The fun of testing NIS2 through policy prototyping
When we want to test a product, we may use a product or process prototype. And just the same way, when we want to test the comprehensibility, usability, and feasibility of policy proposals, we can use a policy prototype. And that is exactly what we are doing, with the NIS2! Do you want to take part?
10 / 08 / 23
After successfully obtaining a research grant, researchers from the KU Leuven Centre for IT & IP Law (CiTiP) are bringing together the Centre for Cybersecurity Belgium (CCB), Agoria and Beltug. Our goal is to use the CCB’s CyberFundamentals Framework (CyFun) as a prototype for the transposition of the NIS2 directive into Belgian law.
Beltug members that participate in the project will get training on the CyberFundamentals, free guidance on the NIS2 implementation, and full anonymity.
If you are interested, send us an email. Beltug members will be seated at the first row of the prototyping show!
How will we use CyFun?
The NIS2 directive specifies the categories of security measures that organisations will have to implement. But it doesn’t set forward a framework or specific controls (apart from a few things like MFA). In order to guide organisations, the CCB developed CyFun, which borrows from the NIST framework. It also cross-references to ISO 27001 and other commonly used frameworks. Beltug has already received positive comments on the framework, so why not take a look? To evaluate the effectiveness of CyFun, we will begin by using it (more specifically, its Basic level)* as a policy prototype in relation to the NIS2 implementation in Belgium.
*(Disclaimer: this may be subject to change, including due to changes in the information available to us on the process of the NIS2 implementation in Belgium).
What are we researching?
The cost issue of improving an organisation’s security posture is crucial. These costs can run into the millions, as organisations connect more databases, devices, OT and IT systems in order to optimise the opportunities of the digital transformation and AI. In the research, we aim to answer whether the Basic CyFun level is:
- Clear
- Effective
- Cost efficient
Beltug members at the forefront?
Beltug, CiTiP, Agoria and CCB form the coordinating team. Beltug members, Agoria members, external experts and CCB staff will form a sounding board group. Beltug members can participate as experts in the sounding board, and as participants in the project. We would very much like to see a large number of Beltug members participate! After all, the conclusions are meant to shed light on the feasibility (including financial) of implementing the new security measures, so this is your chance to influence how the Belgian law will be implemented.
What do you have to do?
We are currently elaborating the project within the coordinating team. Next, the sounding board group will be set up, composed of expert Beltug members as well as external experts. Early in 2024, the participating Beltug members and others will receive training from the CCB on the CyFun and information on the NIS2.
- You will first fill in a questionnaire on your understanding and perception of CyFun, its effectiveness and its costs.
- Over several weeks, you will be asked to use the Basic CyFun level and analyse its implementation.
- During an intermediate session, you will have the possibility to get in touch with the experts in the project.
- At the end you will fill in the same questionnaire, enabling the clarity, the effectiveness and the costs of CyFun (and thus of the implementation of NIS2) to be analysed.
How can you take part?
This research project can give you the opportunity to help ensure that the legislation suggested actually works for your organisation. Interested in participating? Let us know!