
What does NIS2 mean for Dutch organizations?

The arrival of the NIS2 directive has major implications for organizations in the Netherlands. Whereas cybersecurity was previously seen mainly as an IT topic, it is now becoming a legal obligation and a responsibility at board level. In the Netherlands, the directive is being transposed into the Cyber Security Act (CBW), which is expected to take effect in 2026. But what exactly does that mean for your organization?

This article was last updated on 10/11/2025.

More organizations are covered by NIS2

The first NIS directive applied only to vital sectors, such as energy and telecom. NIS2 goes much further: healthcare institutions, governments, ICT service providers, transport companies, financial institutions and numerous suppliers will soon also fall under the new law. The goal is to strengthen the digital resilience of the entire chain, since a breach at one supplier can have major consequences for the continuity of other parties.

In concrete terms, this means that thousands of organizations in the Netherlands will soon be required to have their information security demonstrably in order.

New obligations under the Cybersecurity Act

The Cyber Security Act (CBW) makes NIS2 legally enforceable in the Netherlands. Covered organizations will be required to meet obligations in the following areas:

  • Risk management: structurally identify risks and take appropriate measures.
  • Governance: directors bear explicit responsibility for cybersecurity and must be able to oversee and approve the measures taken.
  • Incident management: significant incidents must be reported quickly, starting with an early warning within 24 hours of becoming aware of the incident, followed by a more detailed notification within 72 hours.
  • Policies and processes: measures must be established, monitored and continuously improved.
  • Supplier management: suppliers must also demonstrate that they work securely.

The government will supervise compliance through designated agencies. Organizations that fail to comply may face fines and corrective measures.

NIS2 and ISO 27001: together a strong foundation

Many organizations already work with ISO 27001 for information security. That is good news, because ISO 27001 is closely aligned with the requirements of NIS2. An ISO 27001-certified information security management system (ISMS) helps you manage risk, establish policy and be demonstrably compliant.

With a few additional steps, such as specific incident reporting and notification procedures, an ISO 27001 ISMS can be extended to cover most of the requirements of the Cybersecurity Act. Organizations that do not yet have an ISMS can use NIS2 as the occasion to set one up in a structured way.

Demonstrable compliance: no certificate, but evidence

There is no official NIS2 certification, but you do have to show that you comply. This means that your organization must be able to demonstrate, in audits or during supervision, how risks are managed and how security measures are set up. One way to get started is an NIS2 check or NIS2 audit. This gives you insight into the current situation and shows where improvements are needed to become compliant.

For suppliers there is the NIS2 Quality Mark (NIS2 QM), a seal that shows you meet the requirements NIS2 organizations set for their partners. This quality mark increases trust in cooperation and makes it easier to demonstrate that you handle information with care.

The impact in practice

For many organizations, the introduction of NIS2 means that cybersecurity is no longer an afterthought but becomes part of the core of corporate policy. Directors must be knowledgeable about risk, teams must establish processes and suppliers must provide insight into their level of security.

This requires a structural approach in which policy, technology and people come together. An NIS2 implementation is therefore not only an obligation, but also an opportunity to improve processes and reduce risks permanently.

Demonstrated NIS2 compliance

The NIS2 directive is changing the cybersecurity landscape in the Netherlands. Organizations must demonstrably operate securely, directors bear responsibility and chain partners are critically included in the security approach.

By starting an NIS2 check or NIS2 assessment now, you gain insight into where your organization stands and what is needed to become compliant before the Cybersecurity Act takes effect.

Schedule a free, no-obligation 45-minute consultation to discover where your organization stands and how we can help implement NIS2 in the Netherlands.

Kilian Houthuijzen
Commercial manager & partner
085 773 6005
KAM Certificeringen is now Fendix