What is NIS2 and why is it relevant now?
The Network and Information Security Directive 2 (NIS2) is a European directive that significantly strengthens cybersecurity requirements for organizations in critical sectors compared to the original NIS Directive from 2016. NIS2 came into force in October 2024. The Dutch implementation law—the Cybersecurity Act (Cbw)—is currently being prepared and is expected to come into force in 2025–2026.
The goal of NIS2 is to increase the overall cybersecurity level in the EU. The directive does this by imposing a harmonized set of security measures and reporting obligations on a much larger group of organizations than before. Estimates suggest more than 160,000 organizations in the EU fall under NIS2, with a significant portion in the Netherlands.
Does your organization fall under NIS2?
NIS2 distinguishes between essential entities and important entities. The thresholds are: more than 50 employees or an annual turnover exceeding €10 million, and active in one of the designated sectors. Large organizations (>250 employees or >€50m turnover) in Annex I sectors are automatically classified as essential.
Annex I — Essential sectors: energy (electricity, gas, oil, heat, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure (internet access, DNS, TLD, cloud, data centres, CDN, trust services, electronic communications), ICT service management (MSP/MSSP), public administration, space.
Annex II — Important sectors: postal and courier services, waste management, chemical industry, food, manufacturing (medical devices, electronics, machinery, motor vehicles and trailers), digital service providers (marketplaces, search engines, social networks), research institutions.
Unsure whether your organization falls under NIS2? The National Cyber Security Centre (NCSC) and the Dutch Digital Infrastructure Inspectorate (RDI) publish further guidance. A quick scan by a NIS2 expert gives prompt clarity.
The ten core requirements of NIS2
NIS2 prescribes measures in ten areas. Article 21 of the directive is the guiding provision:
1. Policy for risk analysis and information security: A formal, documented policy based on a risk-based approach. This aligns closely with ISO 27001.
2. Incident handling: Procedures for detection, response and recovery from incidents. Significant incidents must be reported to the supervisor within 24 hours (initial notification), followed by a detailed notification within 72 hours and a final report within one month.
3. Business continuity and crisis management: Backup management, disaster recovery plans and a crisis management plan including communication procedures during an incident.
4. Supply chain security: Assessment of the cybersecurity practices of direct suppliers and service providers. This is one of the most challenging requirements for organizations with complex supplier networks.
5. Security in network and information system development and maintenance: Security by design and by default, vulnerability management and patch policy.
6. Assessment of the effectiveness of security measures: Periodic testing and audits to verify that measures actually work. For essential entities, this may include penetration testing.
7. Cyber hygiene and awareness training: Periodic training for employees and executives. NIS2 makes executives explicitly responsible for approving and overseeing security measures.
8. Use of cryptography and encryption: Policy for the use of cryptographic measures in the storage and transmission of sensitive information.
9. Personnel security and access management: Background checks, need-to-know principle and management of access rights.
10. Multi-factor authentication and secure communications: MFA for all internet-accessible systems and for administrative access to critical systems.
Personal liability of board members
One of the most significant aspects of NIS2 is the personal accountability of executives. Article 20 requires the governing bodies of essential and important entities to approve the measures, oversee their implementation and be liable for any breaches. Executives can be temporarily excluded from exercising management functions in case of serious negligence. This makes NIS2 not just an IT matter but a boardroom priority.
Oversight and sanctions
In the Netherlands, multiple authorities will be responsible for NIS2 enforcement, depending on the sector. The Dutch Digital Infrastructure Inspectorate (RDI) will be the central authority for many sectors. Authorities have broad powers: inspections, audits, access to documents and systems.
Sanctions are substantial:
- Essential entities: Maximum EUR 10 million or 2% of global annual turnover (whichever is higher)
- Important entities: Maximum EUR 7 million or 1.4% of global annual turnover
In addition to financial penalties, authorities can also impose temporary measures such as suspending certain activities or publishing findings of non-compliance.
NIS2 versus ISO 27001: what's the difference?
ISO 27001 is an international standard for information security that organizations can voluntarily implement and for which they can be certified. NIS2 is a legal obligation imposed externally on designated organizations. However, the two complement each other excellently: an ISO 27001-certified organization has a solid foundation for NIS2 compliance, but must pay additional attention to NIS2's specific reporting procedures, supply chain requirements, and formal governance obligations.
Practical roadmap for NIS2 compliance
A structured approach prevents you from becoming overwhelmed by the scope of NIS2. Start with a NIS2 quick scan to determine whether your organization falls under the directive and in which category (essential or important). Then conduct a gap analysis: which of the ten requirements are already largely met and which need attention? Next, develop an implementation plan with concrete milestones, responsibilities and a realistic timeline. Also ensure board involvement: NIS2 requires executives to actively oversee cybersecurity — this requires investment in boardroom awareness.