NIS2 for SMEs — when do you fall under it and what should you do?

Many SMEs notice that NIS2 is coming up more and more in conversations with customers, suppliers or trade associations. This is not surprising: the new legislation will soon affect a much larger group of organizations than the old NIS directive did. One question keeps coming back, however: does this also apply to my company? And if so, what exactly do I need to arrange? In this blog we set out when your SME organization falls under NIS2 and how to get started.

This article was last updated on 24.03.2026. Written by Mathijs Oppelaar, Operational Manager & Partner.

1. What exactly is NIS2?

The NIS2 Directive is the renewed European legislation for cybersecurity. The goal is simple: make organizations more resistant to cyber attacks, get incidents reported more quickly and raise digital resilience across Europe. The directive builds on the previous NIS legislation, but takes a broader and stricter approach.

That is why many entrepreneurs are looking for a clear NIS2 explanation: what is NIS2, why is this legislation coming into force, what exactly does NIS2 stand for and when does NIS2 take effect?

In the Netherlands, the directive is implemented through the new Cybersecurity Act. That law was delayed, so its entry into force has been postponed to Q2 2026. The obligations will therefore not apply tomorrow, but the picture is clear: NIS2 is coming, and organizations will soon have to be able to demonstrate that they take cybersecurity seriously.

2. When does your SME fall under NIS2?

Many SMEs ask themselves: when is NIS2 mandatory for me? The answer starts with the sectors. The directive distinguishes two groups: essential sectors and important sectors. Think of healthcare, energy, ICT service providers, transport companies, water management, cloud providers and digital infrastructure.

In addition, NIS2 looks at size:

  • more than 50 employees, or
  • more than 10 million euros in turnover.

In that case you are in principle subject to the legislation, unless you operate in a sector that is not covered. But for SMEs one category in particular is crucial: suppliers in the chain.

Do you, for example, supply network hardware components to a hospital? Then you can still fall under the NIS2 legislation, because your services have a direct impact on the continuity of others. This will be the largest group among SMEs.

3. How do you know who NIS2 applies to?

There is no magic checklist. But you can ask yourself three honest questions:

  1. Do we provide products or services that others depend on for their continuity? Think of applications, cloud environments, security services, infrastructure, hosting or integrations.
  2. Are we part of a chain that includes companies subject to NIS2? Large organizations will impose requirements on their suppliers. Even if you are not officially covered by the law yourself, you may be required to take NIS2-like measures.
  3. Would an outage of our organization pose a major business or societal risk? For example, because of critical functions, large customer volumes or a strong dependence on your services.

If you answer "yes" to any of these questions, there is a good chance that you will have to deal with the NIS2 directive, either directly or through chain responsibility.

4. What should you do if you fall under NIS2?

The question "how do I comply with NIS2?" usually gets a long answer, but if we keep it brief, it comes down to five parts. In any case, if you are a NIS2 entity, you must register your organization as one (registration requirement).

1. Risk analysis and policy

Insight into threats, vulnerabilities and measures. NIS2 expects organizations to assess risks structurally and to draw up policy. Read here how to carry out a risk analysis.

2. Technical security

From patch management and monitoring to access control, encryption and detection. The directive is strict on basic security. An ISO 27001 implementation covers a lot of this; you can read more about it in our white paper.

3. Notification obligation in case of incidents

Within 24 hours, you must report serious incidents to the National Cyber Security Center (or the relevant supervisor).

4. Training and awareness

Employees are a major risk factor, so the law makes awareness a mandatory component, for example through Guardey.

5. Supplier management and chain responsibility

You must demonstrate that suppliers do not weaken your cybersecurity level. This affects almost every SME.

ISO 27001 fits in with this logically. It offers structure, demonstrability and a good basis for compliance.

5. What does NIS2 mean in concrete terms for you as an SME?

Even if your company does not formally fall under the NIS2 legislation, you will still have to deal with it. Large organizations pass the requirements on to their suppliers. Cyber insurers are becoming more critical. Quotations and tenders increasingly ask for proof of cybersecurity measures.

In short: NIS2 affects SMEs either way, either as an obligation or as a market development.

6. How to get started with NIS2?

Start small, start smart. A free gap analysis is a logical first step. It gives you immediate insight into where you stand and which measures are necessary. This is followed by the implementation: documentation, processes, technology, training and supplier management, everything you need to comply with the NIS2 directive.

For demonstrability you can, for example, opt for ISO 27001 as an information security framework, with which you can cover NIS2 (read here about the differences and similarities with NIS2), or for the NIS2 Supply Chain Certificate. This way you are transparent towards customers and ready for the future.

The NIS2 for SMEs

NIS2 sounds big and complicated, but for most SMEs it comes down to three things:

  • Organize your security.
  • Define clear processes and responsibilities.
  • Demonstrate that you take cybersecurity seriously.

Whether or not you are formally covered by the law, now is the time to make your organization more resilient and ready for the future.

Free consultation

Do you want to know for sure where your organization stands? Schedule an informal consultation. Together we look at where the risks lie and which steps are necessary, and we guide you in implementing them smartly and practically.

Would you prefer to keep reading on your own? Our news & insights page is full of useful explanations, downloads and practical examples.
