What is the similarity between a WWII tank and cybersecurity? More than you would think, according to Groothuis. “During the Second World War, the British were very concerned about the advance of German tanks. They couldn’t bombard the tank factories, which were well-protected by anti-aircraft artillery. The British came up with a clever solution. They attacked the ball bearing factories. You see, without ball bearings, a tank cannot roll.”
Attacking the chain
The British attacked the chain. And that is exactly what cybercriminals are currently doing in Europe. “Many cybercriminals who target major companies start by attacking smaller companies that are connected to these larger companies”, Groothuis explains. The ball bearing factories, as it were. “These attacks indirectly affect the chain in a major way.” Small companies often provide important services to larger companies.
To protect large and smaller companies against cybercrime, Groothuis and other European politicians are working on a new cybersecurity regulation: the NIS 2. What does the NIS 2 mean for SMEs in the Netherlands?
What type of regulation is the NIS 2?
“NIS stands for network and information systems. We currently have NIS 1 in Europe, a regulation for essential companies, such as telecommunications or water providers. NIS 2 will raise the bar for cybersecurity across Europe, designating more organisations as essential businesses. We are talking about some 160,000 organisations across Europe. Companies will have to meet higher standards, and will receive more help from their government, for instance when they are hit by an attack.”
And yes, there will be fines. “We would prefer not to impose fines. But if an official is demonstrably negligent, and has been warned time and again, we want to be able to bite, not just bark. That is new. For the first time, we are turning cybersecurity into what the Germans call a ‘Chefsache’, not a matter to be left to your IT supervisor, but one you as a manager need to take responsibility for.”
Why is the new regulation necessary?
The first reason: cyber criminals are coming up with new ways to attack organisations at rocket speed. “The technological developments are extremely fast. NIS 1 has been in effect for 3 years, and it is outdated. Also, not every member state is meticulous about its application. If you do business with several European countries, you come across different rules in each country. That doesn’t work. We have to level the rules, so that we all move in the same direction.”
A second reason for the new regulation: cybercrime is on the rise. “We are experiencing a ransomware pandemic. In 2019, cybercrime reports doubled in the Netherlands alone. According to the FBI, the number of ransomware attacks tripled worldwide in 2020. During the corona pandemic, we took measures to take some of the pressure away from caregivers. We want to achieve the same effect with this legislation. The police and the justice department risk being overwhelmed. We have to work on our security measures, to lower the number of ransomware attacks.”
Will SMEs also have to deal with NIS 2?
Companies with under 50 employees and a turnover of less than 10 million euros will not be affected by NIS 2, in most cases. But there are exceptions. “Every company that provides an essential service to consumers will have to comply with NIS 2. That means small service providers as well. We are still working on the precise definition of ‘essential’.” Internet service providers, small factories, water or energy providers: these are the types of business that Groothuis expects will be earmarked as essential.
How will the regulation work?
“The European Parliament does not want to implement an impossible regulation, causing huge costs for small businesses. That’s why SME companies are mostly exempt from the regulation”, says Groothuis. So most SMEs will not be affected by NIS 2, unless theirs is an essential service. If you provide an essential service, you need certain certificates, and you will be visited by a supervisory body more often. “That is important, because the IT landscape for essential service providers is constantly changing. The security systems must stay up to date.”
Even if NIS 2 does not apply to your company, it does not mean that you don’t have to work on security, warns Groothuis. “The issue is not whether you are a part of a vital infrastructure. The issue is: do ransomware hackers think you are vital enough to fit their business model? Cybersecurity matters, for all entrepreneurs. Data leaks can spring up at every company, and at any time. As an entrepreneur, you are always responsible for the personal data you store.”
When will the regulation come into effect in the Netherlands?
“If all goes well, we will have an agreement in Brussels in the first quarter of 2022, making the European guidelines official. After that, the European member states have to implement regulations within 18 months. So it may take a while yet. The Netherlands are usually pretty fast. I expect it will be 2022 or 2023 before Dutch entrepreneurs to whom this regulation applies will have to deal with it.”
Here’s what you can do
The NIS 2 is mainly about preventing cybercrime. What can businesses do to protect themselves now? “I have come across many cybercrime victims who had no backups, did not log their servers’ activities, and had not implemented multifactor authentication. Those companies are in trouble.” Groothuis gives 3 pieces of advice.
- Configure your systems to register who is present in the system, and when. That way, you can spot a hacker much earlier.
- Make good backups. “If you meet all the rules and requirements, it doesn’t mean you cannot be hacked. But if you are hacked, and you have made provisions for backups and logging, you can at least pick up the pace without too much delay.”
- Implement multifactor authentication for your accounts. “It will scare off most hackers, even if they have managed to hack your systems.”
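The first piece of advice, recording who is present in a system and when, only pays off if someone actually looks at the records. The script below is an added illustration of that step and is not part of the interview or of any NIS 2 text: it parses a handful of constructed sshd-style login lines (hypothetical host and addresses) and flags the patterns a small company can check for without a dedicated security team: a successful login outside working hours, a user appearing from a source address never seen for that account before, and a success that follows a burst of failures. The working-hours window and the failure threshold are assumptions chosen for the example.

```python
"""Review login records for early signs of account misuse.

Added example; the log lines are constructed for illustration, in an
sshd-like format. Host names, users, addresses and thresholds are
hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): two ordinary users, then a
# night-time burst of failures from an unfamiliar address ending in success.
SAMPLE_LOG = """\
2021-11-08T08:02:11 srv1 sshd: Accepted publickey for alice from 10.0.0.12
2021-11-08T08:05:40 srv1 sshd: Accepted password for bob from 10.0.0.31
2021-11-08T17:45:02 srv1 sshd: Accepted publickey for alice from 10.0.0.12
2021-11-09T02:14:05 srv1 sshd: Failed password for bob from 203.0.113.7
2021-11-09T02:14:09 srv1 sshd: Failed password for bob from 203.0.113.7
2021-11-09T02:14:13 srv1 sshd: Failed password for bob from 203.0.113.7
2021-11-09T02:14:18 srv1 sshd: Failed password for bob from 203.0.113.7
2021-11-09T02:14:31 srv1 sshd: Accepted password for bob from 203.0.113.7
2021-11-09T09:10:00 srv1 sshd: Accepted publickey for alice from 10.0.0.12
"""

# One line per authentication attempt: timestamp, host, result, method, user, source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def review(events, work_hours=(7, 19), fail_threshold=3, window=timedelta(minutes=5)):
    """Return a list of findings, each a dict with kind, user, ip and ts.

    The three checks are deliberately simple:
      off_hours              - success outside [work_hours[0], work_hours[1])
      new_source             - success from an address never seen for that user
      success_after_failures - success preceded by >= fail_threshold failures
                               from the same user/address within `window`
    The first successful login per user seeds the baseline and is not flagged
    as a new source, since there is nothing to compare it against yet.
    """
    findings = []
    seen_ips = defaultdict(set)       # user -> addresses with a prior success
    recent_fail = defaultdict(list)   # (user, ip) -> timestamps of recent failures

    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["ip"])
        if e["result"] == "Failed":
            # Keep only failures still inside the window, then record this one.
            recent_fail[key] = [t for t in recent_fail[key] if e["ts"] - t <= window]
            recent_fail[key].append(e["ts"])
            continue

        def flag(kind):
            findings.append({"kind": kind, "user": e["user"], "ip": e["ip"], "ts": e["ts"]})

        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            flag("off_hours")
        if seen_ips[e["user"]] and e["ip"] not in seen_ips[e["user"]]:
            flag("new_source")
        fails_in_window = [t for t in recent_fail[key] if e["ts"] - t <= window]
        if len(fails_in_window) >= fail_threshold:
            flag("success_after_failures")

        seen_ips[e["user"]].add(e["ip"])
        recent_fail[key] = []   # a success closes the failure burst
    return findings


if __name__ == "__main__":
    for f in review(parse(SAMPLE_LOG)):
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S}  {f['kind']:<24} {f['user']} from {f['ip']}")
```

On the constructed sample the script reports three findings, all for the same night-time login of "bob" from 203.0.113.7: off hours, a source never seen for that account, and four failed attempts in the preceding minute. None of the daytime logins is flagged. In practice the same checks run against a central log store rather than a string, and each finding is a reason to ask the account owner whether the login was theirs, which is exactly the early warning the advice above is about.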
About Bart Groothuis
Member of the European Parliament
Bart Groothuis (1981) has been a member of the European Parliament on behalf of the VVD (People's Party for Freedom and Democracy) since February 2020. He has been appointed rapporteur for the European cybersecurity regulation NIB. From 2014 to 2020, he was head of the Cybersecurity Bureau at the Dutch Ministry of Defence.
Quote: “Europe is gripped by a ransomware pandemic. I will do what I can to stop it.”