With the implementation of the NIS2 Directive, the European Union is taking an important step towards strengthening cybersecurity for all European companies.

Companies subject to NIS2 legislation must meet stricter risk management, incident reporting and supply chain security requirements. How does such legislation get into a company, why is Belgium one of the first countries to transpose the directive into law, and what role does the CCB (Center for Cybersecurity Belgium) play in this?

We direct our questions to Niels Hofmans, Head of Security and IT at Intigriti. Intigriti is a bug bounty platform that connects ethical hackers with companies, and he sees this new policy not only as a commitment, but also as an opportunity to increase transparency and trust.

Belgium is at the top

With NIS2, Belgium has shown that it has serious cybersecurity ambitions. The CCB was very important in the speed with which the guidelines were translated into law. “Our country is one of the first countries to fully comply with the implementation of NIS2,” says Hofmans. “A big compliment to the CCB. The communication and information channels they have established have ensured that Belgium is among the leaders of NIS2 in the world.”

It is critical for Intigriti and other bug bounty companies to show customers that their data is in safe hands. “We have a great responsibility towards our customers,” says Hofmans. “If there is any doubt about how we handle their most important data, we are doing it wrong.”

This makes NIS2 a valuable basis for strengthening corporate security. “It goes beyond ISO certifications. NIS2 provides a more in-depth framework that contributes to better risk management.”

In addition, the directive requires companies to take a closer look at their suppliers. “There were no supply chain requirements for NIS1,” explains Hofmans. “This is now becoming a growing risk. Why should we impose strict requirements on ourselves if we do not impose them on our suppliers? After all, they are part of the company.”

From NIS1 to NIS2: What changes?

The transition from NIS1 to NIS2 brings big changes. Hofmans sees important progress in the increased focus on responsibility. “The accountability will be addressed much more harshly, ensuring we will see a noticeable difference in cybersecurity.”

The obligation to report incidents to the CCB is also becoming more important. If a company falls victim to a significant cyber attack, it must be reported to the Belgian CERT within 24 hours. A more detailed report should follow within 72 hours. After one month, a final, complete report must follow with a description, causes and further steps. “This reporting helps uncover vulnerabilities and provides a good foundation for further development.” It keeps us on our toes.”

“NIS2 provides us with a more in-depth framework to help us manage risk.”

Niels Hofmans

Another important aspect is the expansion of the cyber foundation framework, which helps companies protect data and reduce the risk of the most common cyber attacks. “When a company comes to us, we can immediately refer to Cyber ​​Fundamentals 2.0,” says Hofmans.

What challenges still lie ahead of us?

Although the benefits of NIS2 are obvious, organizations still face challenges. “There are still many companies that are not concerned about the directive,” warns Hofmans. However, the consequences of non-compliance are significant. “Sanctions can lead to the dismissal of managers or fines of up to ten million euros. That goes a long way.”

Hofmans also mentions some sore points: “Perhaps they could have focused more on official NIS2 communications with companies instead of just reporting on social media.”

He also talks about companies that have not previously been involved in NIS2. “We will see issues with companies just starting to comply with NIS2. There are many companies that now qualify for NIS2 but have never done so or documented anything. That’s a tough apple to bite through.”

It is clear that the NIS2 legislation has a positive impact on both cybersecurity platforms and other sectors. There are still some challenges for companies just entering the funding phase, but these are not insurmountable. The CCB must continue to work proactively and keep the policies and framework up to date.