New European Union regulations will expand the mandate for European companies to establish cyber security plans and will impose penalties in case of non-compliance, according to Marijn van Schoote, Manager, IT Service Management, Operations & Cyber Security, Port of Rotterdam.
In an interview with AJOT at the Port of Rotterdam offices on June 19th, van Schoote explained that under current European Union regulations “essential service providers and digital service providers are required to report significant cyber incidents to the national authorities … NIS1 (Network and Information Security Directive I) applies to essential service providers and digital service providers.”
The new regulations, known as NIS2 and due to be implemented in 2024, “expand the scope to a broader range of organizations, including important providers of online platforms and suppliers of core infrastructure services.”
Van Schoote said the new regulations will impact companies with “more than 250 employees, or revenues of over 50 million (Euros) per year.”
The NIS2 regulation will impact many port stakeholders including terminal operators and “… if you look at the Port (of Rotterdam), then it (impacts) production, distribution of … chemicals, transportation, … energy storage …”
Under the original NIS1 regulation, a few port stakeholders had to comply with cyber security plans. Under the new NIS2 regulation, many more will need to comply: “if you look at the ports nowadays, so I think one or two, maybe five companies have to comply with NIS1. If you look at NIS2, more than a hundred companies who are the big terminals, but also the smaller terminals also will have to comply.”
Van Schoote said that company Board members and CEOs will be more accountable under the new rules: “So it will change … the responsibility of the Board of Directors … a Board of Director … in the company or another company is personally responsible for taking cybersecurity measures … Now, you have to be aware. And if you are not aware, then you can get a penalty … On a corporate note, you can get a fine of 2% of your total revenue per year … the government can (also) say: ‘well, you're not a good CEO, so we can (take) you off the job.’”
NIS2 will mean higher costs for hiring consultants, new software, and other defensive measures, but the investment should also benefit complying companies, although this is not yet proven:
“So, there's also research being performed by Moody’s the credit rate agency, and they said, well, if … these rules and regulations are being implemented in the European Union, yes then it'll have a positive impact on, for example, the interest rates that companies have to pay for … attracting money … because the companies are more resilient against cyber (attacks). So, we expect that the cost … of getting money on the financial market will be lower compared to other companies outside Europe.”
Van Schoote said the new regulation will “ensure their resilience against cyber threats, promote a high level of network and information security, and foster cooperation among relevant stakeholders.”
The European Union said it decided to implement new tougher NIS2 requirements because the original mandate was not tough enough:
Van Schoote said that under the new guidelines that will take effect in 2024, “NIS2 introduces a broader reporting obligation for a larger number of organizations, including online platforms and core infrastructure services:
A European Union briefing paper also noted the need to strengthen protections of the supply chain: “NIS2 addresses security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in the supply chains and supplier relationships. At (the) European level, the Directive strengthens supply chain cybersecurity for key information and communication technologies. Member States … may carry out (European) Union level coordinated security risk assessments of critical supply chains, building on the successful approach taken in the context of the Commission Recommendation on Cybersecurity of 5G networks.”