The new European NIS2 directive imposes a range of cybersecurity measures on essential and important entities. As the CIO of such an organisation, this gives you important responsibilities. Moreover, you can be held personally accountable if your organisation fails to comply with the NIS2 directive. What exactly does that involve?
Your responsibilities as CIO
NIS2 imposes a series of obligations on board members and executives, including CIOs. This adds the following responsibilities for you as CIO:
- Knowing the requirements of NIS2
The government does not actively notify organisations that fall under the NIS2 directive. It is your responsibility as CIO to research the obligations that apply to your organisation and take appropriate steps to comply with the directive. Therefore, read the NIS2 directive thoroughly to understand its requirements and objectives, and consult experts if necessary. Also follow closely any changes to the legislation, such as its transposition into Belgian law. After all, you are responsible for ensuring that your organisation's security practices comply with the latest standards whenever changes occur.
- Identifying and addressing risks
NIS2 requires you to take appropriate and proportionate technical, operational and organisational measures to manage risks. This starts with mapping your IT environment so that you understand the assets, services, users, applications and devices involved. Next, identify potential risks, vulnerabilities and threats through a security audit; a specialised IT partner can support you in this. Assess the severity of the risks found across all network and information systems within your organisation. Based on this assessment, draw up a prioritised action plan. Then tackle the risks, starting with those that have the greatest impact.
- Monitoring risk management measures
As CIO, it is not sufficient merely to approve cybersecurity risk management measures. NIS2 also requires you to monitor the implementation of these measures. You must establish policies and procedures to assess the effectiveness of the measures taken. Moreover, you should not limit yourself to a one-off risk analysis: your network environment changes, circumstances change and potential threats evolve. Therefore, update your risk analysis every six months to stay in line with the NIS2 directive. It can be beneficial to use the services of a Managed Service Provider for this, as they can do this for you on a continuous basis.
- Following training courses
You should attend relevant training courses. These should enable you to identify risks and assess cybersecurity risk management practices. After all, risk management is a key focus area of NIS2, and you need to be skilled in that as a CIO.
- Raising employee awareness
NIS2 requires you to offer similar training to all employees, of course with a different focus, adapted to their work. After all, security is a shared responsibility of everyone. According to Verizon's 2023 Data Breach Investigations Report, 74% of all data breaches involve a user. This may involve human error, misuse of stolen login credentials or social engineering. By increasing the vigilance of your employees, many attacks can be stopped and incidents prevented. You should therefore also set up awareness campaigns aimed at all employees, such as our managed security awareness training courses. That way, they become more aware of the responsibility they carry and are better able to recognise security risks.
What if you fail to comply with the NIS2 directive?
Breaches of NIS2 obligations can result in fines for your organisation. But for board members and executives, including CIOs, failure to comply with the NIS2 directive is not without consequences either.
- Personal liability
If, as CIO, you fail in your responsibility to make your organisation comply with NIS2, the Centre for Cybersecurity Belgium (CCB) could hold you personally accountable for violating the rules. This may have legal and financial consequences for you personally. If you are found to have been negligent or to have taken insufficient measures to manage cybersecurity risks, you could face fines or other penalties.
- Prohibition on executive function
The CCB, as the national authority overseeing compliance with NIS2, can impose another sanction on CIOs who fail to fulfil their responsibilities: you may be temporarily banned from holding any leadership position within your organisation.
Conclusion: NIS2 is a great responsibility
The European cybersecurity directive imposes very concrete obligations on organisations, for which you as CIO are responsible. If you are negligent or take insufficient measures to manage cybersecurity risks in your organisation, the national authority can hold you personally accountable and temporarily prohibit you from performing any managerial function within your organisation. It is therefore very important to take an active role in NIS2 compliance and to assume your responsibility.