Information Security

Why is NIS2 important for organizations in the Netherlands?

Cyber threats are increasing every day. From ransomware to data breaches, the impact on organizations is significant. The NIS2 Directive is the European response to that growing threat. In the Netherlands, it will be translated into the Cyber Security Act (CBW), which is expected to take effect in the second quarter of 2026. But why is NIS2 actually so important? And what does it mean concretely for your organization?
This article was last updated on 10/11/2025

Stronger digital resilience

The first NIS directive laid the foundation for European cooperation in cybersecurity. Yet that approach proved too limited. Only vital sectors were covered by the legislation, while other organizations also became victims of cyber attacks.

With NIS2, that will change. It greatly expands the obligations and ensures that many more organizations must actively demonstrate that they have their information security in order. The goal is clear: to strengthen the digital resilience of the Netherlands. Not only at large institutions, but throughout the chain - from suppliers to service providers.

Who will have to deal with it?

The new directive does not only apply to governments or energy companies. It also covers organizations in sectors such as healthcare, ICT, education, transportation, financial services, food and waste management. In addition, NIS2 explicitly targets suppliers to these organizations. Do you provide services or software to a party subject to NIS2? Then the requirements indirectly apply to you as well.

The directive distinguishes between:

  • Essential entities - for example, government organizations, telecom, energy or healthcare.
  • Key entities - such as ICT service providers, manufacturing companies, data centers and transportation companies.

For both groups, you need to demonstrate that you have taken measures to mitigate cyber risks and can handle incidents effectively.

The Cybersecurity Act (CBW)

In the Netherlands, NIS2 is being translated into national legislation: the Cyber Security Act (CBW). The effective date is expected to be the second quarter of 2026, once the law is finalized by parliament.

The CBW determines which organizations are covered by the law, who supervises (such as the Telecom Agency and sectoral regulators) and what penalties can be imposed. Fines can be substantial, but the main goal is awareness and prevention.

No certification, but compliance

There is no official NIS2 certification. However, organizations must be compliant: they must demonstrably meet the requirements of the directive and national law.

Concretely, this means:

  • Structurally identify risks and establish control measures.
  • Embed governance and accountability at board level.
  • Report incidents to the appropriate authority within 24 hours.
  • Establish chain agreements with suppliers on security and reporting.
  • Regularly review whether policies and measures are still effective.

An ISO 27001 certification helps tremendously in this regard. The ISO standard provides a practical framework (ISMS) with which you already cover many NIS2 requirements. From that foundation, you can add the specific obligations of NIS2.

Why you should start now

Implementing the Cybersecurity Act may seem a long way off, but it takes time to get processes, responsibilities and systems in place. In practice, waiting until the law is in place often means starting too late.

With an NIS2 assessment, you gain insight into the current state of affairs and see immediately what steps are needed towards compliance. This allows you to take timely measures and avoid surprises during future audits or supervision.

Start with NIS2 compliance

NIS2 is important because it strengthens the digital resilience of the Netherlands - not only for large organizations, but for the entire chain. It calls for structural attention to information security, governance and risk. By working on NIS2 compliance now, you not only increase your security, but also the trust of customers and partners.

Schedule a free, no-obligation 45-minute consultation or take the free NIS2 check to find out where your organization stands now and what steps are needed toward compliance.

Kilian Houthuijzen
Commercial manager & partner
085 773 6005