The long-awaited Dutch implementation of the European NIS2 legislation is available in draft. Although the elaboration of the proposed 'Cybersecurity Law' is less specific on several important topics than the European directive, the key message is clear: many organizations and their partners must seriously address security and take measures to demonstrate compliance.
As is often the case with the introduction of new legislation, there is a lot of emphasis on fear, uncertainty, and doubt. Coercive measures such as fines, suspending directors, or revoking licenses are being mentioned. Moreover, it seems as if the state of security in the Netherlands is deplorable. But is that really the case? If we approach the introduction of the Cybersecurity Law-to-be from a different perspective, without fear, stress, and panic, we see less reason to go into a frenzy. There is still a fair amount of time and plenty to fall back on. This doesn't underestimate the impact of the new law, but we argue for a more nuanced approach for five reasons.
Legislation is definitely not the only driver for promoting security
Many organizations covered by the NIS2 directive are already continuously working to promote security. Not only driven by business interests, but also by intrinsic motivation to contribute to a safer society. Furthermore, even without this law, there are quite a few factors that require companies to have their security in order. Think, for example, of discipline within the supply chain where requirements are set in terms of security as a condition for collaboration or transaction.
Many organizations don't start from scratch
Some of the organizations subject to NIS2 were already subject to the ‘initial release’ of the directive and thus already have a firm foundation. There are also companies that must comply with specific security standards just to operate in their sector. So, there is already a 'security track record' with which most organizations do not start from scratch. Furthermore, you also see that measures mentioned in the European version of the directive are at the basic hygiene level and have already been implemented in many organizations.
The Netherlands is relatively mature in the field of security
Following on from the previous point, the panicky tone often adopted in contributions about NIS2 does not do justice to all the activities that have been initiated by the government in recent years to increase societal resilience. The Netherlands is relatively mature in the field of security. There is also a lot happening in terms of public-private cooperation, as well as within the sector, between companies that are in principle competitors. Consider, for example, Project Melissa, where the Public Prosecution Service, the police, the National Cyber Security Centre (NCSC), Cybersecurity Netherlands, and various private parties collaborate to combat ransomware and other manifestations of cyber crime.
Supervision and enforcement are not immediately in order
Enforcement and the prevention of fines should not be the main reasons for ensuring that your security is in order. However, the reporting on NIS2 does evoke memories of the panic that surrounded the introduction of the GDPR privacy law. In that case as well, experts were scrambling to urge companies to take action because otherwise, there was a risk of hefty fines. Ultimately, the implementation of the law turned out to be less severe. It took over two years for supervision and enforcement to be in order. After all, setting up a law and all its associated processes takes time. Although you can see a clear structure for the administrative and operational aspects of the NIS2 legislation in the Dutch implementation, including a national oversight, enforcement, and response system, it also takes time here before everything is implemented properly.
Implementation of the Dutch law has been postponed
Netherlands will not meet the planned European implementation date of October 17th. It is expected to come into effect locally in the second or third quarter of 2025. This seems to reduce the urgency. However, there is a caveat for companies that are less mature in terms of security. They can use this time as an opportunity to get the basics right. Think, for example, of setting up detection and monitoring necessary to gain insight into incidents so that you can also make the required reports. Furthermore, given the European nature of the law, it is wise for Dutch companies with branches abroad to already assess what the obligations and rights are at the local level so that they can comply from October.
Although NIS2 certainly deserves attention, in the short term, the ball is mainly in the court of organizations that are less mature and those operating internationally. For other organizations that have been consciously focused on security for a long time, our advice is just ‘Keep calm and carry on’.