
NIS2 Directive - Requirements and Trainings

With the approval of the NIS2 directive, an important European step has been taken towards more uniform cybersecurity. The aim of this directive, which still needs to be translated into Dutch legislation, is to ensure a higher level of common security of network and information systems across the EU and thus increase resilience against cyber threats.

Currently, we are still working in the Netherlands with the Act on the Security of Network and Information Systems (Wbni). Once the Dutch legislative proposal is approved, the Wbni will be repealed and the new rules of the NIS2 will apply to a wide range of organizations.

Please note that your organization may not have fallen under the Wbni before, yet may well fall under the new Cybersecurity Act (Cbw). In that case, there is likely quite a bit of work to be done. But even if you already fall under the Wbni, a lot will change.

On this page, you will get a general overview of the requirements of the NIS2 and which training sessions can help you become compliant as quickly as possible.

Does my organization fall under the NIS2 directive or not?

A 100% conclusive answer can only be given once the Dutch law has been approved. In the meantime, the NIS2 itself (particularly annexes I and II, which list the sectors in scope) already provides some clarity. Even as a supplier to a 'NIS2 organization' you will feel a significant impact, because such entities must manage the security of their supply chain, even if you do not yourself fall under the label of 'essential' or 'important' entity.

The Dutch government has developed a tool that allows you to conduct a self-assessment, you can find it here: https://regelhulpenvoorbedrijven.nl/NIS-2-NL/

Management liability

An important change with far-reaching consequences is the management liability in the NIS2. Its aim is to ensure that cybersecurity is prioritized at the highest level of the organizations that fall under the directive.

The management body must approve and oversee the cybersecurity risk-management measures, and its members can be held personally liable for infringements of the requirements set by the directive. This means that business leaders, such as CEOs and board members, must be proactively involved in the implementation and enforcement of adequate cybersecurity measures within their organization.

To comply with this, one of the requirements of NIS2 is that these executives are required to undergo training to (as NIS2 literally states):

“Acquire sufficient knowledge and skills to identify risks and assess risk management practices in the field of cybersecurity and their implications for the services provided by the entity.”

TSTC has various solutions that help you meet this requirement. Often, a customized on-site training or workshop is preferred, in which, for example, an entire management team is brought up to date on information security, the organization's specific risks, the measures taken, and how incidents are handled. Feel free to contact us to discuss the possibilities.

Cbw/NIS2 Governance for Executives

An example of such an in-company training is Cbw/NIS2 Governance for Executives, which can be delivered as a half-day session on-site or online. With this training you meet, in essence, the NIS2 requirement that every member of the management body of an organization falling under the directive must undergo targeted cybersecurity training.

Managing NIS2 - CNIS2

Through our open schedule, you can also take the 2-day training Managing NIS2 - Certified NIS2 Professional (CNIS2), in which you become thoroughly familiar with the NIS2 and all associated requirements. This training concludes with a guided gap analysis that shows where further action is needed.

NIS2 Lead Implementer

The same applies to the more extensive 5-day NIS2 Lead Implementer training, which is less suitable for executives but helps security managers and professionals with the actual implementation of the requirements.

Obligations

The NIS2 directive prescribes four obligations:

  • Registration obligation

  • Duty of care

  • Reporting obligation

  • Supervision

In particular, the Duty of care and Reporting obligation contain requirements where our training can assist you.

Duty of care

Essential and important entities must take measures to protect their network and information systems against incidents. The same applies to the physical environment in which those systems are located. Below are a number of these measures and the matching trainings:

1. Risk analysis and security of information systems

> ISO 27005 Certified Risk Manager 
> ISO 27001 Lead Implementer 
> Certified BIO Professional - Foundation 
> Certified BIO Professional - Practitioner ​​​
> CRISC - Certified in Risk and Information System Control 

2. (Policies and procedures on) incident handling

> ECIH - Certified Incident Handler 
> CSA - Certified SOC Analyst 
> CISM - Certified Information Security Manager 
> CCISO - Certified Chief Information Security Officer 

3. Business continuity measures, such as backup management and disaster recovery plans

> EDRP including ISO 22301 
> CCISO - Certified Chief Information Security Officer 

4. Security of the supply chain

> CSSLP - Certified Secure Software Lifecycle Professional 
> CCSP - Certified Cloud Security Professional 
> CCISO - Certified Chief Information Security Officer 

5. Security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure

> Security+ 
> CISSP 
> ECIH - Certified Incident Handler 
> CND - Certified Network Defender 

6. Policies and procedures to assess the effectiveness of controls for cybersecurity risks

> CISM - Certified Information Security Manager

> CCISO - Certified Chief Information Security Officer

> Lead Cybersecurity Manager

7. Basic cyber hygiene and training in cybersecurity

> Cyber & IT Security Foundation

> Certified Ethical Hacker (CEH)

> CCISO - Certified Chief Information Security Officer

> Awareness solutions

8. Policies and procedures regarding the use of cryptography and encryption

> ECES - Certified Encryption Specialist

9. Security aspects related to personnel, access policies, and asset management

> CCISO - Certified Chief Information Security Officer

10. The use of multi-factor authentication or continuous authentication, secure voice, video, and text communication, and secure emergency communication systems within the entity

> CND - Certified Network Defender

Reporting obligation

The NIS2 directive prescribes that entities must report significant incidents to the supervisory authority (or the CSIRT) within 24 hours. This concerns incidents that significantly disrupt, or could disrupt, the provision of the essential service. Note that the 24-hour deadline is for the initial early warning: the directive also requires a fuller incident notification within 72 hours and a final report within one month. A number of responsibilities follow from this, all related to incident management/handling and monitoring processes:

1. Monitoring - are incidents detected?

> CSA - Certified SOC Analyst 

> CySA+ - CompTIA CyberSecurity Analyst 

2. Incident Management / Handling - is there a plan in place for how to act in case of incidents?

> ECIH - Certified Incident Handler 

3. Threat Intelligence - being aware of new threats, knowing what to be alert for

> CTIA - Certified Threat Intelligence Analyst 

4. Pentesting - finding weaknesses before an attacker does, to prevent incidents

> CEH - Certified Ethical Hacker 
> OSCP - OffSec Certified Professional 
> CPENT - Certified Penetration Testing Professional 
> (Web)Application Security Assessment (WASA) - based on the OWASP Testing Guide 

Generic training sessions

We advise you in all cases to start with one of the specific NIS2 trainings mentioned above. Since multiple roles are usually involved with the directive, it can be beneficial to attend a training together with colleagues, so that everyone is on the same page afterwards.

Another strategy could be to have employees follow different trainings depending on their role, so that the right knowledge reaches the right places.

Registration obligation

The registration obligation applies to organizations in critical sectors, so that the government gains insight into their digital resilience and they come under supervision.

Organizations that fall under the Cybersecurity Act are required to register data in the entities register. In the Netherlands, this is done at the National Cyber Security Centre (NCSC) at mijn.ncsc.nl. After registration, Cbw organizations gain access to the services of the relevant sectoral CSIRT.

Since all member states of the European Union must have such a register, this also provides a European overview of the number of entities under the NIS2 directive.

Supervision

NIS2 supervision in the Netherlands is being tightened and significantly expanded through the new Cybersecurity Act. Essential entities are subject to proactive (ex ante) supervision, while important entities are supervised reactively (ex post, for example after an incident or indications of non-compliance). Supervisors will check compliance with the duty of care, the reporting obligation (initial report within 24 hours), and the registration obligation.