Difference and changes between NEN, NEN-EN, NPR and ISO standards clearly explained!
Dr. Ir. Henk Jan Jansen
Security Tech Enthusiast | Bridging the Gap Between Ideas, Execution & Innovating for a Better Tomorrow
Standards guarantee a certain basic quality of a method or material. That is why organizations like to work according to a standard: it lets them demonstrate that they deliver that quality. In the Netherlands, work is often done according to NEN standards, but ISO is also a well-known name here. NEN stands for Nederlandse Norm (Dutch Standard), EN for European Standard, and ISO refers to the International Organization for Standardization.
NEN manages and publishes standards applicable to the Netherlands in a wide variety of areas. There are more than 1500 specifically Dutch standards and many more are valid in the Netherlands because, for example, they come from Europe (NEN-EN, Eurocodes) or are valid on a global scale (ISO).
At the international level, ISO works closely with the IEC, the International Electrotechnical Commission; information security standards such as ISO/IEC 27001 are joint ISO/IEC publications. In the Netherlands, NEN (the Netherlands Standardization Institute) is the national member body that adopts and manages ISO standards. ISO publishes documents that set out requirements, specifications, guidelines or characteristics. Businesses can apply these consistently to ensure that materials, products, processes and services are fit for purpose, and because the requirements are the same in all member countries, the result is genuine standardization.
By being certified against an ISO standard, companies can demonstrate that their products, services or management systems meet the agreed specifications. Note that ISO itself does not certify anyone: certification is carried out by accredited certification bodies. In addition, ISO standards support innovation and promote global quality, safety and reliability.
There are standards for many subjects: utensils, the protection of personal data, inspection methods, paper sizes, the fire resistance of building materials and the numbering of weeks, to name a few. Well-known examples are the ISO 9000 family (quality management; ISO 9001 is the certifiable requirements standard) and NEN 1010 (safety requirements for low-voltage installations).
Working Conditions Act
The Working Conditions Act (Arbowet) contains rules for employers and employees that promote the health and safety of both parties. It sets requirements for the design of offices and workplaces that refer to NEN, NEN-EN or NPR standards. These standards are themselves guidelines, not laws; they become binding only to the extent that legislation refers to them.
What are NEN, NEN-EN and NPR standards?
NEN, NEN-EN and NPR standards are collections of agreements, specifications and criteria that a product or service must meet. The letters are always followed by a number that identifies the relevant standard; the standard itself is not a law. Examples are NPR 1813 (ergonomic guidelines for office furniture) and NEN 1824 (ergonomic requirements for the floor area of office workplaces).
NEN
The Netherlands Standardisation Institute (NEN) and the NEC Foundation (the Dutch electrotechnical committee) are responsible for registering these standards. NEN is the abbreviation for Nederlandse Norm (Dutch Standard) and is also the name of the institute that publishes them. The prefix is country-specific: in the Netherlands a standard is written as NEN followed by its number, while Belgian standards bear the prefix NBN (Bureau voor Normalisatie, the Belgian standardization body).
NEN-EN
European standards (EN) are drawn up by the European standardization organizations CEN, CENELEC and ETSI and apply throughout Europe. Each national standardization body (NEN in the Netherlands) publishes them nationally under its own prefix, resulting in NEN-EN in the Netherlands and NBN-EN in Belgium. A NEN-EN standard therefore simply means that this European standard has been adopted as a Dutch standard; members of CEN and CENELEC are obliged to adopt European standards and to withdraw conflicting national standards. You can read it as a European standard that is used in the Netherlands.
NPR
NPR stands for Nederlandse Praktijkrichtlijn (Dutch Practice Guideline) and is a supplement to a standard that describes its practical application. This sounds more complicated than it is: a European standard for office chairs is sized for the average European, but the average Dutch person is taller than the average European, so the EN standard is supplemented nationally with an NPR.
Other abbreviations and missing NEN, NEN-EN and NPR standards
If you search online, you will mainly find variations in how the letters before the number are written, for example EN or (N)EN. These are not official designations but are often used as shorthand for the NEN or NEN-EN standard. Standards that originate at ISO, are adopted by CEN and then by NEN carry the combined prefix NEN-EN-ISO (for example NEN-EN-ISO/IEC 27001 for the information security management standard).
But what is the difference between a NEN standard and a NEN-EN standard?
