Dutch cloud. Human support.

Security & Monitoring

Security, compliance frameworks and 24/7 monitoring

The NIS2 directive is no longer a new topic. Yet many organisations still haven't made it concrete. They know something is coming, but what exactly, for whom and when remains vague. This article makes it concrete: what is NIS2, who falls under it, and what do you actually need to arrange as an organisation?

What is NIS2?

NIS2 stands for Network and Information Systems Directive 2 – the successor to the original NIS directive from 2016. The European Union has tightened the directive because cyber threats have structurally increased in recent years. Attacks on critical infrastructure, supply chain attacks and ransomware at government institutions have shown that the old directive was insufficient.

The core of NIS2 is simple: organisations in critical sectors must demonstrably work on cybersecurity. Not on paper, but in practice. And when things go wrong, you must report it quickly.

In the Netherlands, NIS2 is being transposed into the Cybersecurity Act (Cyberbeveiligingswet). The EU deadline for transposition was 17 October 2024; the Netherlands missed it, and at the time of writing the expected entry into force is the third quarter of 2025, though exact dates depend on parliamentary proceedings. The obligations themselves are already fixed in the directive, so organisations waiting for the final law are running behind.

Who falls under it?

This is where it gets surprising for many companies. NIS2 is considerably broader than the previous directive. An estimated 10,000 Dutch organisations fall directly under the law. Additionally, approximately 50,000 companies that supply to this group will indirectly face NIS2 requirements through supply chain obligations.

The directive distinguishes between two categories:

Essential entities – organisations in the sectors the directive lists as highly critical (Annex I): energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, B2B ICT service management, public administration and space. Providers of digital infrastructure (cloud providers, datacenters, DNS providers, trust service providers) fall into this category.

Important entities – a broader group of sectors (Annex II): postal and courier services, waste management, chemical industry, food industry, manufacturing and processing industry, research institutions, and digital providers such as online marketplaces, search engines and social networking platforms.

Whether your organisation falls under it depends not just on the sector. Size also counts. As a rule of thumb: medium-sized organisations (50 or more employees, or an annual turnover and balance sheet total above 10 million euros) and large organisations (250 or more employees, or a turnover above 50 million euros and a balance sheet total above 43 million euros) in a listed sector are obligated. Size also decides the category: large organisations in the Annex I sectors are essential entities; medium-sized organisations in those sectors, and all qualifying organisations in the Annex II sectors, are important entities. Smaller companies are largely exempt, but some providers count regardless of size, such as DNS service providers, top-level domain registries, trust service providers and providers of public electronic communications networks.

NIS2: essential vs. important

Essential entities (Annex I, highly critical sectors)
  • Energy (electricity, gas, oil)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructure
  • Healthcare
  • Drinking water / wastewater
  • Digital infrastructure (cloud, datacenters, DNS, trust services)
  • ICT service management (B2B managed services)
  • Government (public administration)
  • Space

Important entities (Annex II, other critical sectors)
  • Postal and courier services
  • Waste management
  • Chemical industry
  • Food industry
  • Manufacturing (medical devices, electronics, machinery, vehicles)
  • Digital providers (online marketplaces, search engines, social networking platforms)
  • Research institutions

Note: medium-sized organisations in the Annex I sectors are important entities, not essential ones; only large organisations there (and a few provider types regardless of size) are essential.

Netherlands: ~10,000 organisations directly under NIS2 · ~50,000 indirectly via supply chain

Source: samendigitaalveilig.nl · NCSC Netherlands · NIS2 Directive (EU) 2022/2555

The four pillars of NIS2

What do you concretely need to arrange? NIS2 structures the obligations around four themes.

1. Duty of care

You are obliged to take appropriate and proportionate technical, operational and organisational measures to manage the risks to your network and information systems. What "appropriate" means depends on your exposure to risk, your size, and the likelihood and severity of possible incidents. The directive (Art. 21(2)) provides a minimum list of ten measures:

  • Risk analysis and information system security policies
  • Incident handling (detection, response, recovery)
  • Business continuity (backup management, disaster recovery, crisis management)
  • Supply chain security, including the security of relationships with direct suppliers and service providers
  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of your measures (in practice: audits, vulnerability scans and penetration tests)
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies and asset management
  • Multi-factor or continuous authentication, secured voice, video and text communication, and secured emergency communication systems

2. Reporting obligation

When an incident occurs that has a significant impact, you must report it. The deadlines are tight, and the clock starts when you become aware of the incident:

Within 24 hours, an early warning to the CSIRT or competent authority (in the Netherlands the NCSC or a sectoral supervisor), stating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact. Within 72 hours, an incident notification that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. Within one month of that notification, a final report with a detailed description of the incident, the type of threat or root cause, the mitigation measures taken and any cross-border impact. If the incident is still ongoing at that point, you submit a progress report instead and the final report follows within a month of the incident being handled. The supervisor may also ask for intermediate status updates in between.

