
AI-generated reading guide for an information security consultant.

Drawing on the following sources:

  • Beleidskompas Cyberbeveiligingsbesluit.pdf
  • Concept ministeriële regeling uitwerking zorgplicht.pdf (consultatieversie)
  • Cyberbeveiligingsbesluit - amvb - consultatieversie.pdf
  • Cyberbeveiligingsbesluit nota van toelichting - consultatieversie.pdf
  • NIS2_NL.pdf

Designed to connect the duty of care ('zorgplicht') requirements stemming from the NIS2 Directive, as implemented in the Dutch Cyberbeveiligingswet (Cbw), to existing security frameworks, particularly ISO 27001 and ISO 27002.


Reading Guide: Connecting NIS2 Zorgplicht (NL) to ISO 27001/27002

This guide is designed for information security consultants working with entities that may fall under the scope of the Dutch implementation of the NIS2 Directive. It explains the key legal documents and how their requirements, specifically regarding the 'zorgplicht' (duty of care), align with established information security management frameworks like ISO 27001 and ISO 27002.

1. The Document Landscape: Understanding the Hierarchy

To understand the Dutch implementation of the NIS2 Directive and its requirements, it is essential to see how the different documents relate to each other:

  • The NIS2 Directive (Richtlijn (EU) 2022/2555): This is the foundational European Union directive. Its primary goal is to achieve a high common level of cybersecurity across the Union and improve the functioning of the internal market by addressing inconsistencies in previous national implementations (like under NIS1). It sets minimum requirements for cybersecurity risk management and reporting obligations for covered entities.
  • The Cyberbeveiligingswet (Cbw): This is the Dutch national law that implements the NIS2 Directive in the Netherlands. It lays down the fundamental obligations, including the 'zorgplicht' (duty of care) for essential and important entities. The Cbw is mentioned as the basis for subsequent legal texts.
  • The Cyberbeveiligingsbesluit (Cbb): This is a lower-level regulation ('Algemene Maatregel van Bestuur' - AMvB) that elaborates on the Cyberbeveiligingswet. It details specific requirements stemming from the Cbw, such as further defining the measures entities must take under the duty of care (articles 6 to 18 Cbb elaborate article 21 Cbw), designating the national CSIRT and vulnerability coordinator, setting rules for incident reporting and criteria for significant incidents (though criteria details are delegated), requiring registration in a national register, detailing board training requirements, and outlining supervision and enforcement powers. It also amends other Dutch laws to integrate the NIS2 requirements.
  • The Concept Ministeriële Regeling uitwerking zorgplicht: This is a draft ministerial regulation ('Ministeriële Regeling') that provides a further, more detailed elaboration of specific aspects of the duty of care as outlined in the Cyberbeveiligingsbesluit (specifically Chapter 4 of the draft Cbb). This level of regulation allows for sector-specific variations if needed. This document includes detailed requirements for policies, risk management procedures, business continuity plans, supply chain agreements, security in acquisition/development/maintenance, personnel security, access policies, and asset management.
  • Explanatory Memoranda (Nota van Toelichting): These documents accompany the Cbb and the draft ministerial regulation. They provide context, justification, and article-by-article explanations for the legal text. They clarify the intent behind specific requirements and how they relate to the NIS2 Directive and existing practices, including mentioning relevant standards.

In summary: The NIS2 Directive sets the overall European framework. The Cyberbeveiligingswet translates this into Dutch law. The Cyberbeveiligingsbesluit provides general implementing rules, and the Ministeriële Regeling (like the concept version provided) adds further detail, potentially with sector-specific nuances, to the duty of care obligations. The Explanatory Memoranda clarify the reasoning and specifics of the Cbb and the Ministerial Regulation.

2. The Duty of Care (Zorgplicht)

A central obligation for essential and important entities under the Cbw (implementing NIS2 Article 21) is the 'zorgplicht' (duty of care). This requires entities to implement appropriate and proportionate technical, operational, and organizational measures to manage risks to the security of their network and information systems and to prevent or minimize the impact of incidents.

These measures must ensure a security level of network and information systems proportionate to the risks, taking into account the state of the art, relevant standards, and implementation costs. The proportionality assessment should consider the entity's risk exposure, size, and the potential severity of incidents, including societal and economic consequences. The approach must cover all hazards.

