What are the main goals of NIS2?

The NIS2 Directive is more than just new legislation. It is an important European initiative to strengthen the digital resilience of organizations. With more and more cyber threats, having your security in order is no longer a luxury; it's a necessity. In the Netherlands, NIS2 is being translated into the Cybersecurity Act (CBW), which is expected to take effect in 2026 (second quarter). But what exactly does NIS2 want to achieve, and why is that so important?

This article was last updated on 24.03.2026
Written by Mathijs Oppelaar, Operational Manager & Partner

1. A higher level of cybersecurity across Europe

The first NIS directive from 2016 was a good start, but not sufficient. NIS2 provides a uniform level of cybersecurity within all EU member states. This means that organizations in the Netherlands, Germany or France must meet similar requirements when it comes to information security, incident response and risk management. This is good news for international companies: there will be more clarity and consistency. The goal is that the digital economy is better protected against cyber threats, no matter where you're active.

 

2. More organizations under supervision

Where the original NIS was limited to vital sectors such as energy and water, NIS2 expands its scope considerably. It now also includes healthcare institutions, ICT service providers, transport companies, financial institutions and even suppliers. The idea behind this is simple: the chain is only as strong as its weakest link. A leak at a supplier can have major consequences for an entire sector. By bringing more organizations under supervision, the chain as a whole becomes safer.

 

3. Clear responsibilities for directors

An important new element within NIS2 is the focus on administrative responsibility. In addition to approving policies, management must be actively involved in risk assessments, decision-making, and incident management. In other words: information security becomes an administrative theme, not just something for the IT department. The purpose of this is that cybersecurity is structurally included in the strategy and daily practice of organizations.

 

4. Compulsory risk management and continuity

NIS2 requires organizations to identify, assess and manage structural risks. That goes beyond technical security. Think of processes, employee awareness, supplier management and communication in the event of incidents. The goal is for organizations to continuously understand their risks and take measures to limit the consequences of incidents. A well-designed management system, for example according to ISO 27001, fits in perfectly with this and helps to meet the requirements of NIS2.

 

5. Duty to report and cooperation in case of incidents

NIS2 introduces a stricter reporting obligation: significant incidents must be reported to the supervisor within 24 hours. In doing so, the EU wants to gain faster insight into threats and patterns so that it can better respond to new risks. In addition, the directive encourages cooperation between countries, sectors and organizations. By sharing information about cyber threats, incidents can be prevented earlier.

 

6. Demonstrable compliance through the Cybersecurity Act

There will be no official NIS2 certification, but organizations must demonstrate that they are compliant. The Cybersecurity Act (CBW) specifies who falls under the obligations, how supervision takes place and what the penalties are in case of negligence. The plan is for the law to be introduced in the course of 2026, after which supervisors will actively monitor. The goal is to encourage organizations to structurally organize their security. A NIS2 assessment helps to determine where your organization is now and what measures are still missing towards compliance.

 

7. A culture of awareness and collaboration

Perhaps the most important goal of NIS2: a cultural change. Cybersecurity should not be a topic that only comes up after an incident, but should be part of the daily way of working. By raising awareness and stimulating cooperation inside and outside the organization, the digital society becomes safer for everyone.

 

Taking responsibility

The NIS2 directive is not just about rules, but about responsibility. By emphasizing risk management, governance and chain safety, NIS2 helps organizations to work in a structurally safer way.

 

If you start a NIS2 implementation now, you will avoid haste when the Cybersecurity Act becomes mandatory. A free NIS2 check immediately shows where your organization stands and how you can take targeted steps towards compliance.

 

Schedule a free, no-obligation 45-minute consultation to gain insight into the current state of your cybersecurity.