What "significant impact" means is defined in the directive (Art. 23(3)): an incident is significant if it has caused or is capable of causing severe operational disruption of your services or financial loss for your organisation, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Reputational damage on its own is not a criterion. In doubtful cases: report it. The supervisor will help determine whether it was reportable. Because the 24-hour clock starts at awareness, your detection and escalation process must get a suspected incident in front of whoever decides on notification the same day.

3. Registration obligation

Organisations falling under NIS2 must register with the competent authority. In the Netherlands this is coordinated through the NCSC and sectoral supervisors. Registration is done per sector. Energy companies report to ACM, healthcare providers to IGJ, and so on.

4. Supervision and sanctions

NIS2 introduces stricter supervision and higher fines. For essential entities: fines up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher. For important entities: up to 7 million euros or 1.4% of total worldwide annual turnover, whichever is higher.

But there's more. The management body must approve the cybersecurity risk-management measures and oversee their implementation, and its members can be held personally liable if the organisation demonstrably falls short. For essential entities, the supervisor can in serious cases ask the court to temporarily bar the chief executive or legal representative from exercising managerial functions. That's a new element compared to the previous directive.

What supply chain has to do with it

One of the most underestimated obligations is supply chain security. NIS2 requires that you not only secure your own systems, but also map and manage the risks from your suppliers and service providers.

In practice this means: you must be able to demonstrate that your IT suppliers, managed service providers and software vendors meet minimum security requirements. You can do this through contractual agreements, audits, certifications (ISO 27001, SOC 2) or by requiring that suppliers themselves are NIS2-compliant.

For many organisations this is the hardest part. Your supply chain is complex, suppliers don't always want to cooperate with audits, and responsibility never really ends at a single link.

NIS2 sanctions and reporting deadlines

Sanctions:
  • Essential entities: fines up to €10M or 2% of worldwide annual turnover, whichever is higher
  • Important entities: fines up to €7M or 1.4% of worldwide annual turnover, whichever is higher
  • Personal liability: board members, for demonstrable failure

Reporting deadlines for incidents:
  • 24h: early warning to the CSIRT or supervisor
  • 72h: incident notification with initial assessment of severity and impact
  • 1 month after the 72h notification: final report with cause, impact and measures taken

Source: NIS2 Directive (EU) 2022/2555, Art. 23 and Art. 34

How to get started

Most organisations start with the same question: do we actually fall under it? The NCSC offers a self-assessment tool to check whether your organisation is designated as essential or important. That's step one.

Step two is a gap analysis. Where do you stand now on NIS2 obligations, and what's missing? This doesn't have to be an expensive consultancy project. An internal team with information security knowledge can map this out in a day or two, if there's already a basic level of documentation.

Step three is prioritising. Not everything has to happen at once. Focus first on the measures with the highest risk reduction: multi-factor authentication, incident response plan, backup and recovery policy, and access management. These are the basic building blocks that supervisors look at first.

Step four is the supply chain. Create an overview of your IT suppliers, set security requirements and formalise them contractually. For larger suppliers, ask for ISO 27001 certification or recent audit reports.

What NIS2 is not

NIS2 is not a destination. It's a minimum requirement. Organisations that only do what the law asks are not necessarily secure. They are compliant. That's not the same thing.

The directive raises the bar higher than before, but the threat continues to evolve. Ransomware, supply chain attacks and state-sponsored cyber espionage don't follow legislative cycles. NIS2 gives you a framework. What you do with it next determines how secure you actually are.

It's also not an IT topic. NIS2 explicitly places responsibility with the board. The director or management is responsible for approving the cybersecurity risk-management measures, overseeing their implementation and ensuring that reporting obligations are met, and board members must themselves follow cybersecurity training. If you delegate that without staying involved, you're personally at risk.

Conclusion

NIS2 is broad, the deadlines are tight and the sanctions are substantial. But the obligations are concrete and achievable. The organisations that start now with a gap analysis, supply chain inventory and incident response plan will be well positioned. The organisations waiting until the Cybersecurity Act has definitively come into force have a problem.

The bottom line: map out whether you fall under it, do a gap analysis, prioritise the basic measures and make sure your board is actively involved. The rest follows.

Need help with NIS2 compliance? See our compliance approach.

See also: GDPR-compliant hosting: what to look for