The Cbw (Article 21(3)) and Cbb (Articles 6-18) outline the minimum required measures. These include, but are not limited to:

  • Policy on risk analysis and security of information systems.
  • Incident handling.
  • Business continuity, including backup management, disaster recovery plans, and crisis management.
  • Supply chain security, focusing on security aspects of relationships with direct suppliers.
  • Security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure.
  • Policy and procedures to assess the effectiveness of cybersecurity risk management measures.
  • Basic cyber hygiene practices and cybersecurity training.
  • Policy and procedures on the use of cryptography and encryption.
  • Security aspects concerning personnel, access policy, and asset management.
  • Where appropriate, the use of multi-factor authentication, secure communications, and secure emergency communication systems.

The draft Ministerial Regulation further details many of these requirements. For example, it specifies procedures for risk management (including defining risk criteria, identifying risks and owners, analyzing, evaluating, and treating risks) and the required contents of a business continuity plan and backup procedures (including RTO/RPO, integrity/confidentiality/availability safeguards, testing).

Entities must have documented policies for many of these areas (e.g., network and information system security, risk management, incident handling, supply chain security, cryptography, personnel security, access policy, asset management). These policies must be demonstrably applied.

Furthermore, the management body (board) of essential and important entities must approve the risk management measures and oversee their implementation, and can be held liable for breaches. Members of the management body are required to receive training to gain sufficient knowledge and skills to assess risks, risk management practices, and their impact.

3. Connecting to Existing Security Frameworks: ISO 27001 & ISO 27002

The NIS2 Directive and its Dutch implementation in the Cbw, Cbb, and subsequent Ministerial Regulations set forth a comprehensive set of requirements for managing cybersecurity risks. While they do not mandate a specific framework, the requirements align closely with the principles and controls found in widely recognized standards like ISO/IEC 27001 (Information security management systems - Requirements) and ISO/IEC 27002 (Information security controls).

Several points in the sources explicitly support this connection:

  • The explanatory memorandum for the Cbb states that an Information Security Management System (ISMS), such as the ISO 27000-series, can be used as a management system framework to demonstrate compliance with the duty of care requirements.
  • In the context of asset management, the explanatory memorandum for the draft Ministerial Regulation notes that the concept of "information and other related business assets" and classifying assets based on the impact on confidentiality, integrity, and availability is standard in ISO 27002.
  • Feedback from the SME panel, as reported in the Cbb explanatory memorandum, suggested using the ISO 27001 standard as a "kapstok" (framework) because many SMEs are already familiar with it. This highlights that industry stakeholders see ISO 27001 as a relevant approach to meeting the requirements.
  • The NIS2 Directive itself encourages the use of European and international standards and technical specifications relevant to network and information systems security. It mentions the ISO/IEC 27000 series in relation to the physical and environmental security aspects of the "all hazards" approach for risk management.

How ISO 27001/27002 can help meet NIS2/Cbw/Cbb requirements:

  • ISO 27001 provides a structured framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS. Implementing an ISMS based on ISO 27001 can help entities meet the requirement for a management system for the security of their network and information systems, enabling demonstrable compliance. The risk assessment and treatment process central to ISO 27001 directly supports the NIS2/Cbw/Cbb requirements for risk management policy and procedures.
  • ISO 27002 provides detailed guidance on information security controls. The control areas in ISO 27002 correspond closely to the mandatory measures listed under the NIS2/Cbw/Cbb duty of care. For example:
    • Risk Management (ISO 27001 Annex A, ISO 27002 Theme 5): Directly supports the comprehensive risk management requirements.
    • Incident Management (ISO 27002 Theme 5): Corresponds to the incident handling requirements.
    • Business Continuity (ISO 27002 Theme 5): Aligns with the requirements for business continuity planning, backups, and crisis management.
    • Supply Chain Security (ISO 27002 Theme 5): Addresses the requirements for managing security risks with suppliers and service providers.
    • Acquisition, Development, and Maintenance (ISO 27002 Theme 8): Covers security requirements in system lifecycles, vulnerability management, and patching.
    • Effectiveness Assessment (ISO 27001 Clause 9, ISO 27002 Theme 5): Supports the requirement to assess the effectiveness of risk management measures.
    • Cyber Hygiene and Training (ISO 27002 Theme 8): Aligns with requirements for basic practices and personnel training/awareness.
    • Cryptography (ISO 27002 Theme 8): Addresses the policy requirements for using cryptography.
    • Personnel Security (ISO 27002 Theme 6): Covers requirements for assigning roles, responsibilities, and reliability checks.
    • Access Control (ISO 27002 Theme 8): Addresses policies and procedures for logical and physical access.
    • Asset Management (ISO 27002 Theme 5): Supports the requirements for identifying, classifying, and managing assets.

