
Is your company ready for stringent cybersecurity requirements? The NIS2 is coming

In the Cracked by Jordens series, we look at cyber security for consumers and businesses in the Netherlands. Today: a stricter European regulation, the NIS2.

Published on February 6, 2025


Everything new is wildly interesting! That's the motto of our DATA+ expert, Elcke Vels. She writes stories about AI and how it affects our society, has a series on cyber security, and interviews Dutch innovation maestros. In her “What if...” column, she also explores intriguing scenarios that deviate from the status quo.

The European NIS2, a law that imposes stricter cybersecurity requirements on essential organizations, will take effect next year. But acting now is essential, says cybersecurity expert Patrick Jordens. He is director of Trusted Third Party (TT3P): a Dutch company specializing in cybersecurity. We spoke with him about the new directive and its implications for companies and organizations.

Patrick Jordens

Patrick Jordens (b. 1969) is an entrepreneur with a heart for digital security. He is the director of the Trusted Third Party and the founder of DMCC Group, which helps organizations comply with all external laws and regulations and internal policies in the field of privacy and consumer law. He is also a guest lecturer in marketing, data privacy and ethics at the Hogeschool van Rotterdam.

What exactly does the new cyber law, NIS2, entail?

“Starting in 2025, the Network and Information Security Directive, or NIS2 Directive, sets requirements for digital security for socially critical and important organizations. Think of energy and water companies, government agencies, and the food sector. These include more stringent security requirements. They must establish policies, implement measures and make sure they work properly. This means, for example, regularly training employees in cyber awareness.

To better coordinate approaches against cyber threats, it becomes mandatory to report cyber incidents quickly. If an attack occurs, it must be reported to the National Cyber Security Center within a certain amount of time. Organizations must also ensure that their suppliers operate securely. If an NIS2 organization outsources its IT, the outside party must also comply with NIS2 requirements. Another important change is that, in addition to the organization being fined, directors can also be held personally liable if they neglect cybersecurity. They can be fined privately.”

Are you confident that this directive will improve Dutch cybersecurity?

“NIS2 is not a panacea, but it is a step in the right direction. It ensures that critical agencies are better protected against cyber attacks. Some sectors, such as energy companies, already had strict legislation in place. But for courier services, postal services, supermarkets, wholesale fruit and vegetables, and vegetable growers, this is new. However, I do doubt that the market will get it done in time. There are too few organizations that have a real handle on their cybersecurity right now. Look, for example, at the recent hack at the police department in which the names of 65,000 officers were leaked; this is astonishing. If an organization with an unlimited budget already makes such a blunder, it can happen to SMEs as well. Planning security, creating and implementing policies, training people properly and regularly checking that security is in order is essential.”

Important regulations on cybersecurity already existed. So what does a new directive add?

“Yes, there were already laws such as the AVG, which protects personal data, or the NIS: the precursor to the new directive. But NIS2 goes further and applies to many more organizations. Digital security is no longer an option but an obligation. What makes NIS2 truly unique, I think, is the introduction of board liability. It is notable that directors can not only be fined, but can also be banned from working. We already know this for fraud and the Unfair Trade Practices Act, but for cybersecurity this is new. The fact that directors will now be held personally responsible highlights the seriousness of hacks. Cyber attacks can have devastating consequences, and with NIS2 we are taking an important step to reduce this risk.”
