
The duty of care under the NIS2 Directive: what you need to know

The duty of care under the NIS2 directive is an essential step towards better digital resilience; in this article, you will discover what this obligation entails and how your organisation can comply with it.
By: Michel Holtkamp

In our previous article, we discussed the NIS2 Directive's registration obligation. In this blog, we focus on another crucial obligation: the duty of care. This obligation is designed to strengthen organisations' digital resilience and help them protect their network and information systems against incidents. If you missed our previous article, you can read it here.

What does the duty of care entail?

The duty of care under the NIS2 Directive requires organisations to take appropriate and proportionate measures to secure their network and information systems. This means that organisations must act proactively to identify and mitigate risks. The duty of care includes both technical and organisational measures, such as:

  1. Risk assessment: Organisations should conduct regular risk analyses to identify potential threats and vulnerabilities. These analyses form the basis for taking appropriate security measures.
  2. Security measures: Based on the risk assessment, organisations should implement measures to ensure service continuity and protect their information. These can range from installing firewalls and antivirus software to training staff in cybersecurity awareness.
  3. Incident management: Organisations should have procedures for detecting, reporting and responding to security incidents. This includes creating an incident response plan and testing these procedures regularly.
  4. Physical security: In addition to digital security, organisations should also ensure the physical security of their IT infrastructure. This may include securing server rooms against unauthorised access and taking measures to prevent physical damage.

Why is the duty of care important?

The duty of care is essential because it forces organisations to take a proactive stance on cybersecurity. Instead of reacting to incidents after they occur, the duty of care encourages organisations to take preventive measures. This helps not only to reduce the likelihood of incidents, but also to minimise the impact of any incidents that do occur.

How can organisations comply with the duty of care?

To comply with the duty of care, organisations can take the following steps:

  1. Conduct regular risk assessments: Identify and evaluate potential threats and vulnerabilities in your network and information systems.
  2. Implement security measures: Based on the risk analysis, take appropriate technical and organisational measures to protect your systems.
  3. Establish an incident response plan: Make sure you have procedures for detecting, reporting and responding to security incidents.
  4. Secure your physical infrastructure: Ensure you have adequate physical security measures in place to protect your IT infrastructure.
  5. Train your staff: Make sure your employees are aware of cybersecurity risks and know how to respond to incidents.

By following these steps, organisations can not only comply with the NIS2 Directive's duty of care, but also strengthen their overall digital resilience.

What are the consequences of not complying with duty of care?

Failure to comply with the duty of care of the NIS2 Directive can have significant consequences for organisations. Here are some key consequences:

  1. Fines and penalties: Organisations that fail to comply with the duty of care may face significant fines and other legal sanctions. These fines can vary depending on the severity of the breach and the impact on security.
  2. Increased risk of cyber attacks: Failure to implement adequate security measures increases the risk of successful cyber attacks. This can lead to data breaches, loss of confidential information and disruption of services.
  3. Damage to reputation: A security incident resulting from failure to comply with the duty of care can cause serious reputational damage. Clients and partners may lose trust in the organisation, leading to loss of business and revenue.
  4. Operational disruption: Cyber attacks and security incidents can lead to significant operational disruptions. This can result in downtime, loss of productivity and additional costs for recovery and mitigation.
  5. Accountability: Organisations may be required to account to regulators and other stakeholders for their failure to comply with the duty of care. This may lead to intensified monitoring and auditing.

It is therefore crucial for organisations to take the duty of care seriously and implement proactive measures to secure their network and information systems.

Have questions or want to know more about specific aspects of the duty of care? Check out NIS2-registration | National Cyber Security Centre, let us know, or read our live blog here.

In our next article, we will zoom in on the notification requirement: significant incidents that could disrupt services must be reported to the Computer Security Incident Response Team (CSIRT) and the regulator within 24 hours. This helps in responding to incidents and mitigating their impact quickly. So keep an eye on our website and blog!