Using ISO 27001 as the framework and ISO 27002 for implementing controls can provide a structured and internationally recognized approach to meet the comprehensive duty of care requirements defined by the NIS2 Directive, the Cbw, the Cbb, and the detailed Ministerial Regulations. This approach can also help entities to demonstrably apply their security policies, as required.

4. Key Considerations for Consultants

  • Scope: Be aware of which entities are covered (essential, important, certain smaller entities). Note exclusions (e.g., certain government activities) and entities covered by EU Regulation 2024/2690 (for which Cbb articles 6-16 and 24 do not apply).
  • Risk-Based Approach & Proportionality: The legal framework explicitly mandates a risk-based approach and proportionality. Tailor security measures and ISMS implementation to the specific risks, size, and impact of the entity. The definition of risk criteria and risk acceptance is a key procedural requirement.
  • Documentation: Emphasize the requirement for written and demonstrable policies and procedures for various security aspects. An ISMS helps manage this documentation.
  • Governance & Training: Note the specific requirement for board approval and oversight of risk management measures, and the mandatory training for board members. This is a distinct requirement that needs to be addressed.
  • Incident Reporting: Understand the multi-stage reporting obligations for significant incidents. Voluntary reporting is also encouraged.
  • Supply Chain: The focus extends beyond direct suppliers, and entities must assess supplier security practices. The SME panel highlighted challenges for smaller suppliers.
  • Asset Management: The requirement for a complete and current inventory, including classification based on impact (CIA), is explicitly detailed and linked to ISO 27002 and business continuity.
  • Supervision & Enforcement: Be aware of the differentiated supervision regimes for essential (proactive and reactive) and important (reactive only) entities, and the potential enforcement measures, including administrative fines and, for essential entities in case of persistent non-compliance, temporary service suspensions or management prohibitions.
  • SME Support: Recognize the challenges for smaller entities (awareness, costs, complexity). Advise them on seeking government support (guides, tools, templates). Advocate for clear, proportional, and goal-oriented requirements where possible.
  • Interoperability and Standards: The legal framework encourages alignment with European and international standards. This reinforces the utility of using standards like ISO 27001/27002.

By using this guide and delving into the specifics of each document, a consultant can effectively navigate the Dutch NIS2 landscape, translate legal requirements into practical security measures, and leverage existing frameworks like ISO 27001/27002 to support their clients in achieving compliance and enhancing their digital resilience.

Literal references to standards and frameworks

ISO 27k family

The sources contain literal references to standards within the ISO 27000 series, including specific mentions of ISO 27001 and ISO 27002.

Here are the details from the sources:

  1. ISO 27000 series as an example of a management system:

    • The explanatory memorandum mentions that the Cyberbeveiligingsbesluit (Cbb) elaborates on the duty of care requirements for essential and important entities outlined in Article 21 of the Cyberbeveiligingswet (Cbw). Article 6, paragraph 4, of the Cbb requires entities to use a management system for the security of their network and information systems to demonstrate compliance. The purpose of this system is to make network and information security risks understandable, take measures to manage them, and adjust them as needed to reduce risks to an acceptable level in a structured manner. Examples of such a management system include an Information Security Management System (ISMS) such as the ISO 27000 series.
  2. ISO 27002 in the context of asset management:

    • The concept ministerial regulation detailing the duty of care mentions asset management, based on Article 16 of the Cbb. To determine security risks, essential and important entities need to know which network and information systems they possess and how these relate to their activities and services. In ISO 27002, this is referred to as 'information and other related assets', where assets are defined as anything of value to the business, excluding personnel and financial means, but potentially including specific licenses.
    • For proper protection of these assets, an up-to-date inventory is necessary, which must include a classification of assets based on security requirements. Customarily, this classification is based on the impact on business operations, which is the standard in ISO 27002, among other frameworks. The inventory should also indicate which processes the asset is used for, linking it to the business continuity plan, as the classification and impact of asset failure should be considered in that plan.
  3. SME panel suggestion regarding ISO 27001:

    • In the explanatory memorandum, feedback from a panel of SME entrepreneurs on the draft regulation is discussed. Regarding the duty of care, the panel found the requirement to take specific measures for network and information system security reasonable but questioned its feasibility and affordability for SMEs. The panel members suggested using the ISO 27001 standard as a framework ("kapstok") because many SMEs are already familiar with this standard framework ("normenkader"). They advocated for clear and proportionate requirements and for tailored approaches ("maatwerk").

These references indicate that standards like ISO 27001 and ISO 27002 are seen as relevant frameworks or examples for implementing the cyber resilience measures required by the Cyberbeveiligingswet and its underlying regulations.

