NIS2 for SMEs – when does it apply to you and what do you need to do?

Many SMEs are noticing that NIS2 is coming up more and more often in conversations with customers, suppliers, or industry organizations. That's not surprising: the new legislation will soon affect a much larger group of organizations than the old NIS Directive. Nevertheless, one question keeps coming up: does this also apply to my company? And if so, what exactly do I need to do? In this blog, we will outline everything you need to know so that you understand when your SME falls under NIS2 and how to get started.
This article was last updated on December 11, 2025.

1. What exactly is NIS2?

The NIS2 Directive is the updated European legislation on cybersecurity. Its goal is simple: to ensure that organizations are better equipped to withstand cyberattacks, that incidents are reported more quickly, and that digital resilience across Europe is improved. The directive builds on the previous NIS legislation, but takes a broader and more stringent approach.

Many entrepreneurs are therefore looking for clear explanations of NIS2: what is NIS2, why is this legislation being introduced, what exactly does NIS2 stand for, and when will NIS2 come into effect?

The directive has been incorporated into the new Cybersecurity Act in the Netherlands. That act was delayed, postponing its entry into force until Q2 2026. So the obligations will not apply tomorrow, but the status is clear: NIS2 is coming, and organizations will soon have to demonstrate that they take cybersecurity seriously.

2. When does your SME fall under NIS2?

Many SMEs are wondering: when will NIS2 become mandatory for me? The answer starts with the sectors. The directive distinguishes between two groups: essential sectors and important sectors. These include healthcare, energy, ICT service providers, transport companies, water management, cloud providers, and digital infrastructure.

In addition, NIS2 considers size:

  • more than 50 employees, or
  • more than 10 million euros in revenue.

If you meet either threshold, you are in principle subject to the legislation, unless your sector is not covered. But for SMEs, one category in particular is crucial: suppliers in the chain.

Are you, for example, a hardware supplier of network components to a hospital? Then you may still fall under the NIS2 legislation, because your services have a direct impact on the continuity of others. This will be the largest group within the SME sector.

3. How do you know who NIS2 applies to?

There is no magic checklist. But you can ask yourself three honest questions:

  1. Do we provide products or services that others depend on for their continuity? Think of applications, cloud environments, security services, infrastructure, hosting, or connections.
  2. Are you part of a chain that includes companies that are subject to NIS2? Large organizations will impose requirements on their suppliers. Even if you are not officially subject to the law yourself, you may still be required to implement NIS2-like measures.
  3. Would it be a major risk, for the economy or for society, if your organization went down? For example, because of critical functions, large customer volumes, or strong dependence on your services.

If you answer "yes" to any of these questions, there is a good chance that you will be affected by the NIS2 Directive (either directly or due to chain responsibility).

4. What should you do if you fall under NIS2?

The question "how do I comply with NIS2?" often gets a long answer, but if we want to keep it concise, it boils down to five components, plus the registration requirement: if your organization is an NIS2 entity, you must register it as such.

1. Risk analysis and policy

Understanding threats, vulnerabilities, and measures. NIS2 expects organizations to assess risks structurally and draw up policies. Read here how to perform a risk analysis.

2. Technical security

From patch management and monitoring to access management, encryption, and detection. The directive is strict when it comes to basic security. Much of this can be addressed with an ISO 27001 implementation—you can read more about this in our white paper.

3. Obligation to report incidents

Serious incidents must be reported to the National Cyber Security Center (or the relevant supervisory authority) within 24 hours.

4. Training and awareness

Employees are a significant risk factor, so the law makes awareness a mandatory component, for example through Guardey.

5. Supplier management and chain responsibility

You must demonstrate that suppliers do not weaken your cybersecurity level. This affects virtually every SME.

ISO 27001 is a logical extension of this. It provides structure, demonstrability, and a solid basis for compliance.

5. What does NIS2 mean for you as an SME?

Even if your company is not formally subject to NIS2 legislation, you will still have to deal with it. Large organizations pass on the requirements to suppliers. Cyber insurers are becoming more critical. Quotations and tenders increasingly require proof of cybersecurity measures.

In short: NIS2 will affect SMEs in any case, either as an obligation or as a market development.

6. How to get started with NIS2?

Start small, start smart. A free gap analysis is a logical first step. It gives you immediate insight into where you stand and what measures are needed. Then comes implementation: documentation, processes, technology, training, supplier management—everything you need to comply with the NIS2 directive.

For demonstrable compliance, you could opt for ISO 27001 as a framework for information security, which lets you cover NIS2 (read about the differences and similarities with NIS2 here), or for the NIS2 Quality Mark. This ensures transparency towards customers and prepares you for the future.

NIS2 for SMEs

NIS2 sounds big and complicated, but for most SMEs it boils down to three things:

  • Get your security in order.
  • Establish clear processes and responsibilities.
  • Demonstrate that you take cybersecurity seriously.

Whether or not you are formally covered by the law, now is the time to make your organization more resilient and prepare it for the future.

Want to know exactly where your organization stands? Schedule a no-obligation consultation below. Together, we will identify the risks, determine the necessary steps, and guide you in implementing them in a smart and practical way.

Would you prefer to read more yourself? Our news & insights page is full of useful explanations, downloads, and practical examples.

Mathijs Oppelaar
Operations manager & partner