⚠️ The Dutch Cybersecurity Act (NIS2) is expected to come into force on 1 July 2026 — an implementation engagement takes an average of 4-6 months. Start now to be compliant in time.


NIS2 Compliance Consultant for SMEs

NIS2 status (April 2026): the directive has been in force since 17 October 2024. The Dutch transposition law — the Cyberbeveiligingswet — was adopted by the House of Representatives on 15 April 2026 and is now in the Senate phase. Supervisors have already started monitoring; director accountability is mandatory.

The Dutch Cybersecurity Act — the Dutch implementation of the European NIS2 directive — is expected to come into force in Q2 2026. Essential and important entities must then demonstrably comply with duty of care, notification obligation and supply chain security. In case of non-compliance, essential organisations risk fines of up to €10 million. We carry out the gap analysis and guide your organisation step by step towards full NIS2 compliance.

NIS2 compliance

What is NIS2?

NIS2 (Network and Information Systems Directive 2) is the successor to the original NIS directive and imposes mandatory cybersecurity requirements on a much broader group of organisations in Europe. The directive has been transposed into national legislation in the Netherlands via the Dutch Cybersecurity Act, expected in 2026.

NIS2 applies to organisations in 18 sectors, divided into essential entities (energy, transport, finance, healthcare) and important entities (post, waste management, digital infrastructure, manufacturing). Medium-sized and large organisations almost always fall under the directive.

What does NIS2 require?

NIS2 imposes four main obligations:

  • Risk management measures: Organisations must implement appropriate technical, operational and organisational security measures — including incident response, supply chain security, access control and encryption.
  • Notification obligation: Significant incidents must be reported within 24 hours to the competent authority (initial notification), followed by a comprehensive report within 72 hours.
  • Director liability: Executives are personally liable for NIS2 compliance. Fines can amount to €10 million or 2% of global annual turnover.
  • Supply chain security: Organisations must also manage the cybersecurity risks of their suppliers and service providers.

Overlap with ISO 27001

NIS2 and ISO 27001 have a large overlap: an ISMS that complies with ISO 27001:2022 covers a substantial part of the NIS2 requirements. We help you maximise the overlap so that with one engagement you achieve both certification and legal compliance.

Our NIS2 approach

  • Scope determination: Assessment of whether and how your organisation falls under NIS2
  • Gap analysis: Comparison of your current security with the NIS2 requirements
  • Implementation: Establish security measures, procedures and notification processes
  • Evidence & documentation: Demonstrable compliance via our GRC Platform

NIS2-compliant by 2026?

Schedule a no-obligation consultation. We analyse your NIS2 scope, conduct a gap analysis and guide you towards full compliance — including notification processes and director reporting.


Who falls under NIS2?

The Dutch Cybersecurity Act (Dutch implementation of NIS2) applies to essential and important entities. Essential sectors include energy, transport, drinking water, banking, digital infrastructure and public administration. Important sectors include post, waste management, chemical industry, food production and digital service providers. Organisations with 50+ employees or €10+ million turnover fall within scope. The Netherlands expects approximately 8,000 organisations to fall directly under the law.

The 10 Basic Measures

NIS2 requires at least 10 controls: risk analysis and information security policy, incident handling, business continuity and crisis management, supply chain security, security of procurement/development, cybersecurity training, cryptography, personnel security and access control, multi-factor authentication and secure communication. These measures must be state-of-the-art and proportionate to the risk.

Differences from NIS1

Compared to NIS1, the scope is significantly broader (more sectors, more medium-sized companies), personal director liability has been introduced, and stricter notification deadlines apply: an initial notification must be made within 24 hours, followed by a comprehensive notification within 72 hours. Fines can amount to 10 million euros or 2% of global annual turnover for essential entities.

Frequently Asked Questions

When must I be NIS2-compliant?

The Dutch Cybersecurity Act comes into force in phases in 2026. Organisations would be wise to start with the gap analysis now and draw up an implementation roadmap, so that registration and audit readiness are arranged in time.

What are the fines under NIS2?

For essential entities, fines amount to 10 million euros or 2% of global annual turnover (whichever is higher). For important entities, 7 million euros or 1.4% applies. Executives can be held personally liable for negligence.

How do I know if my organisation falls under NIS2?

Through a scope determination we look at sector, number of employees, turnover and dependencies in your supply chain. In a session we determine whether you are essential, important or out-of-scope, and what obligations follow.