Others

In addition to the literal references to ISO 27001 and ISO 27002 discussed above, the sources also contain literal references to several other standards, frameworks, protocols, and EU legal acts that are relevant in the context of the Cyberbeveiligingswet (Cbw) and its underlying regulations, particularly the Cyberbeveiligingsbesluit (Cbb) and the concept ministerial regulation.

Here are some examples from the sources:

  • ISO 27000 series: Mentioned generally as an example of an Information Security Management System (ISMS) that essential and important entities can use to demonstrate compliance with the duty of care requirements. Physical and environmental security measures as part of cybersecurity risk management should be in accordance with European and international standards such as those in the ISO/IEC 27000 series.
  • IEC 62443: Mentioned as another example of a management system, specifically a Cyber Security Management System (CSMS), alongside the ISO 27000 series.
  • ISO/IEC 17788:2014: This standard is mentioned in the context of defining terms like "service and deployment models" for cloud computing.
  • ISO/IEC 30111 and ISO/IEC 29147: These international standards are referenced as providing guidelines for vulnerability response and disclosure.
  • European and international standards: General encouragement is given for entities to use relevant European and international standards and technical specifications for managing cybersecurity risks, and knowledge of these is required for qualified trainers. The Commission aims to follow these standards when preparing implementing acts.
  • Technical specifications: Mentioned alongside standards as relevant for cybersecurity risk management, and ENISA provides advice on these.
  • European cybersecurity certification schemes: Member states may require or encourage entities to use ICT products, services, or processes certified under these schemes, established under Verordening (EU) 2019/881 (the Cybersecurity Act).
  • Qualified trust services: Essential and important entities are encouraged to use these services, which are defined in Verordening (EU) nr. 910/2014 (eIDAS Regulation).
  • Zero trust principles: Listed as one of the basic practices in cyber hygiene that essential and important entities should apply. It can also be used as a starting point for the design and development of software, hardware, and services.
  • Security by design / security by default: Mentioned as principles that can be used as starting points for the development and implementation of software, hardware, and services, and their use for encryption is promoted.
  • Traffic light protocol (TLP): Referenced as an informal information sharing agreement used by CSIRTs and information sharing centers. It is explicitly mentioned as a relevant information sharing protocol for CSIRTs collaborating with third countries.
  • Plan-Do-Check-Act (PDCA) cycle: This iterative management method is mentioned as the basis for the management system for network and information system security.
  • Need-to-know principle, Least privilege principle, and Separation of duties: These principles are mentioned as considerations for assigning and using special access rights within an access policy.
  • Recovery time objective (RTO) and Recovery point objective (RPO): These English terms are provided as equivalents for "hersteltijden" and "herstelpunten" in the context of backup plans.
  • NACE Rev. 2: This classification of economic activities is used in Annex II of the NIS2 Directive to specify certain manufacturing sub-sectors that fall under its scope.
  • Other EU Legal Acts: Numerous other EU Regulations and Directives are referenced, particularly in the NIS2 Directive source, as they define the types of entities covered, establish related requirements, or interact with the NIS2 framework. Examples include:
    • Richtlijn (EU) 2022/2555 (the NIS2 Directive itself): The primary source, which is implemented by the Cbw and Cbb.
    • Verordening (EU) 2022/2554 (DORA): Mentioned as a sector-specific act for financial entities that applies instead of NIS2 for certain requirements. Cooperation between DORA and NIS2 authorities is foreseen.
    • Richtlijn (EU) 2022/2557 (CER Directive): Requires a coherent approach with NIS2, and critical entities under CER are considered essential entities under NIS2.
    • Verordening (EU) nr. 910/2014 (eIDAS Regulation): Relevant for trust service providers who fall under NIS2. Defines trust services.
    • Richtlijn (EU) 2018/1972 (European Electronic Communications Code): Relevant for providers of electronic communication networks and services who fall under NIS2. Defines related terms.
    • Verordening (EU) 2016/679 (GDPR): Applicable to the processing of personal data under NIS2.
    • Richtlijn 2002/58/EG (ePrivacy Directive): Applicable to certain processing of personal data.
    • Aanbeveling 2003/361/EG: Used to define enterprise sizes (micro, small, medium) which determines if entities fall under NIS2 scope or are classified as essential or important.
    • Frascati Manual 2015: Used for defining research organizations.

These references show that the regulatory framework established by the Cbw, Cbb, and the NIS2 Directive draws upon and interacts with a variety of existing standards, frameworks, and legal instruments.