A NEN standard is a Dutch national standard, while a NEN-EN standard is a European standard adopted in the Netherlands; only a NEN-EN standard can be a harmonized standard.
There are essentially two differences between the two. A NEN standard is first and foremost a Dutch, local, national standard. A NEN-EN standard, on the other hand, is a European standard that applies across Europe and must therefore also be adopted in the Netherlands. In line with this, a standard that carries only the designation NEN (i.e. without EN) is by definition non-harmonised: it does not provide a "presumption of conformity" with the essential health and safety requirements of the Machinery Directive (2006/42/EC). The converse holds only with a caveat: a NEN-EN standard is harmonised, and thus provides the presumption of conformity, only if it is a harmonised standard as defined in Article 2 of the directive and its reference has been published in the Official Journal of the European Union under that directive (Article 7(2)). Many European standards (NEN-EN-ISO/IEC 27001, for example) are not harmonised under the Machinery Directive at all.
As a nuance, a NEN standard is of course an accepted standard within the Netherlands and contains details of technical solutions intended to comply with, for example, the essential health and safety requirements of the Machinery Directive.
However, a NEN standard is and remains a non-harmonised standard. Applying it gives a certain degree of guidance on how to reduce particular hazards, but it has no legal status under the Machinery Directive. Harmonised NEN-EN standards, by contrast, are European standards cited in the Official Journal and carry the "presumption of conformity" with the essential health and safety requirements of the Machinery Directive.
If a machine is built fully in accordance with the relevant harmonised NEN-EN standards, there is a "presumption of conformity" that the machine meets the essential health and safety requirements covered by those standards. The manufacturer can rely on this when carrying out the conformity assessment, drawing up the technical file and the EC declaration of conformity, and affixing the CE marking; the presumption does not extend to requirements that the standards do not cover. In this sense, harmonised NEN-EN standards can be regarded as solutions accepted by the European Union as sufficient to reduce or eliminate the hazards of a machine.
Source: Directive 2006/42/EC, Article 2 (Definitions); Directive 2006/42/EC, Article 7 (Presumption of conformity and harmonised standards); Directive 2006/42/EC, Annex I (Essential health and safety requirements relating to the design and construction of machinery); Guide to the application of the Machinery Directive 2006/42/EC, 2nd edition, June 2010.
ISO 27001:2013 vs NEN 7510
(Figure caption) NEN 7510 requires three additional control measures compared to ISO 27001:2013.
What does the new version of ISO 27001 mean for NEN 7510?
NEN 7510 is the Dutch standard for information security in healthcare. After its publication in 2004 it was revised in 2011 and 2017; the 2017 version is the one currently in use. NEN 7510 is based on three other information security standards: ISO 27001, ISO 27002 and ISO 27799 (the healthcare-specific guidance on applying ISO 27002). Since new versions of ISO 27001 and ISO 27002 were published in 2022, the question naturally arises what this means for NEN 7510. In this article, we'll tell you all about it (as far as we know)!
NEN 7510
The original purpose of the NEN 7510 standard was:
Many people think that an information security standard such as NEN 7510 is focused entirely on IT. The opposite is true: information security standards certainly contain (many) IT-technical elements, but they are mainly about risk management, policy, organization, personnel, physical security and technology. The reason for a sector-specific 'translation' for healthcare in the form of NEN 7510 is that the sector has to deal with specific risks and with medical information, which the GDPR treats as a special category of personal data.
The NEN 7510 revision
Despite its direct relationship to ISO 27001/27002, the publication of the 2022 versions of these ISO standards does not mean that NEN 7510 changes immediately; there are steps in between. In the coming months, NEN will work on the revision of NEN 7510. In addition to the ISO standards mentioned above, the Code of Conduct for Access Security of Digital Patient Records (NFU/NVZ) is also used as input; this is a mutual agreement between hospitals and is therefore also essential for the revision. Finally, input from stakeholders and lessons from practice will be taken into account. Any interested party (healthcare institutions, ICT suppliers, health insurers, consultancy firms) may take part in NEN's review process.
National developments
In addition to the international revisions, there are national developments that affect the revision of NEN 7510:
Alongside the revision of the standard itself, attention is also being paid to developing implementation tools to help healthcare providers.
