Making Technical Standards Understandable and Applicable for Business Owners

Kristel Houtappels, Communication Specialist & Cybersecurity Standard Expert

Kristel Houtappels

Kristel is a communication specialist and cybersecurity standard expert. For the NIS2 Quality Mark – consisting of three levels, namely NIS2-QM10, NIS2-QM20 and NIS2-QM30 – she rewrote technical and legal requirements associated with a cybersecurity certification into comprehensible language.

You have transformed the formal European directive texts of NIS2 into understandable measures, checklists and example documents. What was the biggest challenge for you in this process?

Kristel: ‘The biggest challenge lies in the combination of legal and technical jargon. Lawyers write in terms that are often complex from a legal context, and cybersecurity experts use technical language that isn’t readily accessible to a non-IT professional. My task is to translate these two worlds into something that business owners with little to no technical background can immediately work with. In doing so, I need to ensure that none of the legal or technical precision is lost, whilst writing it in such a way that business owners understand what they need to do without feeling overwhelmed.’

Many SME owners have outsourced their IT operations and may find it challenging to interpret these cybersecurity standards. How do you simplify the language without losing the essential legal and technical details needed for compliance?

Kristel: ‘The key is to convert technical details into specific, practical steps. Instead of saying that you “must implement vulnerability scanners”, I explain that you “need to ensure your systems are regularly checked for security risks, rather like checking your home alarm system”. I use everyday comparisons as much as possible and avoid technical language. It needs to be immediately clear to SMEs what they need to do, without getting lost in technical or legal terminology.’

You have worked with a team, including experts such as Cees van der Wens, the author of the well-known ISO 27001 handbook. How has this collaboration helped?

Kristel: ‘Working with experts like Cees has been invaluable because, from his experience, he can immediately identify what crucial elements are in a cybersecurity context. He knows precisely which technical measures are important, and that makes it easier for me to determine what absolutely must be included in the text and what we can describe in a more accessible way.’

Explanatory documents accompanying the measures help make abstract technical standards more comprehensible. Could you illustrate this by showing how a practical example might help a business owner?

Kristel: ‘Indeed, explanatory documents are incredibly valuable in making technical standards comprehensible and applicable for business owners. They translate abstract guidelines into clear, actionable steps. Consider, for instance, supply chain security. Many business owners recognise its importance, but how does one approach it in practice? In the explanatory documents, you’ll find a complete step-by-step guide on how to assess your suppliers’ security, which agreements you need to document, and how to continuously monitor the chain. There are also ready-to-use checklists with which you can promptly verify whether you have set everything up correctly.

Another example is an ICT continuity plan. Rather than having to devise everything yourself, you receive a detailed example plan in the document that you can adopt and adapt to your own business circumstances. These sorts of practical examples and readily usable tools help business owners to swiftly take the appropriate steps to secure their organisation without requiring complex technical knowledge.’

Once the texts were drafted in Dutch, they had to be translated into English. How does this bring new challenges, and how do you ensure that the nuances are preserved in both languages?

Kristel: ‘When translating to English, one must be particularly careful that the legal and technical details remain correct, whilst ensuring the language remains comprehensible. English, for instance, has more scope for technical terms that are understandable to a wider audience, but we want to ensure that the accessibility we’ve achieved in Dutch is maintained. It’s a matter of thorough proofreading and liaising with native speakers to ensure it’s correct in both languages.’

Now that the NIS2 standards are being implemented, how do you see these translations as written in NIS2-QM10, NIS2-QM20 and NIS2-QM30 helping SME companies in their cybersecurity efforts?

Kristel: ‘I believe that SMEs, precisely because of these comprehensible translations, will be far less hesitant to approach cybersecurity. Where it was previously often perceived as something rather distant and complex, they now see that it involves practical, achievable measures that can genuinely help them operate more securely. This gives them the confidence that they can comply with legal requirements even without in-depth IT knowledge.’
