Your chain, your responsibility: Safety doesn't stop at your own organisation
Nathalie Verkade, Compliance Officer, TechOne
Nathalie Verkade is the Compliance Officer at TechOne, a company within a group of 30 IT companies focused on IT and cyber security services. TechOne helps communications, managed IT and security companies realise their potential. Nathalie’s role is to ensure that the companies’ practices comply with relevant laws and regulations, with a particular focus on cybersecurity and data protection standards such as NIS2. In the following interview, Cybersecurity Editor Jan Meijroos talks to her about the importance of certifications for different industries.
You are a compliance officer, primarily focused on laws and regulations within the organisation. Can you transfer this experience and knowledge to your clients?
Nathalie: ‘Initially, my focus was mainly internal, which makes sense given my role. But I quickly realised that the issues within our companies often stem from what is happening with their customers. When you discuss certain issues internally, ideas come quickly. It adds a lot of value to your customers if you can provide additional expertise. So why keep that knowledge to yourself? The companies and people we work with also want to help and ask for tips. Of course, they come to me because they don’t read all the legal texts themselves.’
Have you already looked into the recently launched NIS2 consultation? If so, what are your first impressions?
Nathalie: ‘It’s in line with the original NIS2 as written in English. It’s a maximum harmonisation law, which means that member states can have stricter requirements in their national legislation, but in practice they’re unlikely to deviate much. The measures in Article 21 of NIS2 are not so different. I think the Netherlands has looked closely at how other countries like Germany and Belgium have implemented it.’
From your experience as a compliance officer, what is your view of the NIS2 quality mark?
Nathalie: ‘Not every company is directly subject to NIS2; there are two categories: companies that are directly subject to NIS2 and companies that have to comply through the supply chain. People often forget that they still have to comply indirectly through due diligence and supply chain responsibility. The NIS2 Quality Mark focuses on this, especially for SMEs, and can help many companies.
NIS2 is European legislation that must be implemented in the Netherlands. The NIS2 Quality Mark makes this legislation manageable. After an audit by a certified audit firm, you have proof that you have taken a significant number of cybersecurity measures. In the eyes of your major customers, it shows that you are serious about cybersecurity. This accessible, manageable nature is a godsend for SMEs.’
NIS2 includes new aspects not typically covered by ISO 27000, such as due diligence in the supply chain. Does this make a difference?
Nathalie: ‘Absolutely. NIS2 is a bit stricter. In ISO, you have supplier assessments, but NIS2 also requires your suppliers to take real action in case of risk. You are responsible for the information security of your supply chain, not just your own. Companies often think they’re done with ISO, but they’re not. And SMEs who think they have to comply with the heavy-handed ISO requirements are often misinformed. ISO is a good standard, but it’s too comprehensive and complex for many SMEs. The NIS2 Quality Mark addresses this.’
It also puts the spotlight on the supply chain, which includes many of your customers. I understand that thousands of customers are eligible for the NIS2 Quality Mark?
Nathalie: ‘Yes, we have fifteen locations in the Netherlands and about thirty companies. If you add up the clients of all these companies, you quickly reach a large number. Samen Digitaal Veilig (Together Digital Safe) ensures that SMEs are well prepared for the law, even if these companies are not fully subject to NIS2. We are a good partner to pass on this knowledge to our clients.’
What is it like working with Samen Digitaal Veilig?
Nathalie: ‘SDV provides a lot of support and information. They have a department for questions that are more specific than our knowledge. So we can pass on customer enquiries. We also organise meetings, webinars and more together.’
What are your expectations for the implementation of the law, in terms of timing?
Nathalie: ‘The Netherlands is a bit behind. Other European countries will meet the deadline. Dutch delays cannot be used as an excuse. Companies from other European countries will definitely be concerned.’
Why are standards important, especially for smaller companies that often feel resistant to new regulations?
Nathalie: ‘I understand the frustration. In the past, these rules were mainly for large companies, but increasingly they are also for SMEs. My advice is to start small with one standard, start with the basics. You’ll quickly see the benefits across all your processes. For your large customers, it’s important to show that you’re working on cybersecurity. At TechOne, we look at how we can make this accessible to our customers. We don’t just provide basic IT services, we provide partnerships. And that’s good for your relationship with your customers.’