
How European regulations will also change cyber security for your company

  • March 16, 2023


Long gone are the days when only IT was responsible for cyber security. It not only affects the entire organization, but also requires a cross-border approach that aligns the cybersecurity strategy of all companies. Europe is therefore working on a series of directives that will have a serious impact on every company over the next two years.

The fact that cybersecurity is a concern for organizations is clear from the latest Beltug Priorities Compass. Six of the top ten priorities of Belgian ICT decision makers relate to security. Data management and data protection are particularly important challenges. Although working digitally has become a must everywhere, we should not be blind to the risks involved. Who has access to which data? And are you sure that former employees can no longer access critical data?

Furthermore, cybersecurity is not limited to what happens within the digital perimeter of your own organization. If your company uses software from vendors, you need to be sure that these external parties take security seriously enough. Cybercriminals are so well organized today that we can only counter them with an overarching strategy. And of course we look to the European Union for this. At the moment there are three initiatives in the pipeline that your company will soon have to deal with directly or indirectly.

NIS2

NIS2 is the successor to the first NIS law that has been in force in national Belgian law since 2019. The directive obliges EU member states to cooperate on cybersecurity, as this is having an increasing impact on the European economy and society. While the original law in our country applies to about a hundred companies with critical activities, the scope of NIS2 is extended to no fewer than 2,000 organizations. And many of these companies are not yet aware of this.

The sectors considered essential in the directive are: energy, transport, banking, financial infrastructure, healthcare, drinking water distribution, wastewater treatment, aerospace, government and digital infrastructure. In addition, there will also be less stringent measures for companies in other sectors, ranging from courier services to food producers and digital providers. Belgium still has 21 months to transpose this new directive into law. All companies involved must therefore comply with it by the end of 2024.

How is NIS2 different from its predecessor? Organizations must report a cyber incident and even a threat within 24 hours. In addition, the directive forces companies to sit down at the table with suppliers. After all, we increasingly see cybercriminals manage to enter an organization’s network through a partner’s backdoor. Don’t ignore NIS2, because the fines are not mild. And in the end, the directive pursues a noble goal: a safer digital world in which your organization can grow carefree.

Cybersecurity Act & Cyber Resilience Act

Even if NIS2 doesn’t apply to your organization, there are two other initiatives to consider. The Cybersecurity Act aims to create a certification framework for security in the EU. Compare it to the heavily regulated auto sector. When you buy a new car, you assume that the airbag and other protection systems are working properly. Similarly, many companies buy software without asking their vendors about security. Conversely, it is impossible for software developers to find out what cybersecurity rules apply in each country. This legislation will allow organizations in the EU to certify their ICT products and services all at once with a certificate that is recognized EU-wide.

The Cyber Resilience Act is another bill aimed at securing products with digital elements – such as IoT devices – at the design and development stage. After all, even toys can be networked today. For the time being, this law is even less specific than the other two initiatives.

How do you prepare?

Cybersecurity is important to everyone. So don’t wait for the above laws or until you become a victim of a cyber attack yourself. You are not alone, as organizations like the Center for Cybersecurity Belgium (CCB) will surely help businesses.

In any case, make sure that the board is already involved in the cybersecurity story. After all, you can’t develop a strategy without a budget. This is still a problem in many organizations today, mainly because the board finds the topic too technical. Therefore, translate the topic and do not overwhelm your management with difficult terms. Instead, explain what a risk is, what it takes to fix it, and how much it would cost if the risk resulted in a cyberattack.

Cybersecurity Europe

In a world where many companies operate internationally, the patchwork of local laws is no longer sufficient. Technology transcends national borders, which is why we need to create a strong European framework. Trade fairs like Cybersec Europe are therefore important moments of cross-pollination. Only by sharing knowledge and working together can we lay the foundations for a safe and prosperous cyber society.

This is a contribution from Danielle Jacobs, CEO Beltug, Association of CIOs and ICT Decision Makers. Beltug is one of the partners of Cybersec Europe 2023, which takes place on April 19th and 20th.

Source: IT Daily
