NIS Directive: plenty of issues still to clear up. Takeaways from the N-sight of 12/06/2018


The NIS Directive is currently being transposed into Belgian law. The directive provides legal measures to raise the overall level of cybersecurity in the EU. All sectors that are vital for our economy and that rely heavily on ICT - such as energy, transport, water, banking and financial markets, healthcare and digital infrastructures - will need to take appropriate security measures. This will affect many of our members, who will need to comply with the new law.



The Belgian law is expected to be adopted by Parliament in the autumn of 2018. Beltug receives many questions about the NIS, and will keep its members updated. As part of this, we held an N-sight on the topic on 12 June. First, we heard from the CCB (Centre for Cybersecurity Belgium, the national authority for the NIS Directive) about the directive itself and how it helps prevent security incidents. Then we learned how UZ Leuven estimates the impact on an organisation that provides 'essential services'.



The presentations from the event are available, exclusively for Beltug members (after login). In addition, we have two reference documents for OESs from the European Commission to share.





Implementation of the 'NIS directive' in Belgium



Valéry Vander Geeten, Legal Officer and Project Manager for the NIS Directive implementation at the CCB, started his presentation with an overview of all the sectors affected by the NIS - and there are many, both OESs (Operators of Essential Services) and DSPs (Digital Service Providers); see slide 2 for an overview. The directive does not provide a list of operators, only sectors and types of organisations/services. So it is up to each sectoral authority to decide whether an organisation is to be identified as an OES; the sectoral authority compiles its list together with the Crisis Centre and the CCB.



The main criteria for deciding whether a company indeed provides essential services are:

  • does the entity provide a service that is essential for the maintenance of critical societal and/or economic activities?
  • does the provision of that service depend on network and information systems?
  • would an incident have significant disruptive effects on the provision of that service?

(See slide 10 for some examples)



For DSPs in Belgium, three types of companies are affected:

  • online (public) marketplaces (e.g. eBay; a company's own e-shop is not affected)
  • online search engines
  • cloud computing services



Should a provider of essential services suffer an incident, the notification process must be followed (slide 23 for OESs and slide 27 for DSPs). The company should not look at this process purely from a legal standpoint or as a way to avoid fines: notification is also what enables the sectoral and national authorities to help and provide support.



After this general overview, Valéry went through the next steps in Belgium (see slide 32). The Belgian law is expected to be adopted by Parliament in the autumn of 2018.



Don't let the timing stress you, though, Valéry reassured. The implementation of this law will be handled in stages: after the identification phase, the affected operators will have one year to set up their security policies, and then another year to implement their security measures.



Your first contact for questions is always your sectoral authority, he concluded.



Does more regulation lead to better and safer patient care? Impact of the NIS on UZ Leuven



After numerous questions for Valéry and the sharing of many concerns, Reinoud Reynders, IT Director Infrastructure & Operations at UZ Leuven, took the floor and gave his view of the impact of the NIS on the hospital. Reinoud started with an overview of the infrastructure and the paperless patient flow at UZ Leuven. He also explained nexuzhealth, the hospital's software system, which is offered as a service to 29 other hospitals in Flanders.



Availability is key in this system and in any hospital; other pillars include data quality, flexibility, security and privacy, and budget.



When it comes to the NIS, awareness is a major concern today (see slide 9 for Reinoud's observations).



Regarding certification, Reinoud feels there is too much focus on this aspect in the NIS. Not being ISO 27001 certified does not automatically mean you are working in an insecure way (see slide 13 for Reinoud's main concerns).



To conclude, and to demonstrate that UZ Leuven already does a pretty good job on security, Reinoud gave an overview of the measures and policies currently in place at the hospital itself and at all the hospitals using the nexuzhealth services (see slides 16-17).



On the audit side (ISAE 3402), Reinoud wondered how smaller (independent) hospitals can cope.



After an overview of the next steps, he concluded with a few takeaways:

  • A big hospital is a critical infrastructure.
  • He has no problem with the principles of the NIS Directive.
  • The NIS Directive is much more than certification.
  • Organisations must focus on what makes a real difference: choose well how to invest.
  • Is ISAE 3000 an option?
  • There are many more questions than answers.
