” are currently not legally recognized.
#### NIS-2 Measures and International Standards
In Flemish Belgium, the measures that companies must take for NIS-2 conformity are based on internationally recognized standards such as the NIST processes and ISO 27001/27002[^5_2][^5_6]. Organizations must take risk management measures and align their cybersecurity with generally accepted security principles. For supervision, explicit reference is made to the CyberFundamentals framework (CyFun®) of the CCB (Centre for Cybersecurity Belgium) or an ISO 27001 certification as a control instrument[^5_2][^5_6]. This aligns with the approach of NIST and ISO, where risk management, incident response, continuity planning, and periodic audits are central[^5_6].
#### Do France and Germany also base their NIS-2 measures on international standards? Which ones?
Yes, both France and Germany base their measures for NIS-2 on international standards, particularly ISO 27001/27002. These standards are seen as a good benchmark for meeting NIS-2 requirements[^6_2][^6_6]. In both countries, companies are expected to align their risk management, security measures, and incident response with these internationally recognized frameworks. In practice, alignment with the NIST Cybersecurity Framework is also often sought, although ISO 27001/27002 is most explicitly mentioned in the context of European legislation[^6_2][^6_6].
In short: ISO 27001/27002 are the most important international references, and the NIST framework is also recognized as a best practice for NIS-2 compliance.
## Enforcement and Penalties
- **Fines**: Up to €10 million or 2% of global annual revenue, whichever is higher [^19_1][^19_6].
- **Management Liability**: Executives face personal liability for non-compliance, including potential bans from managerial roles [^19_2][^19_6].
- **Market Access Risks**: Non-compliance may disrupt partnerships with EU businesses or lead to exclusion from EU markets [^19_1][^19_5].
### What are the general expectations, as of May 2025, about enforcement of the NIS-2?
As of May 2025, enforcement of the NIS-2 Directive across the EU is marked by significant delays and fragmentation. Although the directive required all Member States to adopt and enforce national laws by October 2024, many—including Germany, France, and the Netherlands—have not yet fully transposed NIS-2 into national legislation[^11_2][^11_5][^11_6]. The European Commission has formally warned 19 Member States for failing to meet the deadline and may escalate to legal action if compliance is not achieved soon[^11_2].
In practice, this means that while the NIS-2 provisions are technically in effect at the EU level, actual enforcement depends on national laws and the readiness of designated authorities[^11_5][^11_6]. In countries where national laws are not yet in force, there is a period of legal uncertainty and limited practical enforcement, though organizations are expected to prepare for compliance[^11_5][^11_6][^11_7]. Once national laws are enacted—expected in the second half of 2025 for many countries—enforcement will become much stricter, with clear duties of care, incident reporting, and potential sanctions for non-compliance[^11_4][^11_5].
---
## Research and Footnotes
[Perplexity thread 1](https://www.perplexity.ai/search/fdc03878-e0c8-4528-bf04-b40a5aec593e)
[Perplexity thread 2](https://www.perplexity.ai/search/70b69cfe-ca35-4469-8c55-86fd1fc1d24c)
[^1_1]: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/
[^1_2]: https://www.security.nl/posting/862964/Re:+Nederland+voert+NIS2-richtlijn+naar+verwachting+derde+kwartaal+2025+in
[^1_3]: https://www.zlogin.nl/update/nis2-richtlijn-rol-eherkenning/
[^1_4]: https://www.rijksoverheid.nl/actueel/nieuws/2024/10/23/implementatie-nis2-en-cer-in-nederland-vertraagd-wat-betekent-dat-voor-u
[^1_5]: https://penrose.law/informatiebeveiliging_op_orde_nis2_cyberbeveiligingswet/
[^1_6]: https://www.fox-it.com/nl/nis2-een-nieuwe-europese-richtlijn-voor-netwerk-en-informatiebeveiliging/
[^1_7]: https://tweakers.net/nieuws/222522/nederlandse-nis2-wet-treedt-pas-in-tweede-of-derde-kwartaal-2025-in-werking.html
[^1_8]: https://digital-strategy.ec.europa.eu/nl/policies/nis2-directive-netherlands
[^1_9]: https://www.ncsc.nl/over-ncsc/wettelijke-taak/wat-gaat-de-nis2-richtlijn-betekenen-voor-uw-organisatie/planning-van-de-nis2-richtlijn
[^1_10]: https://www.thetrustedthirdparty.nl/blogs/wetgeving/van-nis2-naar-bio-wat-verandert-er-voor-de-overheid/
[^2_1]: https://digital-strategy.ec.europa.eu/nl/policies/nis2-directive-france
[^2_2]: https://digital-strategy.ec.europa.eu/nl/policies/nis-transposition
[^2_3]: https://www.techzine.nl/experts/privacy-compliance/563162/de-staat-van-nis2-een-versnipperde-aanpak-in-de-eu/
[^2_4]: https://www.ictmagazine.nl/experts/terwijl-de-deadline-nadert-struikelen-eu-landen-over-naleving-van-de-nis2-richtlijn/
[^2_5]: https://www.openkritis.de/eu/eu-nis-2-france.html
[^2_6]: https://www.careerguide.nl/artikel/terwijl-de-deadline-nadert-struikelen-eu-landen-over-naleving-van-de-nis2-richtlijn
[^2_7]: https://tweakers.net/nieuws/227724/belgie-en-kroatie-halen-als-enige-de-nis2-deadline-nederland-loopt-achter.html
[^2_8]: https://www.aon.com/nis2-nl
[^3_1]: https://www.techzine.nl/experts/privacy-compliance/563162/de-staat-van-nis2-een-versnipperde-aanpak-in-de-eu/
[^3_2]: https://www.eye.security/nl/blog/nis2-hoe-wordt-de-richtlijn-omgezet-in-europese-landen
[^3_3]: https://www.ictmagazine.nl/experts/terwijl-de-deadline-nadert-struikelen-eu-landen-over-naleving-van-de-nis2-richtlijn/
[^3_4]: https://www.ferner.nl/cyberbeveiliging-in-duitsland-implementatie-van-de-nis2-richtlijn-in-duitsland/
[^3_5]: https://www.careerguide.nl/artikel/terwijl-de-deadline-nadert-struikelen-eu-landen-over-naleving-van-de-nis2-richtlijn
[^3_6]: https://digital-strategy.ec.europa.eu/nl/policies/nis-transposition
[^3_7]: https://www.declercq.com/app/uploads/2024/02/NIS2-Praktische-handleiding-NL-De-Clercq-Advocaten-Notariaat-gecomprimeerd.pdf
[^3_8]: https://www.capgemini.com/nl-nl/expertise/research/omgaan-met-nis2/
[^4_1]: https://www.eye.security/nl/blog/nis2-hoe-wordt-de-richtlijn-omgezet-in-europese-landen
[^4_2]: https://digital-strategy.ec.europa.eu/nl/policies/nis-transposition
[^4_3]: https://www.internetconsultatie.nl/cyberbeveiligingswet/document/12562
[^4_4]: https://www.cgi.com/nl/nl/blog/cybersecurity/nis2-het-gras-altijd-groener-bij-de-buren
[^4_5]: https://www.ferner.nl/cyberbeveiliging-in-duitsland-implementatie-van-de-nis2-richtlijn-in-duitsland/
[^4_6]: https://samendigitaalveilig.nl/nieuws/bedrijven-lopen-risico-om-buitenlandse-klanten-kwijt-te-raken-door-nis2-regelgeving/
[^4_7]: https://www.ictmagazine.nl/experts/terwijl-de-deadline-nadert-struikelen-eu-landen-over-naleving-van-de-nis2-richtlijn/
[^4_8]: https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2022/oktober/13/index/NCSC_NIS2_D1_Final.pdf
[^5_1]: https://www.vlaio.be/nl/nieuws/op-18-oktober-2024-gaat-de-europese-cybersecurity-nis2-richtlijn-van-kracht
[^5_2]: https://www.vlaanderen.be/digitaal-vlaanderen/onze-diensten-en-platformen/cyber-response-team-lokaal-bestuur/nieuwe-wetgeving-nis2-wat-lokale-besturen-moeten-weten
[^5_3]: http://atwork.safeonweb.be/nl/nis2
[^5_4]: https://brandcompliance.com/docs/cyberfundamentals/
[^5_5]: https://www.vlaio.be/nl/nieuws/nieuwe-europese-cybersecurity-nis2-richtlijn-wat-betekent-dit-voor-jouw-onderneming
[^5_6]: https://www.dmvh.eu/blog/nis2-in-vlaanderen-implementatie-impact-gevolgen-voor-bedrijven
[^5_7]: https://v-ict-or.be/nieuws/2025/05/15/cww-vlaamse-lokale-besturen-maken-zich-klaar-voor-nis2
[^5_8]: http://ccb.belgium.be/nl/de-nis2-richtlijn-wat-betekent-dit-voor-mijn-organisatie
[^6_1]: https://digital-strategy.ec.europa.eu/nl/policies/nis2-directive-france
[^6_2]: https://www.declercq.com/app/uploads/2024/02/NIS2-Praktische-handleiding-NL-De-Clercq-Advocaten-Notariaat-gecomprimeerd.pdf
[^6_3]: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/
[^6_4]: https://www.sidn.nl/nieuws-en-blogs/nis2-en-domeinnamen-nog-veel-onzeker
[^6_5]: https://www.eye.security/nl/blog/nis2-hoe-wordt-de-richtlijn-omgezet-in-europese-landen
[^6_6]: https://www.ninjaone.com/nl/blog/nis2-vs-iso-27001/
[^6_7]: https://www.internetconsultatie.nl/cyberbeveiligingswet/document/12562
[^6_8]: https://www.imfacademy.com/nl/cyber-it-security/certified-nis2-lead-implementer.php
[^7_1]: http://ccb.belgium.be/nl/de-nis2-richtlijn-wat-betekent-dit-voor-mijn-organisatie
[^7_2]: http://atwork.safeonweb.be/nl/nis2
[^7_3]: https://brandcompliance.com/docs/cyberfundamentals/
[^7_4]: https://www.vlaanderen.be/digitaal-vlaanderen/onze-diensten-en-platformen/cyber-response-team-lokaal-bestuur/wat-betekent-de-nis2-wet-voor-lokale-besturen
[^7_5]: http://ccb.belgium.be/nl/recent-news-tips-and-warning/publicatie-van-de-nis2-wet-het-belgisch-staatsblad
[^7_6]: https://itce.be/post/nis2-richtlijn-in-belgie-wat-is-het-en-voor-wie-52-topics
[^7_7]: https://www.ntx.be/blog/cybersecurity/hoe-begin-je-met-nis2-en-welke-stappen-kan-je-nu-al-nemen/
[^7_8]: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/
[^8_1]: https://digital-strategy.ec.europa.eu/nl/policies/nis2-directive-netherlands
[^8_2]: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/
[^8_3]: https://digital-strategy.ec.europa.eu/nl/policies/nis-transposition
[^8_4]: https://www.ncsc.nl/over-ncsc/wettelijke-taak/wat-gaat-de-nis2-richtlijn-betekenen-voor-uw-organisatie/samenvatting-nis2-richtlijn
[^8_5]: https://www.nis-2-directive.com
[^8_6]: https://www.rijksoverheid.nl/actueel/nieuws/2024/10/23/implementatie-nis2-en-cer-in-nederland-vertraagd-wat-betekent-dat-voor-u
[^8_7]: https://eksa.nl/eksa-nis2-gecertificeerd-met-ingang-van-14-januari-2025/
[^8_8]: https://www.nba.nl/nieuws/2025/maart/cyberbeveiligingswet-nieuwe-verplichtingen-voor-bedrijven-onder-nis2-richtlijn/
[^9_1]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[^9_2]: https://www.nis-2-directive.com
[^9_3]: https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/
[^9_4]: https://nis2directive.eu/why-nis2/
[^9_5]: https://www.darktrace.com/cyber-ai-glossary/nis2-directive
[^9_6]: https://www.proofpoint.com/us/threat-reference/nis2-directive
[^9_7]: https://www.nfir.nl/en/nis2-all-about-the-directive-legislation-and-latest-status/
[^9_8]: https://www.nis-2-directive.com/NIS_2_Directive_Article_7.html
[^10_1]: https://www.nis-2-directive.com/NIS_2_Directive_Article_7.html
[^10_2]: https://www.nfir.nl/en/nis2-all-about-the-directive-legislation-and-latest-status/
[^10_3]: https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs
[^10_4]: https://www.nis-2-directive.com
[^10_5]: https://www.ey.com/en_pl/insights/law/nis2-supply-chain-security
[^10_6]: https://www.ccnet.de/en/blog/the-crucial-role-of-management-in-the-implementation-of-the-nis2-directive/
[^10_7]: https://www.veeam.com/blog/nis2-directive-explained.html
[^10_8]: https://assets.kpmg.com/content/dam/kpmg/pl/pdf/2023/10/kpmg-network-and-information-security-directive-nis2.pdf
[^11_1]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[^11_2]: https://digital-strategy.ec.europa.eu/en/policies/nis-transposition
[^11_3]: https://www.nis-2-directive.com
[^11_4]: https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/
[^11_5]: https://blog.grand.io/nis-2-directive-compliance-in-the-age-of-dora/
[^11_6]: https://connectontech.bakermckenzie.com/eu-nis2-implementation-where-are-we-now/
[^11_7]: https://ezine.eversheds-sutherland.com/eu-nis2-directive/netherlands
[^11_8]: https://www.sorainen.com/publications/nis-2-directive-the-eu-s-update-to-the-cybersecurity-framework/
[^12_1]: https://www.nis-2-directive.com
[^12_2]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[^12_3]: https://www.pwc.nl/en/insights-and-publications/themes/risk-regulation/new-european-nis2-directive-stricter-requirements-for-cyber-security.html
[^12_4]: https://www.infosecurity-magazine.com/blogs/nis2-everything-eu-orgs-need-to/
[^12_5]: https://www.nomios.nl/en/resources/what-is-nis2/
[^12_6]: https://www.deloitte.com/nl/en/services/risk-advisory/perspectives/the-nis2-directive.html
[^12_7]: https://highberg.com/insights/eight-things-you-need-to-know-about-nis2
[^12_8]: https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/
[^13_1]: https://nis2directive.eu/nis2-requirements/
[^13_2]: https://futurerange.ie/blog/understanding-the-implications-of-the-nis2-directive-for-board-directors/
[^13_3]: https://highberg.com/insights/eight-things-you-need-to-know-about-nis2
[^13_4]: https://blog.smartglobalgovernance.com/en/cybersecurity-governance-nis-2-makes-executives-accountable/
[^13_5]: https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_8_MGMT.pdf
[^13_6]: https://www.nis-2-directive.com/NIS_2_Directive_Board_of_Directors_Training.html
[^13_7]: https://www.guberna.be/en/know/guberna-what-does-nis2-mean-board-directors-and-executives
[^13_8]: https://www.deloitte.com/nl/en/services/risk-advisory/perspectives/the-nis2-directive.html
[^13_9]: https://www.anove.ai/blog-posts/the-nis2---what-boards-must-do
[^13_10]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[^14_1]: https://panorays.com/blog/nis2-compliance-for-third-party-risk-management/
[^14_2]: https://www.bitsight.com/blog/navigating-nis2-requirements-transforming-supply-chain-security
[^14_3]: https://mitratech.com/resource-hub/blog/nis2-and-third-party-risk-management/
[^14_4]: https://rhymetec.com/nis2-requirements/
[^14_5]: https://www.bitsight.com/blog/nis2-compliance-how-to-identify-critical-suppliers
[^14_6]: https://www.holmsecurity.com/nis2-supply-chain-requirements
[^14_7]: https://www.dataguard.com/nis2/requirements/
[^14_8]: https://www.ey.com/en_pl/insights/law/nis2-supply-chain-security
[^14_9]: https://nis2directive.eu/nis2-requirements/
[^14_10]: https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/
[^15_1]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[^15_2]: https://www.nis-2-directive.com
[^15_3]: https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333
[^15_4]: https://www.ncsc.nl/over-ncsc/wettelijke-taak/wat-gaat-de-nis2-richtlijn-betekenen-voor-uw-organisatie/samenvatting-nis2-richtlijn
[^15_5]: https://nis2directive.eu/what-is-nis2/
[^15_6]: https://www.cyberday.ai/blog/nis2-overview-history-key-contents-and-significance-for-top-management
[^15_7]: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/
[^15_8]: https://sosafe-awareness.com/glossary/nis2/
[^15_9]: https://nis2directive.eu/nis2-release-date/
[^15_10]: https://dispel.com/blog/what-was-the-original-nis-directive-and-why-was-it-not-sufficient
[^16_1]: https://www.nis-2-directive.com
[^16_2]: https://assets.kpmg.com/content/dam/kpmg/pl/pdf/2023/10/kpmg-network-and-information-security-directive-nis2.pdf
[^16_3]: https://eucrim.eu/news/edps-provides-opinion-on-cybersecurity-directive/
[^16_4]: https://esmt.berlin/knowledge/research-insights/eu-directive-network-and-information-security-requirements-digital
[^16_5]: https://www.nfir.nl/en/nis2-all-about-the-directive-legislation-and-latest-status/
[^16_6]: https://www.stibbe.com/publications-and-insights/the-revised-network-and-information-security-directive-enhancing-eu
[^16_7]: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX%3A32016L1148
[^16_8]: https://dispel.com/blog/what-was-the-original-nis-directive-and-why-was-it-not-sufficient
[^17_1]: https://www.ekelmansadvocaten.com/en/nis2-richtlijn-tips-om-je-als-organisatie-voor-te-bereiden-op-deze-nieuwe-regelgeving/
[^17_2]: https://advisera.com/articles/who-does-nis2-apply-to/
[^17_3]: https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_3_SECTORS.pdf
[^17_4]: https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/
[^17_5]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[^17_6]: https://www.int-comp.org/insight/nis2-are-you-in-scope/
[^17_7]: https://www.pwc.nl/en/insights-and-publications/themes/risk-regulation/new-european-nis2-directive-stricter-requirements-for-cyber-security.html
[^17_8]: https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_2_ENTITIES.pdf
[^17_9]: https://autenti.com/en/blog/nis2-directive-what-is-it-who-does-it-apply-to-and-from-when
[^17_10]: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/
[^18_1]: https://highberg.com/insights/eight-things-you-need-to-know-about-nis2
[^18_2]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[^18_3]: https://ecs-org.eu/activities/nis2-directive-transposition-tracker/
[^18_4]: https://www.onespan.com/blog/NIS2-part1-what-is-new-in-NIS2-Directive
[^18_5]: https://www.twobirds.com/-/media/new-website-content/insights/pdfs/220607_nis2-directive_provisional-agreement_newsletter_final.pdf
[^18_6]: https://www.ceeyu.io/resources/blog/will-your-company-be-subject-to-nis2
[^18_7]: https://www.mayerbrown.com/en/insights/publications/2024/08/new-eu-cyber-rules-implementation-of-nis2-in-the-eu-member-states
[^18_8]: https://www.jdsupra.com/legalnews/navigating-the-eu-s-nis-2-directive-key-1620256/
[^19_1]: https://www.linkedin.com/pulse/beyond-borders-what-non-eu-companies-need-know-new-nis2-q0d5f
[^19_2]: https://nis2directive.eu/nis2-requirements/
[^19_3]: https://www.nis-2-directive.com
[^19_4]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[^19_5]: https://www.dataguard.com/nis2/requirements/
[^19_6]: https://www.metricstream.com/blog/navigating-the-nis2-directive-compliance-success.html
[^19_7]: https://www.skadden.com/insights/publications/2024/10/navigating-the-new-cybersecurity-landscape
[^19_8]: https://www.zivver.com/blog/how-to-comply-with-nis2
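Review bot: The "Local differences" section makes the same France/Germany contrasts twice: the bullets on local authorities, extra sectors and the micro-enterprise exclusion under "The main differences in emphasis ..." reappear almost verbatim under "Differences" as the Scope and Exemptions bullets. Merge the two lists into one (keeping the footnotes from both) so the reader is not told twice that micro-enterprises are largely exempt in Germany while France broadens the scope; the unsourced sentence "In France, the national cybersecurity authority ANSSI has more control." could get a footnote while you are there. Two smaller points in the same file: the directive is written as "NIS2", "NIS 2" and "NIS-2" in different sections ("NIS2s extraterritorial scope" next to "NIS-2 Stakeholders"), so settle on one form, and that phrase and "the organizations cybersecurity risk management measures" are missing their possessive apostrophe. In the footnote list several keys point at the same URL (the digitaleoverheid.nl nis2-richtlijn page is [^1_1], [^6_3], [^7_8], [^8_2], [^15_7] and [^17_10]; nis-2-directive.com is [^8_5], [^9_2], [^10_4], [^11_3], [^12_1], [^15_2], [^16_1] and [^19_3]), which one key per source would avoid.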

View file

@ -0,0 +1,68 @@
Hierbij de inhoudsopgave voor het document _Wetsvoorstel Cyberbeveiligingswet (Cbw)_, gebaseerd op de hoofdstukken en artikelen die in de bronnen zijn opgenomen:
**INHOUDSOPGAVE WETSVOORSTEL CYBERBEVEILIGINGSWET (CBW)**
Bij [](Wetsvoorstel%20Cyberbeveiligingswet%20Cbw.pdf)
| | | |
| ---------------- | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Hoofdstuk | Titel | Artikelen |
| **HOOFDSTUK 1** | **BEGRIPSBEPALING** | Artikel 1 |
| **HOOFDSTUK 2** | **ALGEMEEN** | Artikel 2 (doel van deze wet) |
| | | Artikel 3 (uitvoering uitvoeringshandelingen, gedelegeerde handelingen en richtsnoeren) |
| **HOOFDSTUK 3** | **TOEPASSINGSBEREIK EN JURISDICTIE** | Artikel 4 (toepassingsbereik en jurisdictie) |
| | | Artikel 5 (overheidsinstanties die in hoofdzaak activiteiten uitvoeren op het gebied van nationale veiligheid, openbare veiligheid, defensie of rechtshandhaving) |
| | | Artikel 6 (root-naamservers) |
| | | Artikel 7 (uitzondering entiteiten Verordening (EU) 2022/2554) |
| **HOOFDSTUK 4** | **ESSENTIËLE ENTITEITEN EN BELANGRIJKE ENTITEITEN** | |
| § 4.1 | Essentiële entiteiten | Artikel 8 t/m 11 |
| § 4.2 | Belangrijke entiteiten | Artikel 12 t/m 13 |
| **HOOFDSTUK 5** | **AANWIJZING EN TAKEN VAN INSTANTIES** | Artikel 14 (aanwijzing en taken centraal contactpunt) |
| | | Artikel 15 (aanwijzing en taken bevoegde autoriteit) |
| | | Artikel 16 (aanwijzing, taken en eisen CSIRT) |
| | | Artikel 17 (aanwijzing en taken coördinator bekendmaking kwetsbaarheden) |
| | | Artikel 18 (aanwijzing en taken cybercrisisbeheerautoriteit) |
| **HOOFDSTUK 6** | **NATIONALE CYBERBEVEILIGINGSSTRATEGIE EN NATIONAAL PLAN VOOR GROOTSCHALIGE CYBERBEVEILIGINGSINCIDENTEN EN CRISISRESPONS** | Artikel 19 (nationale cyberbeveiligingsstrategie) |
| | | Artikel 20 (nationaal plan voor grootschalige cyberbeveiligingsincidenten en crisisrespons) |
| **HOOFDSTUK 7** | **ZORGPLICHT EN GOVERNANCE** | Artikel 21 (zorgplicht) |
| | | Artikel 22 (sectorspecifieke rechtshandelingen zorgplicht) |
| | | Artikel 23 (ontheffing zorgplicht) |
| | | Artikel 24 (governance) |
| **HOOFDSTUK 8** | **SIGNIFICANTE INCIDENTEN, INCIDENTEN, BIJNA-INCIDENTEN, SIGNIFICANTE CYBERDREIGINGEN, CYBERDREIGINGEN EN KWETSBAARHEDEN** | |
| § 8.1 | Meldplicht | Artikel 25 t/m 30 |
| § 8.3 | Sectorspecifieke rechtshandelingen en ontheffing | Artikel 31 t/m 32 |
| § 8.4 | Vrijwillige meldingen | Artikel 33 t/m 34 |
| § 8.5 | Nadere regels | Artikel 35 |
| § 8.6 | Taken en bevoegdheden van het CSIRT en de bevoegde autoriteit bij significante incidenten en significante cyberdreigingen | Artikel 36 t/m 38 |
| § 8.7 | Informatieverstrekking in verband met meldingen | Artikel 39 t/m 41 |
| **HOOFDSTUK 9** | **AANWIJZING VERTEGENWOORDIGER** | Artikel 42 (aanwijzing vertegenwoordiger) |
| **HOOFDSTUK 10** | **NATIONAAL REGISTER VAN ESSENTIËLE ENTITEITEN, BELANGRIJKE ENTITEITEN EN ENTITEITEN DIE DOMEINNAAMREGISTRATIEDIENSTEN VERLENEN** | Artikel 43 t/m 46 |
| **HOOFDSTUK 11** | **INFORMATIEVERSTREKKING TEN BEHOEVE VAN HET REGISTER VAN ENISA** | Artikel 47 t/m 48 |
| **HOOFDSTUK 12** | **DATABASE MET DOMEINNAAMREGISTRATIEGEGEVENS** | Artikel 49 t/m 50 |
| **HOOFDSTUK 13** | **SAMENWERKING EN INFORMATIE-UITWISSELING** | |
| § 13.1 | Samenwerking en informatie-uitwisseling met betrekking tot instanties | Artikel 51 |
| § 13.2 | Samenwerking en informatie-uitwisseling met betrekking tot CSIRTs | Artikel 52 t/m 54 |
| § 13.3 | Samenwerking en informatie-uitwisseling met betrekking tot de bevoegde autoriteit | Artikel 55 t/m 61 |
| § 13.4 | Informatie-uitwisseling tussen entiteiten | Artikel 62 |
| **HOOFDSTUK 14** | **VERWERKING VAN GEGEVENS** | Artikel 63 t/m 67 |
| **HOOFDSTUK 15** | **HANDHAVING** | |
| § 15.1 | Algemeen | Artikel 68 t/m 69 |
| § 15.2 | Handhaving ten aanzien van essentiële entiteiten | Artikel 70 t/m 80 |
| § 15.3 | Handhaving ten aanzien van belangrijke entiteiten | Artikel 81 t/m 87 |
| § 15.4 | Handhaving ten aanzien van entiteiten die domeinnaamregistratiediensten verlenen | Artikel 88 t/m 91 |
| § 15.5 | Handhaving ten aanzien van de verplichtingen, bedoeld in artikel 24, tweede tot en met zesde lid | Artikel 92 t/m 93 |
| **HOOFDSTUK 16** | **SLOTBEPALINGEN** | |
| § 16.1 | Evaluatie | Artikel 94 (evaluatiebepaling) |
| § 16.2 | Overgangsrecht | Artikel 95 t/m 96 |
| § 16.3 | Inwerkingtreding zorgplicht ten aanzien van instellingen voor hoger onderwijs | Artikel 97 t/m 98 |
| § 16.5 | Wijzigingen bestaande wetgeving | Artikel 99 t/m 103 |
| § 16.6 | Wijzigingen van de NIS2-richtlijn | Artikel 104 |
| § 16.7 | Inwerkingtreding onderdelen van de Wet bestuur en toezicht rechtspersonen | Artikel 105 |
| § 16.8 | Overig | Artikel 106 t/m 108 |
**Bijlagen**
De bijlagen bevatten de indeling van sectoren en subsectoren waarop de wet van toepassing is:
• **BIJLAGE 1**
• **BIJLAGE 2**
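Review bot: the chapter 16 rows jump from § 16.3 (Inwerkingtreding zorgplicht hoger onderwijs) straight to § 16.5 (Wijzigingen bestaande wetgeving); either § 16.4 was dropped while building the table or the paragraph numbering is off, so check it against the law text before this index is used for cross-referencing. The "Bijlagen" bullets carry only the names "BIJLAGE 1" and "BIJLAGE 2" with no description, while the lead sentence says they hold the sector and subsector classification; add which sectors each annex covers, or the article that refers to each annex, so the entry is as usable as the rest of the table.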

View file

@ -0,0 +1,65 @@
Hieronder volgt een gedetailleerde checklist van de te nemen maatregelen en de randvoorwaarden uit Artikel 21, aangevuld met gerelateerde governance-eisen uit Artikel 24 en de NIS 2 context.
---
## Checklist Maatregelen Zorgplicht (Artikel 21 Cbw)
### A. Algemene Principes en Kaders (Art. 21, lid 1 & 2)
| Vereiste | Omschrijving |
| :---------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **1. Passende en Evenredige Maatregelen** | Neem passende en evenredige technische, operationele en organisatorische maatregelen om de risicos voor netwerk- en informatiesystemen te beheersen. |
| **2. Doelstelling** | De maatregelen moeten incidenten voorkomen of de gevolgen van incidenten voor afnemers van diensten en andere diensten beperken. |
| **3. Risicogebaseerd Beveiligingsniveau** | Zorg voor een beveiligingsniveau van de systemen dat **is afgestemd op de geïdentificeerde risicos**. |
| **4. Rekening Houden met Context** | Houd bij het nemen van maatregelen rekening met: de **stand van de techniek**, de **uitvoeringskosten**, en, indien van toepassing, de relevante **Europese en internationale normen**. |
| **5. Evenredigheidsbeoordeling** | Houd rekening met de mate waarin de entiteit aan risicos is blootgesteld, de omvang van de entiteit, de kans op incidenten en de ernst ervan (inclusief maatschappelijke en economische gevolgen). |
| **6. All-hazards Benadering** | Baseer de maatregelen op een **benadering die alle gevaren omvat**. |
| **7. Fysieke Beveiliging** | De maatregelen moeten de netwerk- en informatiesystemen én de **fysieke omgeving** van die systemen tegen incidenten beschermen. |
| **8. Continue Verbetering (PDCA)** | Richten robuuste risicomanagement processen in, met nadruk op het **cyclische karakter** (Plan-Do-Check-Act cyclus). |
---
### B. Minimaal Vereiste Maatregelen (Art. 21, lid 3, onder a t/m j)
De maatregelen, bedoeld in lid 1, omvatten ten minste het volgende:
|Maatregel|Omschrijving|Bronverwijzing|
|:--|:--|:--|
|**a. Risicoanalyse en Beveiligingsbeleid**|Beleid inzake **risicoanalyse** en **beveiliging van informatiesystemen**.|[86, a]|
|**b. Incidentenbehandeling**|Procedures en praktijken voor adequate **incidentenbehandeling**. (Dit omvat ook het opstellen van een incident respons plan (IRP) en procedures voor detectie, monitoring, en melden van incidenten).|[86, b]|
|**c. Bedrijfscontinuïteit**|Maatregelen voor **bedrijfscontinuïteit**, zoals **back-upbeheer**, **herstelplannen** en **crisisbeheer**.|[86, c]|
|**d. Beveiliging Toeleveringsketen**|De beveiliging van de **toeleveringsketen**, met inbegrip van beveiligingsgerelateerde aspecten met betrekking tot de relaties tussen de entiteit en haar **rechtstreekse leveranciers of dienstverleners**.|[87, d]|
|**e. Systeembeveiliging & Kwetsbaarheden**|Beveiliging bij het **verwerven, ontwikkelen en onderhouden** van netwerk- en informatiesystemen, met inbegrip van de **respons op en bekendmaking van kwetsbaarheden**.|[87, e]|
|**f. Effectiviteitsbeoordeling**|Beleid en procedures om de **effectiviteit van maatregelen** voor het beheersen van cyberbeveiligingsrisicos te beoordelen.|[87, f]|
|**g. Cyberhygiëne en Opleiding**|**Basispraktijken op het gebied van cyberhygiëne** en **opleiding** op het gebied van cyberbeveiliging.|[87, g]|
|**h. Cryptografie en Encryptie**|Beleid en procedures inzake het gebruik van **cryptografie** en, in voorkomend geval, **encryptie**.|[88, h]|
|**i. Personeel, Toegang en Assets**|Beveiligingsaspecten ten aanzien van **personeel**, **toegangsbeleid** en **beheer van assets**.|[88, i]|
|**j. Authenticatie en Communicatie (indien gepast)**|Wanneer gepast, het gebruik van **multifactor-authenticatie-** of **continue-authenticatieoplossingen**, beveiligde spraak-, video- en tekstcommunicatie en beveiligde noodcommunicatiesystemen binnen de entiteit.|[88, j]|
---
### C. Specifieke Eisen Toeleveringsketen (Art. 21, lid 4)
Wanneer de entiteit passende maatregelen voor de beveiliging van de toeleveringsketen (punt d) overweegt, moet zij rekening houden met:
|Specifieke Factor|Bronverwijzing|
|:--|:--|
|**1. Kwetsbaarheden Leveranciers**|De **specifieke kwetsbaarheden** van elke rechtstreekse leverancier en dienstverlener [89, a].|
|**2. Kwaliteit Beveiligingspraktijken**|De **algemene kwaliteit** van de producten en de cyberbeveiligingspraktijken van haar leveranciers en dienstverleners, met inbegrip van hun **veilige ontwikkelingsprocedures** [89, b].|
|**3. Risicobeoordeling Kritieke Ketens**|De resultaten van de door de samenwerkingsgroep uitgevoerde **gecoördineerde beveiligingsrisicobeoordelingen** van kritieke toeleveringsketens [89, c].|
|**4. Contractuele Vastlegging**|Het **opnemen van risicomanagement-maatregelen** in de contracten met leveranciers en de leveranciers **contractueel verplichten** de veiligheid van hun leveranciers te waarborgen.|
---
### D. Governance en Bewustzijn (Verband met Art. 21 en Art. 24)
Deze elementen zijn cruciaal voor de implementatie en naleving van Artikel 21:
| Governance Vereiste | Omschrijving |
| :------------------------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **1. Bestuursgoedkeuring** | De maatregelen (Art. 21) behoeven de **goedkeuring van het bestuur** van de entiteit. |
| **2. Bevordering van Cultuur** | Bevorder **veilig gedrag en een cultuur** waarin incidenten veilig gemeld en verwerkt kunnen worden. |
| **3. Training Werknemers** | Het management moet zorgen voor **regelmatige training van de werknemers** op het gebied van informatiebeveiliging. |
| **4. Bestuurskennis** | Ieder lid van het bestuur moet beschikken over actuele **kennis en vaardigheden** om risicos te identificeren, risicobeheersmaatregelen te beoordelen en de gevolgen daarvan voor de geleverde diensten te beoordelen. |
| **5. Aantoonbaarheid Bestuurskennis** | Bestuursleden moeten deze kennis en vaardigheden aantoonbaar actueel houden en een **certificaat** bezitten waaruit de deelname blijkt aan een relevante training. |
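Review bot: row 4 of table C ("Contractuele Vastlegging") has no source reference, while rows 1 to 3 cite [89, a] to [89, c]; either add the reference or mark the row as the author's own addition, so a reader does not take it for a literal Article 21(4) requirement. The bracketed references themselves ([86, a] through [89, c]) are never explained anywhere in the file; a one-line legend stating which document and page the numbers point to would make the checklist verifiable. Minor: in table A row 8, "Richten robuuste risicomanagement processen in" should read "Richt robuuste risicomanagementprocessen in" to match the imperative form used by the other rows.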

View file

@ -0,0 +1,154 @@
---
tags:
- NIS2
---
AI generated reading guide for an information security consultant.
Drawing on the following sources:
- Beleidskompas Cyberbeveiligingsbesluit.pdf
- Concept ministeriële regeling uitwerking zorgplicht.pdf (consultatieversie)
- Cyberbeveiligingsbesluit - amvb - consultatieversie.pdf
- Cyberbeveiligingsbesluit nota van toelichting - consultatieversie.pdf
- NIS2_NL.pdf
Designed to connect the duty of care ('zorgplicht') requirements stemming from the NIS2 Directive, as implemented in the Dutch Cyberbeveiligingswet (Cbw), to existing security frameworks, particularly ISO 27001 and ISO 27002.
---
# **Reading Guide: Connecting NIS2 Zorgplicht (NL) to ISO 27001/27002**
This guide is designed for information security consultants working with entities that may fall under the scope of the Dutch implementation of the NIS2 Directive. It explains the key legal documents and how their requirements, specifically regarding the 'zorgplicht' (duty of care), align with established information security management frameworks like ISO 27001 and ISO 27002.
## **1. The Document Landscape: Understanding the Hierarchy**
To understand the Dutch implementation of the NIS2 Directive and its requirements, it is essential to see how the different documents relate to each other:
- **The NIS2 Directive (Richtlijn (EU) 2022/2555):** This is the foundational European Union directive. Its primary goal is to achieve a high common level of cybersecurity across the Union and improve the functioning of the internal market by addressing inconsistencies in previous national implementations (like under NIS1). It sets minimum requirements for cybersecurity risk management and reporting obligations for covered entities.
- **The Cyberbeveiligingswet (Cbw):** This is the Dutch national law that implements the NIS2 Directive in the Netherlands. It lays down the fundamental obligations, including the 'zorgplicht' (duty of care) for essential and important entities. The Cbw is mentioned as the basis for subsequent legal texts.
- **The Cyberbeveiligingsbesluit (Cbb):** This is a lower-level regulation ('Algemene Maatregel van Bestuur' - AMvB) that elaborates on the Cyberbeveiligingswet. It details specific requirements stemming from the Cbw, such as further defining the measures entities must take under the duty of care (articles 6 to 18 Cbb elaborate article 21 Cbw), designating the national CSIRT and vulnerability coordinator, setting rules for incident reporting and criteria for significant incidents (though criteria details are delegated), requiring registration in a national register, detailing board training requirements, and outlining supervision and enforcement powers. It also amends other Dutch laws to integrate the NIS2 requirements.
- **The Concept Ministeriële Regeling uitwerking zorgplicht:** This is a draft ministerial regulation ('Ministeriële Regeling') that provides a _further, more detailed elaboration_ of specific aspects of the duty of care as outlined in the Cyberbeveiligingsbesluit (specifically Chapter 4 of the draft Cbb). This level of regulation allows for sector-specific variations if needed. This document includes detailed requirements for policies, risk management procedures, business continuity plans, supply chain agreements, security in acquisition/development/maintenance, personnel security, access policies, and asset management.
- **Explanatory Memoranda (Nota van Toelichting):** These documents accompany the Cbb and the draft ministerial regulation. They provide context, justification, and article-by-article explanations for the legal text. They clarify the intent behind specific requirements and how they relate to the NIS2 Directive and existing practices, including mentioning relevant standards.
**In summary:** The **NIS2 Directive** sets the overall European framework. The **Cyberbeveiligingswet** translates this into Dutch law. The **Cyberbeveiligingsbesluit** provides general implementing rules, and the **Ministeriële Regeling** (like the concept version provided) adds further detail, potentially with sector-specific nuances, to the duty of care obligations. The **Explanatory Memoranda** clarify the reasoning and specifics of the Cbb and the Ministerial Regulation.
## **2. The Duty of Care (Zorgplicht)**
A central obligation for essential and important entities under the Cbw (implementing NIS2 Article 21) is the 'zorgplicht' (duty of care). This requires entities to implement **appropriate and proportionate technical, operational, and organizational measures** to manage risks to the security of their network and information systems and to prevent or minimize the impact of incidents.
These measures must ensure a security level of network and information systems proportionate to the risks, taking into account the state of the art, relevant standards, and implementation costs. The proportionality assessment should consider the entity's risk exposure, size, and the potential severity of incidents, including societal and economic consequences. The approach must cover **all hazards**.
The Cbw (Article 21(3)) and Cbb (Articles 6-18) outline the minimum required measures. These include, but are not limited to:
- Policy on risk analysis and security of information systems.
- Incident handling.
- Business continuity, including backup management, disaster recovery plans, and crisis management.
- Supply chain security, focusing on security aspects of relationships with direct suppliers.
- Security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure.
- Policy and procedures to assess the effectiveness of cybersecurity risk management measures.
- Basic cyber hygiene practices and cybersecurity training.
- Policy and procedures on the use of cryptography and encryption.
- Security aspects concerning personnel, access policy, and asset management.
- Where appropriate, the use of multi-factor authentication, secure communications, and secure emergency communication systems.
The draft Ministerial Regulation further details many of these requirements. For example, it specifies procedures for risk management (including defining risk criteria, identifying risks and owners, analyzing, evaluating, and treating risks) and the required contents of a business continuity plan and backup procedures (including RTO/RPO, integrity/confidentiality/availability safeguards, testing).
Entities must have **documented policy** for many of these areas (e.g., network and information system security, risk management, incident handling, supply chain security, cryptography, personnel security, access policy, asset management). These policies must be **demonstrably applied**.
Furthermore, the management body (board) of essential and important entities must **approve the risk management measures** and oversee their implementation, and they can be held **liable** for breaches. Members of the management body are required to receive **training** to gain sufficient knowledge and skills to assess risks, risk management practices, and their impact.
## **3. Connecting to Existing Security Frameworks: ISO 27001 & ISO 27002**
The NIS2 Directive and its Dutch implementation in the Cbw, Cbb, and subsequent Ministerial Regulations set forth a comprehensive set of requirements for managing cybersecurity risks. While they do not mandate a specific framework, the requirements align closely with the principles and controls found in widely recognized standards like **ISO/IEC 27001** (Information security management systems - Requirements) and **ISO/IEC 27002** (Information security controls).
Several points in the sources explicitly support this connection:
- The explanatory memorandum for the Cbb states that an Information Security Management System (ISMS), such as the **ISO 27000-series**, can be used as a management system framework to demonstrate compliance with the duty of care requirements.
- In the context of asset management, the explanatory memorandum for the draft Ministerial Regulation notes that the concept of "information and other related business assets" and classifying assets based on the impact on confidentiality, integrity, and availability is standard in **ISO 27002**.
- Feedback from the SME panel, as reported in the Cbb explanatory memorandum, suggested using the **ISO 27001** standard as a "kapstok" (framework) because many SMEs are already familiar with it. This highlights that industry stakeholders see ISO 27001 as a relevant approach to meeting the requirements.
- The NIS2 Directive itself encourages the use of European and international standards and technical specifications relevant to network and information systems security. It mentions the **ISO/IEC 27000 series** in relation to the physical and environmental security aspects of the "all hazards" approach for risk management.
**How ISO 27001/27002 can help meet NIS2/Cbw/Cbb requirements:**
- **ISO 27001** provides a structured framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS. Implementing an ISMS based on ISO 27001 can help entities meet the requirement for a **management system** for the security of their network and information systems, enabling demonstrable compliance. The risk assessment and treatment process central to ISO 27001 directly supports the NIS2/Cbw/Cbb requirements for **risk management policy and procedures**.
- **ISO 27002** provides detailed guidance on information security controls. The control areas in ISO 27002 correspond closely to the mandatory measures listed under the NIS2/Cbw/Cbb duty of care. For example:
- **Risk Management (ISO 27001 Annex A, ISO 27002 Theme 5):** Directly supports the comprehensive risk management requirements.
- **Incident Management (ISO 27002 Theme 5):** Corresponds to the incident handling requirements.
- **Business Continuity (ISO 27002 Theme 5):** Aligns with the requirements for business continuity planning, backups, and crisis management.
- **Supply Chain Security (ISO 27002 Theme 5):** Addresses the requirements for managing security risks with suppliers and service providers.
- **Acquisition, Development, and Maintenance (ISO 27002 Theme 8):** Covers security requirements in system lifecycles, vulnerability management, and patching.
- **Effectiveness Assessment (ISO 27001 Clause 9, ISO 27002 Theme 5):** Supports the requirement to assess the effectiveness of risk management measures.
- **Cyber Hygiene and Training (ISO 27002 Theme 8):** Aligns with requirements for basic practices and personnel training/awareness.
- **Cryptography (ISO 27002 Theme 8):** Addresses the policy requirements for using cryptography.
- **Personnel Security (ISO 27002 Theme 6):** Covers requirements for assigning roles, responsibilities, and reliability checks.
- **Access Control (ISO 27002 Theme 8):** Addresses policies and procedures for logical and physical access.
- **Asset Management (ISO 27002 Theme 5):** Supports the requirements for identifying, classifying, and managing assets.
Using ISO 27001 as the framework and ISO 27002 for implementing controls can provide a structured and internationally recognized approach to meet the comprehensive duty of care requirements defined by the NIS2 Directive, the Cbw, the Cbb, and the detailed Ministerial Regulations. This approach can also help entities to demonstrably apply their security policies, as required.
## **4. Key Considerations for Consultants**
- **Scope:** Be aware of which entities are covered (essential, important, certain smaller entities). Note exclusions (e.g., certain government activities) and entities covered by EU Regulation 2024/2690 (for which Cbb articles 6-16 and 24 do not apply).
- **Risk-Based Approach & Proportionality:** The legal framework explicitly mandates a risk-based approach and proportionality. Tailor security measures and ISMS implementation to the specific risks, size, and impact of the entity. The definition of risk criteria and risk acceptance is a key procedural requirement.
- **Documentation:** Emphasize the requirement for written and demonstrable policies and procedures for various security aspects. An ISMS helps manage this documentation.
- **Governance & Training:** Note the specific requirement for board approval and oversight of risk management measures, and the mandatory training for board members. This is a distinct requirement that needs to be addressed.
- **Incident Reporting:** Understand the multi-stage reporting obligations for significant incidents. Voluntary reporting is also encouraged.
- **Supply Chain:** The focus extends beyond direct suppliers, and entities must assess supplier security practices. The SME panel highlighted challenges for smaller suppliers.
- **Asset Management:** The requirement for a complete and current inventory, including classification based on impact (CIA), is explicitly detailed and linked to ISO 27002 and business continuity.
- **Supervision & Enforcement:** Be aware of the differentiated supervision regimes for essential (proactive and reactive) and important (reactive only) entities, and the potential enforcement measures, including administrative fines and, for essential entities in case of persistent non-compliance, temporary service suspensions or management prohibitions.
- **SME Support:** Recognize the challenges for smaller entities (awareness, costs, complexity). Advise them on seeking government support (guides, tools, templates). Advocate for clear, proportional, and goal-oriented requirements where possible.
- **Interoperability and Standards:** The legal framework encourages alignment with European and international standards. This reinforces the utility of using standards like ISO 27001/27002.
By using this guide and delving into the specifics of each document, a consultant can effectively navigate the Dutch NIS2 landscape, translate legal requirements into practical security measures, and leverage existing frameworks like ISO 27001/27002 to support their clients in achieving compliance and enhancing their digital resilience.
## Literal references to standards and frameworks
### ISO 27k family
Yes, the sources contain literal references to standards within the ISO 27000 series, including specific mentions of **ISO 27001** and **ISO 27002**.
Here are the details from the sources:
1. **ISO 27000 series as an example of a management system:**
- The explanatory memorandum mentions that the Cyberbeveiligingsbesluit (Cbb) elaborates on the duty of care requirements for essential and important entities outlined in Article 21 of the Cyberbeveiligingswet (Cbw). Article 6, paragraph 4, of the Cbb requires entities to use a management system for the security of their network and information systems to demonstrate compliance. The purpose of this system is to make network and information security risks understandable, take measures to manage them, and adjust them as needed to reduce risks to an acceptable level in a structured manner. Examples of such a management system include an Information Security Management System (ISMS) such as the **ISO 27000 series**.
2. **ISO 27002 in the context of asset management:**
- The concept ministerial regulation detailing the duty of care mentions asset management, based on Article 16 of the Cbb. To determine security risks, essential and important entities need to know which network and information systems they possess and how these relate to their activities and services. In **ISO 27002**, this is referred to as 'information and other related assets', where assets are defined as anything of value to the business, excluding personnel and financial means, but potentially including specific licenses.
- For proper protection of these assets, an up-to-date inventory is necessary, which must include a classification of assets based on security requirements. Customarily, this classification is based on the impact on business operations, which is the standard in **ISO 27002**, among other frameworks. The inventory should also indicate which processes the asset is used for, linking it to the business continuity plan, as the classification and impact of asset failure should be considered in that plan.
3. **SME panel suggestion regarding ISO 27001:**
- In the explanatory memorandum, feedback from a panel of SME entrepreneurs on the draft regulation is discussed. Regarding the duty of care, the panel found the requirement to take specific measures for network and information system security reasonable but questioned its feasibility and affordability for SMEs. The panel members suggested using the **ISO 27001** standard as a framework ("kapstok") because many SMEs are already familiar with this standard framework ("normenkader"). They advocated for clear and proportionate requirements and for tailored approaches ("maatwerk").
These references indicate that standards like **ISO 27001** and **ISO 27002** are seen as relevant frameworks or examples for implementing the cyber resilience measures required by the Cyberbeveiligingswet and its underlying regulations.
### Others
Yes, in addition to the literal references to ISO 27001 and ISO 27002 discussed previously, the sources also contain literal references to several **other standards, frameworks, protocols, and EU legal acts** that are relevant in the context of the Cyberbeveiligingswet (Cbw) and its underlying regulations, particularly the Cyberbeveiligingsbesluit (Cbb) and the concept ministerial regulation.
Here are some examples from the sources:
- **ISO 27000 series:** Mentioned generally as an example of an Information Security Management System (ISMS) that essential and important entities can use to demonstrate compliance with the duty of care requirements. Physical and environmental security measures as part of cybersecurity risk management should be in accordance with European and international standards such as those in the ISO/IEC 27000 series.
- **EIC 62443:** Mentioned as another example of a management system, specifically a Cyber Security Management System (CSMS), alongside the ISO 27000 series.
- **ISO/IEC 17788:2014:** This standard is mentioned in the context of defining terms like "service and deployment models" for cloud computing.
- **ISO/IEC 30111 and ISO/IEC 29147:** These international standards are referenced as providing guidelines for vulnerability response and disclosure.
- **European and international standards:** General encouragement is given for entities to use relevant European and international standards and technical specifications for managing cybersecurity risks, and knowledge of these is required for qualified trainers. The Commission aims to follow these standards when preparing implementing acts.
- **Technical specifications:** Mentioned alongside standards as relevant for cybersecurity risk management, and Enisa provides advice on these.
- **European cybersecurity certification schemes:** Member states may require or encourage entities to use ICT products, services, or processes certified under these schemes, established under **Verordening (EU) 2019/881 (the Cybersecurity Act)**.
- **Qualified trust services:** Essential and important entities are encouraged to use these services, which are defined in **Verordening (EU) nr. 910/2014 (eIDAS Regulation)**.
- **Zero trust principles:** Listed as one of the basic practices in cyber hygiene that essential and important entities should apply. It can also be used as a starting point for the design and development of software, hardware, and services.
- **Security by design / security by default:** Mentioned as principles that can be used as starting points for the development and implementation of software, hardware, and services, and their use for encryption is promoted.
- **Traffic light protocol (TLP):** Referenced as an informal information sharing agreement used by CSIRTs and information sharing centers. It is explicitly mentioned as a relevant information sharing protocol for CSIRTs collaborating with third countries.
- **Plan-Do-Check-Act (PDCA) cycle:** This iterative management method is mentioned as the basis for the management system for network and information system security.
- **Need-to-know principle, Least privilege principle, and Separation of duties:** These principles are mentioned as considerations for assigning and using special access rights within an access policy.
- **Recovery time objective (RTO) and Recovery point objective (RPO):** These English terms are provided as equivalents for "hersteltijden" and "herstelpunten" in the context of backup plans.
- **NACE Rev. 2:** This classification of economic activities is used in Annex II of the NIS2 Directive to specify certain manufacturing sub-sectors that fall under its scope.
- **Other EU Legal Acts:** Numerous other EU Regulations and Directives are referenced, particularly in the NIS2 Directive source, as they define the types of entities covered, establish related requirements, or interact with the NIS2 framework. Examples include:
- **Richtlijn (EU) 2022/2555 (the NIS2 Directive itself):** The primary source, which is implemented by the Cbw and Cbb.
- **Verordening (EU) 2022/2554 (DORA):** Mentioned as a sector-specific act for financial entities that applies instead of NIS2 for certain requirements. Cooperation between DORA and NIS2 authorities is foreseen.
- **Richtlijn (EU) 2022/2557 (CER Directive):** Requires a coherent approach with NIS2, and critical entities under CER are considered essential entities under NIS2.
- **Verordening (EU) nr. 910/2014 (eIDAS Regulation):** Relevant for trust service providers who fall under NIS2. Defines trust services.
- **Richtlijn (EU) 2018/1972 (European Electronic Communications Code):** Relevant for providers of electronic communication networks and services who fall under NIS2. Defines related terms.
- **Verordening (EU) 2016/679 (GDPR):** Applicable to the processing of personal data under NIS2.
- **Richtlijn 2002/58/EG (ePrivacy Directive):** Applicable to certain processing of personal data.
- **Aanbeveling 2003/361/EG:** Used to define enterprise sizes (micro, small, medium) which determines if entities fall under NIS2 scope or are classified as essential or important.
- **Frascati Manual 2015:** Used for defining research organizations.
These references show that the regulatory framework established by the Cbw, Cbb, and the NIS2 Directive draws upon and interacts with a variety of existing standards, frameworks, and legal instruments.
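Review bot: the "Supply Chain" consideration in section 4 says the focus "extends beyond direct suppliers", which contradicts section 2 ("focusing on security aspects of relationships with direct suppliers") and the checklist in the previous file ("rechtstreekse leveranciers of dienstverleners"); reword it so both passages agree, for example that the measure targets direct suppliers and service providers, while the assessment of their practices includes their secure development procedures, as table C of the checklist states. Also, "EIC 62443" under "Others" should be "IEC 62443" (spelled correctly in the next file), and the ISO 27002 theme numbers in section 3 deserve a check against the 2022 edition: awareness and training is a People control (6.3) rather than Theme 8, and the risk assessment and treatment process sits in ISO 27001 clauses 6.1 and 8.2/8.3, not in Annex A, which is the control reference.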

View file

@ -0,0 +1,75 @@
#nis2
# Het Cyberfundamentals Framework
Het Centre for Cyber Security Belgium ([CBB](https://ccb.belgium.be/nl)) heeft NIS2 vertaald in het [Cyberfundamentals Framework](https://ccb.belgium.be/nl/cyberfundamentals-framework) .
Het Cyberfundamentals Framework is een reeks concrete maatregelen om:
* gegevens te beschermen,
* het risico op de meest voorkomende cyberaanvallen aanzienlijk te verminderen,
* de cyberweerbaarheid van een organisatie te vergroten. 
Het raamwerk is gebaseerd op en gekoppeld aan 4 veelgebruikte cyberbeveiligingsraamwerken: NIST CSF, ISO 27001 / ISO 27002, CIS Controls en IEC 62443.
## Vijf Kernfuncties
Het CCB Cyberfundamentals Framework is opgebouwd rond vijf kernfuncties: identificeren, beschermen, detecteren, reageren en herstellen. Deze functies helpen de communicatie rond cyberbeveiliging te bevorderen tussen zowel technische vakmensen als belanghebbenden, over organisatie- en sectorgrenzen heen. Ook helpt het om cybergerelateerde risico's te integreren met de algemene risicobeheerstrategie van de organisatie.
## Vier Zekerheidsniveaus
Het framework definieert 4 zekerheidsniveaus met oplopende requirements:
1. Small: voor micro-organisaties of organisaties met een beperkte technische kennis. “Hiermee kan een organisatie een eerste inschatting maken”. [PDF met Guidance](https://ccb.belgium.be/sites/default/files/cyberfundamentals/CYFUN_SMALL_NL_20230301.pdf)
2. Basis: standaardmaatregelen voor informatiebeveiliging voor alle ondernemingen. Bedoeld om 82% van de aanvallen te kunnen afdekken. [PDF met Guidance](https://ccb.belgium.be/sites/default/files/cyberfundamentals/CYFUN_BASIC_NL_20230301.pdf)
3. Belangrijk: risicobeperking voor gerichte, gebruikelijke cyberaanvallen. Bedoeld om 94% van de aanvallen te kunnen afdekken. [PDF met Guidance](https://ccb.belgium.be/sites/default/files/cyberfundamentals/CYFUN_IMPORTANT_NL_20230301.pdf)
4. Essentieel: risicobeperking voor gerichte, geavanceerde cyberaanvallen. Bedoeld om 100% van de aanvallen kunnen afdekken. [PDF met Guidance](https://ccb.belgium.be/sites/default/files/cyberfundamentals/CYFUN_ESSENTIAL_NL_20230301.pdf)
M.b.t. de zekerheidspercentages: voor succesvolle cyberaanvallen uit het verleden zijn de maatregelen bepaald, die de aanval hadden kunnen pareren.
## Bepalen van het juiste zekerheidsniveau (1-4)
De [CyFun Selection tool](https://ccb.belgium.be/sites/default/files/cyberfundamentals/BE-NIS2-RA-v2023-08-03.xlsx) geeft per sector een matrix, met de impactniveaus van 5 soorten aanvallen door 5 soorten bedreigende actoren (threat actors).
De categorieën van aanvallen zijn:
* Sabotage/verstoring (DDOS,...)
* Informatiediefstal (spionage,...)
* Misdaad (losgeldaanvallen)
* Hacktivisme (ondermijning, defacement,...)
* Desinformatie (politieke beïnvloeding)
Voor elk van de categorieën is de impact op nationaal, maatschappelijk of bedrijfsniveau bepaald. Er zijn drie niveaus van impact: Hoog, Medium en Laag. Deze niveaus zijn gekwalificeerd in het document [Beschrijving van impactniveaus](https://ccb.belgium.be/sites/default/files/cyberfundamentals/IMPACTNIVEAUS_v2023-07-10.pdf).
De categorieën bedreigende actoren zijn:
* Concurrenten
* Ideologen (Hacktivisten)
* Terroristen
* Cybercriminelen
* Actoren gesteund door naties
Voor elke categorie cyberaanvallen en voor elk type bedreigende actor is de waarschijnlijkheid bepaald (hoog, gemiddeld, laag) van dit type cyberaanval door dit type bedreigende actor.
Gebruik van de [CyFun Selection tool](https://ccb.belgium.be/sites/default/files/cyberfundamentals/BE-NIS2-RA-v2023-08-03.xlsx):
1. Kies de sector waarin uw organisatie actief is (tabblad)
2. Selecteer de toepasselijke organisatiegrootte
3. Rechtsonder ziet u het van toepassing zijnde zekerheidsniveau.
4. U kunt de standaard waarden voor Impact en Waarschijnlijkheid aanpassen aan de specifieke situatie van uw organisatie, maar als u afwijkt van de standaard moet u dat motiveren.
### Bepalen van de Volwassenheid van de organisatie t.o.v. het Zekerheidsniveau
Gebruik het [CyFun Self-Assessment tool](https://ccb.belgium.be/nl/cyfun-self-assessment-tool) "om zelfevaluatie voor te bereiden” dit bevat ook spider-diagrammen ter ondersteuning van managementrapportage.
* De tool geeft voor ieder van de vier Zekerheidsniveaus de **vereiste maatregelen** (tabblad Details).
* Voor iedere maatregel kun je op de aspecten documentatie en implementatie een **volwassenheidsniveau** ingeven van 1 tot 5. De volwassenheidsniveaus worden gekwalificeerd op het tabblad Maturity Levels.
* Sommige maatregelen zijn geïdentificeerd als Kernmaatregel (Key Measure). Deze maatregelen “vereisen bijzondere aandacht”, volgens de CCB Guidance documenten (zie onder [[/Vier Zekerheidsniveaus]])
- Op het van toepassing zijnde “Summary” tabblad kunnen vervolgens de volwassenheidsscores op verschillende categorieën van maatregelen worden afgelezen.
- De vereiste score verschilt per Zekerheidsniveau: Basis = 2,5 / Belangrijk en Essentieel = 3,0
Het eerste tabblad vermeldt:
> - Het framework kan vrijwillig of verplicht worden ingezet.
> - Bij vrijwillig gebruik wordt het gezien als een certificeringsschema voor implementatie van “the statutory mandate of the CCB (RD 10 Oct 2014, Art. 3 8°)”.
> - Voor verplicht gebruik van het certificeringsschema gelden de wetten en reguleringen die verplicht gebruik afdwingen.
> - De zelfevaluatie-rapportage (self-declaration) kan door een onafhankelijke derde partij (Conformity Assessment Body) geverifieerd worden en geldt dan als een certificering overeenkomstig de Conformity Assessment Scheme.
## Mapping op bekende security frameworks
De [CyberFundamentals Framework mapping](https://ccb.belgium.be/sites/default/files/cyberfundamentals/CyFun%20mapping%20Full_v20230825.xlsx) mapt de maatregelen uit het CyberFundamentals Framework op de maatregelen uit 5 bekende frameworks (ISO 27001:2022, ISO 27002:2022, CIS v8, IEC 62443-2-1:2010, IEC 62443-3-3:2013).
## Relevante links
- [NIS 2 in Vlaanderen](NIS%202%20in%20Vlaanderen.md)
- [CCB: Cyberfundamentals NL](https://ccb.belgium.be/nl/cyberfundamentals-framework)
- [Cert.be](https://www.cert.be/nl)
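Review bot: the same-note heading link in the Key Measure bullet, `[[/Vier Zekerheidsniveaus]]`, has a leading slash, which Obsidian resolves as a vault path rather than as the "Vier Zekerheidsniveaus" heading higher in this file; the heading form is `[[#Vier Zekerheidsniveaus]]`. Two smaller points: the level-4 line reads "om 100% van de aanvallen kunnen afdekken" and is missing "te" ("te kunnen afdekken"), and the self-assessment list switches from `*` bullets to `-` bullets at the "Summary" item, which some Markdown renderers split into two lists.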


@ -0,0 +1,5 @@
# NIS 2 Directive and ISO 27001:2022
Relevant articles of the NIS 2 are linked to clauses and controls of the ISO 27001:2022
![](../../📎%20Attachments/NIS_2_and_ISO_27001_2022.pdf)
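Review bot: the mapping is embedded without any source attribution, while the NIS2 index note credits this same attachment to Andrey Prozorov; add the author line here so the mapping is not mistaken for the vault owner's own work. The embed `![](../../📎%20Attachments/NIS_2_and_ISO_27001_2022.pdf)` also depends on a path two levels up, so it is worth confirming the Attachments folder still resolves from this note's new location after the restructure.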


@ -0,0 +1,19 @@
#nis2
[NIS 2 in Vlaanderen](NIS%202%20in%20Vlaanderen.md)
[NIS 2 Cyberfundamentals Framework](NIS%202%20Cyberfundamentals%20Framework.md) (Vlaanderen)
[NIS 2 voor Humankind](../../../🏭%20Clients/Humankind/NIS%202%20voor%20Humankind.md)
[NIS2 Explained](FortMesa%20NIS2%20Explained.md) for FortMesa webinar June 2025: "The State of EU Cyber Compliance: NIS2 Explained"
[NIS 2 maatregelen en ISO 27002/BIO](https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/mapping-nis2-maatregelen/) Digitale overheid
[PDF](../../📎%20Attachments/NIS_2_and_ISO_27001_2022.pdf): NIS 2 Directive and ISO 27001 Andrey Prozorov
[PDF](NIS2_EN.pdf): NIS 2 Original Text EN
[PDF](NIS2_NL.pdf): NIS 2 Brontekst
[NIS 2 Consultatie](NIS%202%20Consultatie.md)
[](Wetsvoorstel%20Cyberbeveiligingswet%20Cbw.pdf)
[Blogpost - NIS 2 en de Canvas Methode](../../../Canvas%20Method/Blogpost%20-%20NIS%202%20en%20de%20Canvas%20Methode.md)
[NIS 2 Checklist artikel 21](NIS%202%20Checklist%20artikel%2021.md)
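Review bot: the Cyberbeveiligingswet entry `[](Wetsvoorstel%20Cyberbeveiligingswet%20Cbw.pdf)` has empty link text, so it renders as an invisible link; give it a label in the style of the other PDF lines, for example `[PDF](Wetsvoorstel%20Cyberbeveiligingswet%20Cbw.pdf): Wetsvoorstel Cyberbeveiligingswet (Cbw)`. The PDF links also use two different base paths (`../../📎%20Attachments/...` for the ISO mapping, bare filenames for NIS2_EN.pdf and NIS2_NL.pdf), so confirm both sets still resolve after the move.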


@ -0,0 +1,96 @@
#nis2
# NIS2 in Vlaanderen
Bron: [CCB: Wat betekent het voor mijn organisatie?](https://ccb.belgium.be/nl/de-nis2-richtlijn-wat-betekent-dit-voor-mijn-organisatie)
## Toepassingsgebied
*Voor welke organisaties geldt de richtlijn?*
- Grote of middelgrote ondernemingen in genoemde sectoren: meer dan 50 werknemers of meer dan 10 miljoen euro jaarlijkse omzet
- Onderscheid tussen "essentiële" en "belangrijke" entiteiten, o.b.v. de omvang en het type van de organisatie. Essentiële entiteiten zullen strenger gecontroleerd en gesanctioneerd worden dan belangrijke entiteiten.
- **Essentiële entiteiten** zijn grote ondernemingen die deel uitmaken van de zeer kritieke sectoren (zie bijlage I van de richtlijn). Een grote entiteit wordt gedefinieerd als: ondernemingen met ten minste 250 werknemers OF met een jaaromzet van ten minste 50 miljoen euro OF een jaarlijks balanstotaal van ten minste 43 miljoen euro.
- **Belangrijke entiteiten** zijn middelgrote ondernemingen die actief zijn in de zeer kritieke sectoren (zie bijlage I van de richtlijn), OF grote of middelgrote ondernemingen in de sectoren van bijlage II van de richtlijn die niet in de categorie essentiële entiteiten vallen (vanwege hun omvang of het type van de betrokken entiteit). Een middelgrote onderneming wordt gedefinieerd als: ten minste 50 werknemers OF met een jaaromzet (of balanstotaal) van ten minste 10 miljoen euro, maar dus met minder dan 250 werknemers EN niet meer dan 50 miljoen euro omzet of 43 euro balanstotaal.
- Daaronder zijn het kleine en micro-ondernemingen, deze vallen buiten het toepassingsgebied (op specifieke uitzonderingen na): Minder dan 50 werknemers EN
een jaaromzet van minder dan EUR 10 miljoen EN minder dan EUR 10 miljoen jaarlijks balanstotaal.
- Uitzonderingen zijn organisaties die als **kritiek** worden aangemerkt, op basis van de sectoren waarin ze werkzaam zijn[^kritiek].
- Nationale autoriteiten kunnen specifieke entiteiten aanmerken als "kritiek" of "belangrijk", bijvoorbeeld wanneer zij de enige dienstverlener zijn of wanneer een verstoring van de dienstverlening aanzienlijke gevolgen zou kunnen hebben voor de openbare veiligheid, de openbare veiligheid of de volksgezondheid.
- *Voor details zie de artikelen 2, 3 en 4 van de richtlijn.*
[^kritiek]: zie bijlagen I en II van de richtlijn
## Jurisdictie en territorialiteit
- De Belgische wet tot omzetting van de NIS2-richtlijn zal in principe van toepassing zijn op entiteiten die in België gevestigd zijn. Waarbij vestiging inhoudt: “de daadwerkelijke uitoefening van de activiteit in door middel van stabiele regelingen” bijv. via een filiaal, of een dochteronderneming.
- Uitzonderingen:
- aanbieders van openbare communicatie-netwerken of -diensten vallen onder de jurisdictie van de lidstaat waar zij hun diensten aanbieden;
* DNS-aanbieders, aanbieders van domeinnaamregistratiediensten, cloud computing-diensten, datacenterdiensten, netwerken voor de levering van inhoud, beheerde diensten, beheerde beveiligingsdiensten, onlinemarktplaatsen, zoekmachines en sociale netwerkdiensten vallen onder de jurisdictie van de lidstaat waar zij hun hoofdvestiging in de EU hebben.
* overheidsinstanties vallen onder de jurisdictie van de lidstaat die hen heeft opgericht.
- *Voor details zie de artikelen 26-27 van de richtlijn.*
## Maatregelen (zorgplicht)
Essentiële en belangrijke entiteiten, die onder het toepassingsgebied vallen, moeten “passende en evenredige maatregelen” nemen om de risicos voor de beveiliging van hun netwerk- en informatiesystemen, te beheren en om incidenten te voorkomen of de gevolgen van incidenten voor de afnemers van hun diensten en voor andere diensten te beperken *(Zie hiervoor vooral art. 20-25)*. 
Deze maatregelen omvatten ten minste: 
* beleid inzake risicoanalyse en beveiliging van informatiesystemen;
* incidentenbehandeling;
* bedrijfscontinuïteit, zoals back-upbeheer en noodvoorzieningenplannen, en crisisbeheer;
* de beveiliging van de toeleveringsketen, met inbegrip van beveiligingsgerelateerde aspecten met betrekking tot de relaties tussen elke entiteit en haar rechtstreekse leveranciers of dienstverlener beveiliging bij het verwerven, ontwikkelen en onderhouden van netwerk- en informatiesystemen, met inbegrip van de respons op en bekendmaking van kwetsbaarheden;
* beleid en procedures om de effectiviteit van maatregelen voor het beheer van cyberbeveiligingsrisicos te beoordelen;
* basispraktijken op het gebied van cyberhygiëne en opleiding op het gebied van cyberbeveiliging;
* beleid en procedures inzake het gebruik van cryptografie en, in voorkomend geval, encryptie;
* beveiligingsaspecten ten aanzien van personeel, toegangsbeleid en beheer van activa;
* wanneer gepast, het gebruik van multifactor authenticatie of continue authenticatieoplossingen, beveiligde spraak-, video- en tekstcommunicatie en beveiligde noodcommunicatiesystemen binnen de entiteit. 
- *Voor details zie de artikelen 20-25 van de richtlijn.*
### Verantwoordelijkheden van de bestuursorganen of leidinggevenden
- Het bestuur moet de maatregelen goedkeuren en toezien op de uitvoering. Ze kan aansprakelijk worden gesteld voor eventuele inbreuken. 
- Bestuursleden moeten een cyberbeveiligingsopleiding volgen, zodat ze begrijpen welke maatregelen ze goedkeuren, en hun werknemers regelmatig een soortgelijke opleiding aanbieden.
- Managers moeten voldoende kennis en vaardigheden verwerven om risico's te identificeren voor hun organisatie en om de cyberveiligheidsmaatregelen en de *gevolgen ervan voor hun organisatie te kunnen beoordelen*. 
## Rapportageverplichtingen en meldplicht
*Zie ook [[Cyberfundamentals Framework BE-NL]].*
Essentiële en belangrijke entiteiten moeten elk *belangrijk* incident onverwijld melden bij het CCB (de nationale CSIRT).
Elk incident dat ernstige gevolgen heeft voor de dienstverlening in de in de bijlagen I en II van de richtlijn opgenomen sectoren of sub sectoren, moet onmiddellijk gemeld worden.
Kenmerken van een ernstig incident:
- Kan een ernstige operationele verstoring geven, of financiële verliezen veroorzaken, van de diensten in (sub)sectoren uit bijlagen I en II van de richtlijn
- aanzienlijke materiële, fysieke of immateriële schade veroorzaken aan andere natuurlijke of rechtspersonen. 
### Melding
De melding moet uit verschillende stappen bestaan:
* vroegtijdige waarschuwing (ten laatste binnen de 24 uur nadat men kennis heeft gekregen van het incident), met minimale info, o.a. of het incident zich kan verspreiden naar andere sectoren of naar het buitenland, en of kwaadaardig opzet vermoed wordt ;
* een volledige incidentmelding (ten laatste binnen de 72 uur nadat men kennis heeft gekregen van het incident)
* eventueel een tussentijds verslag of een voortgangsverslag (op vraag van het nationale CSIRT).
* Een eindverslag (één maand na de indiening van de incidentmelding). Indien het incident nog niet is afgerond na 1 maand, dan wordt een tussentijds verslag verwacht na 1 maand, en een finaal verslag eenmaal het incident is afgerond.
Waar toepasselijk moet een entiteit ook hun klanten onverwijld in kennis stellen van significante incidenten die hun dienstverlening kunnen schaden. 
Naast de rapportageverplichting kunnen verslagen op vrijwillige basis worden ingediend door: 
* essentiële en belangrijke entiteiten over (niet significante) incidenten, cyberdreigingen en voorkomen incidenten;
* andere entiteiten dan essentiële en belangrijke entiteiten, ongeacht of ze onder het toepassingsgebied van de richtlijn vallen.
*Voor meer details over rapportageverplichtingen zie o.a. artikelen 23 en 30 van de richtlijn.*
## Toezicht en Sancties
- Lidstaten (cq. De bevoegde nationale autoriteiten) houden het toezicht op de uitvoering van de NIS2
- Hiervoor kunnen zij bijvoorbeeld regelmatige externe audits, inspecties uitvoeren of bepaalde documentatie opvragen.
- hebben de bevoegdheid om maatregelen te nemen als waarschuwingen of bindende instructies, of het informeren van de klanten van de organisatie. Ook kunnen doeltreffende, evenredige en afschrikkende administratieve boetes worden opgelegd.
Inbreuken op het gebied van risicobeheersmaatregelen of incidentmeldingen kunnen worden bestraft: 
* voor essentiële entiteiten: boetes tot maximum 10 miljoen euro of ten minste 2 % van de totale wereldwijde jaaromzet, afhankelijk van welk bedrag hoger is.
* voor belangrijke entiteiten: boetes tot maximum 7 miljoen euro of ten minste 1,4 % van de totale wereldwijde jaaromzet, afhankelijk van welk bedrag hoger is. 
* Lidstaten kunnen in de omzettingskwet bepalen dat overheidsinstanties hiervan uitgesloten zijn. De andere sancties gelden wel.
Lidstaten kunnen dwangsommen opleggen om een essentiële of belangrijke entiteit te dwingen een inbreuk op de richtlijn te staken.
Natuurlijke personen die essentiële entiteiten vertegenwoordigen kunnen aansprakelijk worden gesteld om top management te sensibiliseren.
*Voor alle details over sancties, zie artikelen 31-37 van de richtlijn.* 
## Voorwaarts
* België zal uiterlijk op 17 oktober 2024 nieuwe bepalingen moeten aannemen.
* Nieuwe verplichtingen treden aan het eind van de omzettingstermijn in werking (oktober 2024).
Zie ook: [NIS 2 Cyberfundamentals Framework](NIS%202%20Cyberfundamentals%20Framework.md)
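Review bot: in the "Belangrijke entiteiten" bullet the balance-sheet ceiling reads "43 euro balanstotaal"; it should be "43 miljoen euro", matching the large-entity definition in the bullet above it. Three further points: the "Nationale autoriteiten" bullet lists "de openbare veiligheid" twice where the directive names three distinct interests, so one of the two should be the directive's other term; the fine bullets read "tot maximum 10 miljoen euro of ten minste 2 %", but the directive sets a maximum of at least both the amount and the percentage, so the two halves should use the same wording; and "omzettingskwet" in the sanctions list should read "omzettingswet". Also, the "Zie ook [[Cyberfundamentals Framework BE-NL]]" link under Rapportageverplichtingen uses a note name that differs from "NIS 2 Cyberfundamentals Framework.md" linked at the bottom of this file, so it may be a dangling link after the restructure.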

Binary file not shown.

Binary file not shown.


@ -0,0 +1,9 @@
{
"creatorIdentifier" : "net.ia.presenter",
"net.ia.presenter" : {
"localFileIdentifier" : "9BE84C99-DBD3-4561-AE79-43414210ED35"
},
"transient" : false,
"type" : "net.daringfireball.markdown",
"version" : 2
}
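Review bot: this is an iA Presenter sidecar file (creatorIdentifier `net.ia.presenter`) holding only a local file identifier, not note content; a second copy with a different identifier appears earlier in this commit, which suggests these are generated per document and will keep changing. Consider adding the pattern to .gitignore rather than versioning them in the vault.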


@ -0,0 +1,293 @@
#nis2
# FAST LOVE
#### iA Presenter in three minutes
As you can see, regular text paragraphs are *not* visible to your audience. This is by design. Body text is your script. Only you can see it. As you can see later, it will be present in the teleprompter when you present.
---
Easy
## Dont stuff your slides with text
Putting a lot of text on a slide and reading it out to the audience is the #1 presentation killer. Don't do it. Use headlines or headlines with kickers instead. (Kickers are smaller text above a headline, in this case the word "Easy").
---
### ⇥ means “tab”
Write tabs in front of regular text to have it show on the slide
Headlines are shown by default. If you want to display body text on the slide, put a tab in front of the text. You can also use tabs before body text or other headings to create kickers.
---
You can write walls of text. **But no one will pay attention.** You can also read that text-heavy slide word by word. **But no one will listen.** Your audience will read your slide instead, faster than you can speak. And then zone out, bored until you finish saying what they already read.
But no rule without exception! If you want to discuss a paragraph of Shakespeare in literature class, add a tab (⇥) in front of it.
Use text as your script and choose visible elements carefully. Remember: less is more.
Here's another bad habit:
---
### Bullet lists
- Increase cognitive load
- Look and feel robotic
- Are distracting
- Bore the hell out of everyone
- Make you predictable
- Sound and look like notes
- Should be notes
These should be reading notes. Bullet list slides look like a lot of work for your audience. It's the fastest way to sabotage your presentation. They're an open invitation to your audience to finish your sentences.
---
Write it, cut it, paste it
## Focus on the story
To make people listen to you, you need a good story. Stories connect. A good story has the power to make people look at the world through your eyes. The door to make them look through your eyes will not get unlocked with stock images, graphs, and bullet lists, but with your voice.
You need beginning-middle-end. Your presentation's visuals should help you get attention, make your point, and keep people oriented. With iA Presenter, you dont *design* your presentation, you *write* it.
---
https://ia.net/presenter-assets/inspector.png
x: left
y: top
### Use the Text Inspector to format.
To write a headline, you add a hash in front of it. To add an image, you drag it into the Editor. Writing bold, you use **two** asterisks. To write a list, just add a hyphen or a number with a dot. This is called Markdown.
If you play with Markdown for a couple of minutes, youll only need help for more difficult matters. Adding a link, footnote, or table requires more skills. To promote familiarity with advanced Markdown, we have added a formatting inspector.
---
Keep em separated
## Discern what you say and what you show
In common presentations, the script is called “notes.” They are squeezed in at the bottom of the page. Theyre an afterthought. With iA Presenter, your story is the very essence of every presentation. That doesn't mean that every presentation needs to be a TED talk. But every time you speak, you need to have something to say.
Usually, what you want to say already exists in some form. You can paste an existing text, and you are 50% done. All you need are page breaks and visuals. The story-centered text-first approach is what makes iA Presenter so much faster than graphic presentation tools.
To create a page break, you simply add three hyphens like this:
---
## ---
Type three dashes to create a page break
---
Sound and vision
## How to add images
And how do you add media files, like an image? Just drag and drop.
---
Delete the image below and drag a new one right below here:
/theme/image1.jpg
You can use regular Markdown or the simpler Content Block syntax: /yourfilename.jpg. Or you can use an image from the web. Simply paste the URL of an image from your browser.
---
https://ia.net/presenter-assets/image-inspector.png "Source: iA.net"
x: left
y: top
You can align images top, left, and bottom, or put them in the background. Just click on the little arrow next to the image for image positioning controls.
You cannot position them statically like on a typical PPT slide or a piece of paper. The design will adapt to different screen sizes, so image positioning is relative (align left, top, center...). Letting go of the static design needs some time, but once you've experienced the power of a responsive presentation on a phone, you don't want to go back to the old PPT-pinch-and-zoom ways.
### Use the image inspector on the right to see and manage all your used and unused images and movies.
Note: Write your caption text in quotes after the image path (Like this: /yourfilename.jpg "Caption or source") to add a caption or the image source. In this case, we added "Source: iA.net"
---
Let it go
## Auto layout!
You add your text and images, and Presenter picks the right layout for you.
---
/Theme/image1.jpg
/Theme/image2.jpg
Layouts are picked automatically depending on what type of visual elements you add.
---
/Theme/image1.jpg
/Theme/image2.jpg
/Theme/image3.jpg
Do not try to get it pixel-perfect! Layouts are responsive. They adapt to screen size. So, no more pinching on the phone, no more pixel-pushing because youre presenting on a different monitor. Up to three pictures are full bleed. More than three elements are shown in a mosaic.
---
### This is an H3 title
/Theme/image1.jpg
/Theme/image2.jpg
/Theme/image3.jpg
/Theme/image4.jpg
/Theme/image5.jpg
/Theme/image6.jpg
Please note: **You need a line break in between each element.** If you leave out the line break, two elements will share the same cell. It's hard to describe. Just play with the line breaks to see how it works.
---
https://ia.net/presenter-assets/responsive-design-text.png
#### “But I *need* a certain design for my slides!”
You certainly do. But you don't work in a certain medium. If you design a static slide, your layout will break on a tablet, a phone, or a wide screen.
iA Presenter adapts your slides to different devices. So no more static layouts! It takes time to get used to it. But layouts do not matter as much as PowerPoint wants you to believe. What matters is that you have a great story. And that people can enjoy your story wherever with whatever design ever. Welcome to the multi-screen future. Goodbye to static design.
---
https://ia.net/presenter-assets/responsive-design-pictures.png
#### Let it go...
In iA Presenter, the layout adapts to wide screens, different overhead projector ratios, Zoom windows, tablets, phones, watches, and toasters. No more static templates.
---
https://ia.net/presenter-assets/responsive-design-text-cclumn.png
#### Let it go...
Multi-column layouts inevitably break on mobile phones. We have gotten used to websites adjusting to our devices. It's time to do the same for presentations. No more pinching and smudging around on the phone.
---
Shes a rainbow
## About that funky multi-color code
We use color to give you an additional hint on where you are inside a presentation. The cursor changes color, too!
**Blue** is a cold start
**Purple** is to warm up
**Red** is when things get heated
**Orange** prepares you for a sweet end
**Gold** is the afterglow
You are not forced to use these colors. We encourage you to deal with the design at the end of your process. You can change the design by picking different themes. Within a theme, you can edit colors, fonts, header, footer, and logo.
---
https://ia.net/presenter-assets/basel.png
y: top
https://ia.net/presenter-assets/sf.png
y: top
https://ia.net/presenter-assets/tokyo.png
y: top
https://ia.net/presenter-assets/paris.png
y: top
https://ia.net/presenter-assets/milano.png
y: top
https://ia.net/presenter-assets/copenhagen.png
y: top
You can create your own very special theme. You can make a theme for your company, and then everyone's presentation will be spot-on CI. But youll need some CSS skills. If you get a bunch of licenses, we'll help you.
---
Too funky for you?
## Changing fonts and colors
Click on the inspector buttons in the title bar. The Design Tab lets you change fonts, colors, headers, and more.
---
https://ia.net/presenter-assets/style.png
y: top
### Our templates are colorful, typographic, and they work on every device.
---
Under pressure
## How do I present?
Press play in the title bar top right to enter presentation mode. You have two windows: A teleprompter for you and the visuals for the audience.
---
### Teleprompter: What you see
https://ia.net/presenter-assets/teleprompter.png
size: contain
### Visualizer: What they see
https://ia.net/presenter-assets/visualizer.png
size: contain
We purposely do not go full screen right away. This allows you to work with the editor/teleprompter and presentation window on one screen. Why?
- So you can prepare and rehearse your presentation on one screen.
- Most presentations these days are done via video chat on a single-screen device.
- Managing windows and making them fullscreen is easy and pleasant. Auto-fullscreen is unsettling and hard to manage.
---
Back in Black
## Create a document handout
What do I do after the presentation is done? You can send a PDF to your audience, with or without a script.
---
https://ia.net/presenter-assets/presentation.png
size: contain
https://ia.net/presenter-assets/handout.png
size: contain
You can also export your presentation as an easily readable regular text document.
---
Faster Love
## Use existing text
If you have a structured Markdown text with images, all you need to do to create a presentation is paste the Markdown and add page breaks.
You can also just open your existing Markdown file. iA Presenter will ask you if you want to convert it to slides, and your speech will be almost ready:
---
https://ia.net/presenter-assets/add-media.png
size: contain
To add an image from the web, just paste the URL into the editor. You can do that with YouTube videos, too.
---
It's like a jungle!
## Okay, but this is way too much default text!
Youre right. Now that you know how it works, you can edit the default text under Preferences > General
---
https://ia.net/presenter-assets/preferences.png
size: contain
y: top
There are more settings there. Check out the Help section for the 999 features we already have before asking for more.
---
Goosebumps
## Now go and make nice things
And send us your presentations. We love to see what you do with it.
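Review bot: the "FAST LOVE" document is iA Presenter's built-in tutorial text (it says so itself near the end: "this is way too much default text ... you can edit the default text under Preferences > General"), yet it is tagged #nis2 on its first line and contains nothing about NIS2, so it looks like it was committed by accident alongside the presentation. Either drop the file or remove the tag so it does not surface in #nis2 tag searches.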

Binary file not shown.
