Self-Evaluation Tool for NIS2 Launched in the Netherlands

On October 18, the self-evaluation tool for NIS2 was launched in the Netherlands. Developed in close coordination with relevant ministries and regulators by the State Inspection Digital Infrastructure (RDI), this tool allows organizations to determine whether they fall under the NIS2 directive. It also clarifies whether the organization is considered ‘essential’ or ‘important’ for the functioning of society and/or the economy according to the NIS2 directive.

The self-evaluation tool can be found and accessed here.

What is NIS2?

The NIS2 directive, or the Directive on Security of Network and Information Systems 2, is a European Union initiative aimed at enhancing the cybersecurity posture of member states. It builds upon the original NIS directive and introduces additional measures to improve the overall resilience of critical infrastructure and essential services against cyber threats.

Here are key aspects of the NIS2 directive:

  1. Scope: NIS2 focuses on ensuring the security of network and information systems across various sectors, including energy, transportation, banking, financial market infrastructures, health, drinking water supply, and digital infrastructure.
  2. Risk Management and Incident Reporting: The directive requires operators of essential services (OES) and digital service providers (DSPs) to implement risk management practices and report significant incidents to the relevant national authorities.
  3. Incident Response and Cooperation: NIS2 emphasizes the importance of incident response capabilities. It encourages collaboration and information sharing among EU member states to effectively respond to and mitigate cybersecurity incidents.
  4. National Competent Authorities (NCAs): Each member state is required to designate one or more national competent authorities responsible for implementing and enforcing the NIS2 directive. These authorities play a key role in supervising compliance within their respective countries.
  5. Digital Service Providers (DSPs): The directive introduces specific obligations for DSPs, such as cloud computing services, online marketplaces, and search engines. DSPs are expected to take appropriate security measures and report incidents to competent authorities.
  6. Self-Evaluation Tool: The self-evaluation tool described in this article is designed to help organizations assess whether they fall under the NIS2 directive and to what extent they are considered essential or important for societal and economic functions.
  7. Preparation Period: Organizations have a transitional period to prepare for compliance with the NIS2 directive. The directive is expected to be transposed into national law by the end of 2024.
  8. Internet Consultation: The upcoming internet consultation provides organizations with an opportunity to offer feedback on the draft texts resulting from the NIS2 directive. This helps in refining the requirements and ensuring practicality.

In summary, the NIS2 directive represents a significant step in strengthening cybersecurity across critical sectors in the EU, fostering collaboration between member states, and establishing a framework for incident response and risk management in the digital era.

Why was the self-evaluation tool developed?

The NIS2 directive is expected to be transposed into national legislation by the end of 2024, which will apply to all organizations deemed ‘essential’ or ‘important’ according to the directive. This means these organizations have a year to prepare for the obligations of the upcoming legislation. For this reason, RDI has developed the self-evaluation tool, enabling organizations to assess whether they will need to comply with the law when it comes into effect.

What other assistance is provided to businesses?

Soon, an internet consultation will begin, allowing organizations to respond to the draft texts resulting from the NIS2 directive. This will provide organizations with more insight into what is expected of them when they need to comply with the law at the end of 2024. Once this internet consultation is formally announced, the Dutch government will also publish actionable guidance to help organizations prepare for the upcoming legislation.