NIS2, duty of care

NIS2 duty of care further elaborated

The "Cyberbeveiligingsbesluit": a further elaboration of the NIS2 duty of care. What can NIS2 companies expect? It is still a proposal offered for consultation, but it gives a good idea of the direction it is taking.
Published on:
14/3/25

NIS2 requirements further elaborated

In the Cyberbeveiligingsbesluit (Cbb), various requirements from NIS2 (the Cybersecuritywet) are further elaborated. This mainly concerns the duty of care. Which measures will become mandatory? It is still a proposal offered for consultation, but it gives a good idea of the direction it is taking.

Duty of care

Entities in scope are required to implement the measures (Articles 6 to 18 of the Cbb). The Cybersecuritywet (the Dutch implementation of NIS2) lists 10 measures that must be present as a minimum. These are now further elaborated in the Cyberbeveiligingsbesluit. A number of topics stand out:

  • Focus on formally establishing policy and procedures. In addition, organizations must be able to demonstrate that the policies have been implemented, so that supervision is possible;
  • Security monitoring: the Cbb sets requirements for security logging, monitoring and incident response. Although the Cbb uses the term "procedures", effective security monitoring (SIEM) is practically impossible to do manually. In practice, this means that NIS2 organizations will have to purchase a security monitoring service in order to meet the requirements. This is also acknowledged in the explanatory memorandum (security monitoring may be outsourced). It is recommended to purchase the security monitoring service from an independent party (and not, for example, as an additional service from the existing IT supplier, so that the party monitoring the environment is not the party operating it);
  • ISMS: organizations must implement a management system to manage security measures. The format is not prescribed, so this can be in Excel, or in a special GRC system depending on the complexity and size of the organization;
  • Periodic testing: Periodic testing covers various components, such as testing of backup restores, business continuity plans and crisis management scenarios;
  • Suppliers: the requirements for direct suppliers have been further elaborated, including contractual agreements with suppliers regarding cybersecurity (where possible) and ensuring that suppliers adhere to these agreements. Suppliers of ICT services must be able to provide evidence of their compliance with the cybersecurity requirements;
  • IT does not exist in isolation: IT risks are not separate from other risks and should therefore be treated as part of a broad risk management approach. The same applies to, for example, Business Continuity Management and Supplier Management. Do not only consider the impact on IT and IT suppliers, but look at all risks that can affect your business operations;
  • PAM - Privileged Access Management: the ministerial regulation describes "special access rights that are granted to users on the basis of necessity and per event". This corresponds to Privileged Access Management: privileged rights are granted just in time, for a specific task, rather than held permanently.

Boardroom training

In addition to the duty of care requirements, the Cbb also gives more details about the boardroom training. Besides requirements on the content of the training, the Cbb states that the trainer has to be independent. Independent means that the training cannot be given by the organization's own CISO / information security officer. The CISO can be present at the training to provide context about the organization.

Scope

The Cbb applies to all entities that fall under NIS2, with the exception of the following (the "IT sectors"). For these companies a separate document has been drawn up under EU implementing regulation 2024/2690:

  • Digital infrastructure (DNS, TLD registries, cloud services, data center services, CDNs and trust service providers);
  • Managed services (managed ICT services and managed security services);
  • Digital providers (marketplaces, search engines and social networks).

The exception applies specifically to the duty of care (Articles 6 to 16) and the criteria for significant incidents (Article 24). The other articles therefore still apply to these entities (such as the requirements for directors / boardroom training).

For a number of sectors, more detailed regulations already exist (which for the most part correspond to, or go beyond, the Cbb). However, the Cbb still applies to these sectors. It is therefore up to the organization itself to assess whether its current implementation complies with the Cbb. The Cbb also leaves open the possibility for individual ministries / government departments to introduce additional rules later, for a sector, subsector or type of entity.
