What is NIS2 and what does it mean for you?
The NIS2 Directive (Network and Information Security 2) is the EU's updated cybersecurity legislation, replacing the original NIS Directive from 2016. It significantly expands the scope of organisations required to implement cybersecurity measures and report incidents.
NIS2 applies to medium and large organisations across 18 critical sectors. It introduces mandatory security requirements based on Article 21, covering everything from risk analysis and incident handling to supply chain security and encryption.
Non-compliance carries substantial fines and, crucially, NIS2 makes management bodies personally accountable for ensuring cybersecurity measures are implemented.
🇳🇱 Netherlands Context
The Netherlands is transposing NIS2 into the Cyberbeveiligingswet (Cbw), targeting entry into force on 1 July 2026. The bill is currently in Tweede Kamer debate. The Rijksinspectie Digitale Infrastructuur (RDI) will be the primary regulator. Key dates: 1 July 2026 (Cbw in force), 1 January 2027 (basic compliance required), 1 July 2027 (first reporting deadline). Note: phased enforcement is likely — different provisions may take effect at different times, and a shortened transition period is expected given the significant delay past the original Oct 2024 deadline. Do not assume a long grace period.
Key changes from previous regime
- The Cbw replaces the Wet beveiliging netwerk- en informatiesystemen (Wbni) with significantly broader scope
- Approximately 8,000 Dutch organisations will fall under NIS2, compared to ~350 under Wbni
- Management bodies are personally liable for ensuring compliance (Art. 20)
- Fines up to €10M or 2% of global turnover for essential entities, €7M or 1.4% for important entities
- Mandatory incident reporting to NCSC within 24 hours (early warning) and 72 hours (full notification)
The 10 NIS2 Security Requirements
Article 21 of NIS2 defines 10 areas of cybersecurity measures that organisations must implement.
Risk Analysis & Information Security Policies
NIS2 requires organisations to establish and maintain documented policies for risk analysis and information system security. Senior management must approve these policies and take active accountability for cybersecurity risk management.
- Draft and formalise an information security policy aligned with ISO 27001 or a national framework
- Establish a risk assessment methodology and conduct an initial assessment
- Create a risk register with treatment decisions and assigned owners
- Set an annual policy review schedule with defined ownership
- Implement regular cybersecurity reporting to the management body
Incident Handling
Organisations must have documented incident response procedures with clear roles, 24/7 detection capability, and the ability to notify the relevant CSIRT within NIS2 timeframes (24h early warning, 72h full notification, 1-month final report).
- Develop an incident response plan covering detection, triage, containment, eradication, and recovery
- Define an incident response team with named roles and escalation procedures
- Implement continuous monitoring through a SIEM or managed detection service
- Schedule annual tabletop exercises and document lessons learned
- Pre-draft CSIRT notification templates aligned with NIS2 timelines
Business Continuity & Crisis Management
Organisations must maintain business continuity and disaster recovery plans, ensure critical systems are backed up with tested restoration, and have a crisis management framework with clear decision-making authority.
- Develop a business continuity plan (BCP) and IT disaster recovery plan (DRP)
- Conduct a business impact analysis to identify critical functions and dependencies
- Implement automated backups with off-site storage and quarterly restoration tests
- Schedule annual BCP/DRP tests including failover drills
- Establish a crisis management team with defined authority levels and communication templates
Supply Chain Security
NIS2 requires organisations to manage security risks from their supply chain, including maintaining supplier inventories, embedding cybersecurity requirements in contracts, and conducting due diligence assessments.
- Create and maintain a supplier register classified by criticality
- Update supplier contracts with cybersecurity clauses, breach notification, and audit rights
- Implement a supplier security assessment process with standardised questionnaires
- Establish ongoing supplier monitoring and threat intelligence tracking
- Develop contingency plans for critical supplier failures
Network & Information Systems Security
Security requirements must be integrated into system acquisition, development, and maintenance. Organisations need vulnerability management programmes, secure development practices, and coordinated vulnerability disclosure policies.
- Integrate security requirements into procurement and SDLC processes
- Deploy vulnerability scanning tools with defined patch management SLAs
- Adopt a secure SDLC framework with security activities at each development phase
- Create and publish a vulnerability disclosure policy (security.txt)
- Apply CIS Benchmarks or equivalent hardening guides to all systems
Effectiveness Assessment
Organisations must have policies and procedures to measure and assess the effectiveness of their cybersecurity controls, including regular audits, penetration testing, and a continuous improvement loop.
- Define cybersecurity KPIs and implement measurement dashboards
- Schedule annual cybersecurity audits (internal or external)
- Engage qualified penetration testers for annual assessments of critical systems
- Implement a findings tracker with owners, deadlines, and management reporting
- Establish a formal lessons-learned process after incidents, audits, and tests
Cyber Hygiene & Training
All employees must receive cybersecurity awareness training. NIS2 Article 20 explicitly requires management body members to undergo cybersecurity training. Organisations should also conduct phishing simulations and enforce basic cyber hygiene.
- Implement a cybersecurity awareness training programme with annual refreshers
- Provide tailored training for management body members (NIS2 Art. 20 requirement)
- Deploy phishing simulations at least quarterly
- Define and enforce a cyber hygiene policy with technical controls
- Provide role-based security training for staff in critical positions
Cryptography & Encryption
Organisations must have policies governing the use of cryptography, ensure data is encrypted at rest and in transit, manage cryptographic keys securely, and phase out deprecated algorithms.
- Draft a cryptography policy specifying approved and prohibited algorithms
- Enable encryption at rest using AES-256 for all sensitive data stores
- Enforce TLS 1.2+ on all external-facing services
- Implement a key management solution with defined lifecycle procedures
- Audit all systems for deprecated algorithms and create a migration plan
HR Security, Access Control & Asset Management
NIS2 requires a complete IT asset inventory, role-based access control with least privilege, regular access reviews, and formal onboarding/offboarding procedures with appropriate background checks.
- Implement an asset inventory covering all hardware, software, and data assets
- Review and implement role-based access control (RBAC) with least privilege
- Conduct periodic access reviews (quarterly for privileged, semi-annually for standard)
- Define which roles require background checks and integrate into hiring
- Document onboarding and offboarding checklists with automated deprovisioning
Multi-Factor Authentication & Secure Communications
MFA must be enforced for all critical systems, administrative accounts, and remote access. Organisations need secured communication channels and an out-of-band emergency communication system for cyber incidents.
- Deploy MFA across all critical systems, prioritising phishing-resistant methods (FIDO2)
- Enable MFA on all remote access points (VPN, cloud, remote desktop)
- Deploy end-to-end encrypted solutions for sensitive communications
- Establish an out-of-band emergency communication channel
- Review authentication mechanisms annually against current threats