Laws and regulations
Many ISO standards are voluntary in nature. However, a number of standards are made mandatory by laws and regulations. For example, low-voltage electrical installations are legally required to comply with NEN 1010, including its inspection on completion. This also applies (in part) to NEN 7510: the Besluit elektronische gegevensverwerking door zorgaanbieders (2018) obliges healthcare providers to comply with NEN 7510 and the related NEN 7512 and NEN 7513.
In addition to these specific laws, there are other, indirect relationships between NEN 7510 and Dutch laws and regulations. Consider the obligation to comply with the AVG (the Dutch implementation of the GDPR), which requires the secure handling of personal data. Since NEN 7510 concerns the security of personal health data, you automatically end up at the GDPR: handling personal data in accordance with NEN 7510 is a recognised way to meet the GDPR's requirement for appropriate technical and organisational security measures (Article 32), although it does not by itself cover the GDPR's other obligations, such as lawfulness of processing and data-subject rights.
Appropriate cyber measures for more sectors
Improved security of network and information systems and an obligation to report serious cyber incidents should significantly increase digital security in the EU. This means that by 2024, the following players will have to take appropriate cyber measures:
Under the current directive (NIS1), providers of essential services such as banks, and digital service providers such as cloud services, have been designated by the central government and must take measures to improve their digital security. They are also already obliged to report serious cyber incidents, and all of this is supervised.
Essential & Important Providers
As mentioned above, the number of sectors covered will be significantly expanded by 2024. Organizations will then fall into one of two categories: essential entities and important entities.
Essential entities will be supervised proactively, while important entities will be supervised retrospectively, when there are indications that an incident has occurred. The latter group consists mainly of medium-sized and large organizations whose disruption would not have very serious social or economic consequences.
'Information Security Act mandatory for hospitals from 2023'
In addition to the duty to report, a duty of care applies: all parties covered are obliged to take security measures. This concerns increasing the security of the supply chain and putting the handling of cyber incidents in order.
The impact of NIS2 on Dutch organisations
As mentioned above, the NIS2 Directive will enter into force on 16 January 2023. EU countries, including the Netherlands, then have until 17 October 2024 to transpose NIS2, known in the Netherlands as NIB2 (Netwerk- en Informatiebeveiliging), into national legislation. The Dutch government has to carry out this transposition, but the starting point is that the core of the directive, the duty of care and the duty to report described above, remains largely the same.
Although it is not yet entirely clear what NIB2 will look like, it is certain that it will affect many organizations and that there is work to be done: these organizations must raise their information security maturity. The exact requirements are still to be determined by the Dutch government.
As mentioned in the previous paragraph, by 2024, the number of sectors that will have to take measures will be significantly expanded. This is expected to mean that about six thousand additional organisations in the Netherlands will have to comply with the new legislation.
What will change with the ISO 27001 update?
What changes will be made to ISO 27001? Some context. ISO 27001 is a standard for an information security management system. In the Netherlands this standard is issued by NEN, and it changes periodically. So we are now talking about a standard text that was updated in 2022. The update covers both ISO 27001 (the management part of the standard) and ISO 27002, the document in which a number of best practices (i.e. good management measures), both organizational and technical, are described. That text was changed in 2022. This means that organizations with a working management system for information security have a new bar against which to measure that system.
This means that in the next three-year period your management system will have to go through a transition. If you don't already have one, you can simply start building an ISO 27001 management system as you would at any other time. If you do have to make the transition, it is good to know that the management thinking is fundamentally unchanged. If you are somewhat familiar with the ISO 27001 standard, I could show you the ISO 27001 changes in detail in half an hour, so to speak, with the biggest change perhaps being that you have to think a little more carefully about your income.
With regard to 27002, there are now 93 control measures, whereas there used to be 114. Are they really new? No. There may be a few that you could call new. It is good to use a risk analysis to think about what exactly that means for you. But perhaps the biggest impact is that you look at the extent to which your management system is really grafted onto the 114 best practices (the old way of working of the standard), because then you probably have a hard link to the old standard text, which after all will be withdrawn now that there is a new one. I can tell you more about that too, but it would take a little longer because there are more details attached to it. We don't do that in this video. In any case, the transition is doable, especially for someone who is familiar with ISO thinking. I wish you the best of luck with that!
Comment (Process/Pipeline Commissioning / Project Management, 10 months ago): Well explained, thank you!