Stronger digital resilience

The first NIS directive laid the basis for European cooperation in the field of cybersecurity. However, that approach turned out to be too limited. Only vital sectors were covered by the legislation, while other organizations were also victims of cyber attacks.

With NICHE 2 that is about to change. The directive significantly expands the obligations and ensures that many more organizations must actively demonstrate that they have their information security in order. The goal is clear: the strengthening the digital resilience of the Netherlands. Not just at large institutions, but throughout the chain — from suppliers to service providers.

Who will have to deal with it?

The new directive does not only apply to governments or energy companies. This also includes organizations in sectors such as healthcare, ICT, education, transport, financial services, food and waste management. In addition, NIS2 explicitly focuses on suppliers of these organizations. Do you provide services or software to a party subject to NIS2? Then the requirements also apply to you indirectly.

The directive distinguishes between:

• Essential entities — for example government organizations, telecom, energy or healthcare.
• Major entities — such as ICT service providers, manufacturing companies, data centers and transport companies.

The following applies to both groups: you must demonstrate that you have taken measures to limit cyber risks and can handle incidents effectively.

The Cybersecurity Act (CBW)

In the Netherlands, NIS2 is being translated into national legislation: the Cybersecurity Act (CBW). The effective date is expected the second quarter of 2026, as soon as parliament has finally enacted the law.

The CBW determines which organizations fall under the law, who supervises (such as the Telecom Agency and the sectoral supervisors) and which sanctions can be imposed. Fines can be substantial, but the main goal is awareness and prevention.

No certification, but compliance

There is no official NIS2 certification. However, organizations must be compliant, i.e. demonstrably meet the requirements of the directive and national law.

In concrete terms, this means:

• Structurally identify risks and establish control measures.
• Ensuring governance and responsibility within the board.
• Report incidents to the competent authority within 24 hours.
• Make chain agreements with suppliers about security and reporting.
• Regularly assess whether policies and measures are still effective.

One ISO 27001-certification helps enormously with this. The ISO standard provides a practical framework (ISMS) that already covers many NIS2 requirements. From that foundation, you can add NIS2's specific obligations.

‍

Why you should start now

The introduction of the Cybersecurity Act may seem a long way off, but it takes time to get processes, responsibilities and systems in order. In practice, waiting for the law to take effect often means starting too late.

With a NIS2 check you get insight into the current state of affairs and you can immediately see what steps are needed towards compliance. This way, you can take timely measures and prevent surprises during future audits or supervision.

Get started with NIS2 compliance

NIS2 is important because it strengthens the digital resilience of the Netherlands — not just for large organizations, but for the entire chain. The directive requires structural attention to information security, governance and risks. By already working on NIS2 compliance, you will not only increase your safety, but also the trust of customers and partners.

Schedule a free, no-obligation 45-minute consultation or do the free NIS2 check to discover where your organization is now and what steps are needed towards compliance.

‍