The new European NIS2 cybersecurity directive will soon come into effect through the Dutch Cyber Security Act. Although organizations in the concrete and steel construction industry are not explicitly covered by this law, the impact on the sector is nevertheless significant. What exactly do these regulations mean and what consequences do they have for organizations in concrete and steel construction? At certification body DNV, they know.
The NIS2 Directive is the updated European legislation for network and information security. It replaces the original 2016 NIS directive. Its purpose: to strengthen the digital resilience of vital and important sectors. In the Netherlands, NIS2 will be translated into the Cyber Security Act, which is expected to take effect in the second half of 2025. The law includes a duty of care and a reporting obligation for organizations covered by the directive.
The duty of care means that organizations must conduct an information security risk assessment, take appropriate measures and ensure the continuity of their services. The reporting obligation means that incidents that significantly disrupt, or may significantly disrupt, the continuity of essential services must be reported to the local authorities within 24 hours.
Another important change: the boards of organizations are explicitly held responsible and accountable for their company's cybersecurity. Board members must also acquire demonstrable knowledge, for example through training. In addition, there will be an obligation to register with the National Cyber Security Centre (NCSC), and compliance with the law will be supervised.
Concrete and steel construction are not mentioned on the list of "essential" or "important" entities to which the NIS2 Directive applies. Yet organizations in this sector may well be affected by the law. Rob Jansen, business leader for the ICT sector at DNV, explains: "The directive applies to organizations with 50 FTEs or more, or with an annual turnover above €10 million. Even if you are not directly covered by the law, as a supplier you may still be required to comply with the requirements. Indeed, obligated entities must control information security and continuity throughout their supply chain." For organizations that want to know whether they are covered by NIS2, Jansen recommends the self-assessment at www.regelhulpvoorbedrijven.nl: "It contains detailed questions about products, services and scope and provides quick insight into the applicability of the NIS2/Cyber Security Act to your organization."
DNV supports organizations in preparing for the new legislation. "We offer a package of training and certifications," says Jansen. "Think of ISO/IEC 27001, ISO 22301 and the NIS2 Quality Mark. Those help make your efforts demonstrable to stakeholders." DNV also conducts gap analyses to determine where an organization stands now and which steps are still needed to bring information security and continuity to the desired level. Jansen's main advice is simple: "Don't wait, start. Ensure awareness and involvement of (top) management. Align cybersecurity with your business value. Not just for compliance, but especially to be more resistant to the increasing cyber threats. The urgency is greater than ever."
Then contact DNV directly.