With ever more elements of our lives guided by digital interactions, opportunities arise for cyber criminals to disrupt essential services and industries. The European Union’s cybersecurity agency ENISA found that 53.7% of recorded cyberattacks in the EU during 2025 were targeting public administration, transport, digital infrastructure and services, finance or manufacturing.
The majority of attacks used phishing (60%) – where criminals pretend to be trusted parties to deceive users into sharing sensitive information – and exploiting vulnerabilities (21.3%) as access vectors, showing why having strict protections in place is so important.
Due to this growing threat, the European Commission introduced an update to 2016’s Network and Information Systems Directive in 2024. The original law required companies in selected sectors to implement security measures and report incidents. NIS2 expanded the scope and strengthened enforcement, obliging relevant companies to reduce risk and improve security.
This article explores how the law is implemented in the Netherlands, how it interacts with the Cybersecurity Act and how to comply with your obligations.
Key takeaways
- NIS2 responds to a rise in EU cyberattacks by expanding the number of in-scope sectors and requiring a risk-based security framework that matches the criticality of your services.
- In-scope organisations must strengthen core controls across incident handling, business continuity, supply chain security, secure-by-design systems, testing, training, encryption and access control for key systems.
- NIS2 tightens incident reporting with staged deadlines, typically an early warning within 24 hours, a notification within 72 hours and a final report within one month, plus updates and customer notifications where disruption is likely.
- Dutch implementation will flow through the Cyberbeveiligingswet, with NIS2 expected to apply in practice from Q2 2026 and with regulators able to request evidence and supervise compliance.
- The EU Cybersecurity Act complements NIS2 by providing EU-wide cybersecurity certification schemes that can help you demonstrate assurance over ICT products and suppliers, but it does not replace your governance duties.
- NIS2 makes cybersecurity a board-level responsibility by requiring management body oversight and allowing significant sanctions for non-compliance, including major fines and potential restrictions on individuals in senior roles.

What is the NIS2 Directive?
The NIS2 Directive creates a framework to strengthen cybersecurity across important and essential sectors within the EU.
Adding to the original NIS Directive, it imposes obligations on around 160,000 in-scope organisations to:
- Undertake a risk management approach to build a security framework that is proportionate to their risk level and the criticality of their services.
- Ensure they have the following in place:
  - Risk analysis and security policies
  - Incident prevention, detection and response processes
  - Business continuity (backups, disaster recovery, crisis management)
  - Supply chain and supplier security controls
  - Security in acquisition, development and maintenance of systems (so they are secure by design)
  - Testing and assurance (for example, audits, assessments, tabletop exercises)
  - Basic cyber hygiene and staff training
  - Cryptography and encryption where appropriate
  - Access control and identity management (including strong authentication for key systems).
- Report significant incidents to the relevant national authority or Computer Security Incident Response Team (CSIRT) using staged reporting, typically:
  - Early warning within 24 hours of becoming aware
  - Notification within 72 hours
  - Final report within one month
  - Plus intermediate updates where required.
- Inform affected service recipients when an incident is likely to disrupt service or materially impact them.
- Cooperate with competent authorities and keep evidence to show to regulators.
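The staged reporting timeline above is easy to lose track of during a live incident, so an incident response team will usually want the deadlines computed rather than remembered. The tracker below is an added example written for this article; it is not code from the original page or from any product the page mentions. It assumes the clocks start at the moment of becoming aware and that "one month" means 30 days; both are constructed assumptions that should be checked against the final text of the Cyberbeveiligingswet, which may define the periods differently. The sample incident it runs on is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Staged deadlines as the article summarises them ("typically"). Each window
# is counted from the moment the organisation becomes aware of the incident.
# ASSUMPTION: "one month" is modelled as 30 days; the Dutch Cbw may define
# these periods differently, so verify this table against the legal text.
STAGES = (
    ("early_warning", timedelta(hours=24)),
    ("notification", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
)


@dataclass(frozen=True)
class StageStatus:
    stage: str
    due: datetime
    submitted: Optional[datetime]
    state: str               # "on_time", "late", "overdue" or "pending"
    hours_remaining: float   # negative once the deadline has passed


def _require_utc(ts: datetime, name: str) -> datetime:
    """Reject naive timestamps: a deadline measured in hours is only safe to
    compute when every timestamp carries a timezone. Normalise to UTC."""
    if ts.tzinfo is None:
        raise ValueError(f"{name} must be timezone-aware")
    return ts.astimezone(timezone.utc)


def compute_deadlines(aware_at: datetime) -> dict:
    """Return the due time of every reporting stage for one incident."""
    aware_at = _require_utc(aware_at, "aware_at")
    return {stage: aware_at + window for stage, window in STAGES}


def report_status(aware_at: datetime, submissions: dict, now: datetime) -> list:
    """Classify each stage given what has actually been sent so far.

    submissions maps a stage name to the time that report was submitted.
    A stage that was sent after its deadline is flagged "late" so the
    evidence record shows the slip rather than hiding it.
    """
    now = _require_utc(now, "now")
    result = []
    for stage, due in compute_deadlines(aware_at).items():
        sent = submissions.get(stage)
        if sent is not None:
            sent = _require_utc(sent, stage)
            state = "on_time" if sent <= due else "late"
        else:
            state = "overdue" if now > due else "pending"
        remaining = (due - now).total_seconds() / 3600
        result.append(StageStatus(stage, due, sent, state, remaining))
    return result


def next_action(statuses: list) -> Optional[StageStatus]:
    """Earliest unsubmitted stage, or None when every report is in.
    Overdue stages naturally sort first because their due time is earliest."""
    open_stages = [s for s in statuses if s.submitted is None]
    return min(open_stages, key=lambda s: s.due, default=None)


def sample_incident():
    """Constructed sample: aware at 09:00 UTC on 1 April 2026; the early
    warning went out the same evening; nothing else has been sent yet."""
    aware = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
    sent = {"early_warning": datetime(2026, 4, 1, 20, 0, tzinfo=timezone.utc)}
    now = datetime(2026, 4, 5, 10, 0, tzinfo=timezone.utc)
    return aware, sent, now


if __name__ == "__main__":
    statuses = report_status(*sample_incident())
    for s in statuses:
        print(f"{s.stage:<14} due {s.due:%Y-%m-%d %H:%M}Z  "
              f"{s.state:<8} {s.hours_remaining:+.0f} h")
    nxt = next_action(statuses)
    print("next action:", nxt.stage if nxt else "none")
```

Run against the sample, the tracker reports the early warning as on time, the 72-hour notification as overdue by 25 hours and the final report as pending with 623 hours left, and names the notification as the next action. Rejecting naive timestamps is deliberate: a 24-hour clock started from a local wall-clock time and compared against a UTC timestamp can silently gain or lose an hour.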
The update to the law brought more sectors into scope, with medium and large companies in these areas having to comply. It also allowed member states to apply the directive to smaller organisations with a high-risk profile. Additionally, it made organisations’ governing bodies liable for breaches by the entity.
Organisations will now be responsible for addressing cybersecurity risks in their supply chains and national authorities have more scope to supervise implementation and carry out enforcement.
The NIS2 Directive will come into force in the Netherlands from the second quarter of 2026.
Definitions
Here are some terms that you might encounter in your approach to NIS2 and Cybersecurity Act compliance.
| Term | Brief definition |
| --- | --- |
| NIS2 | The EU Network and Information Security Directive that sets cyber risk management and incident reporting duties for in-scope organisations (classified as essential or important entities). |
| NIS (NIS1) | The earlier EU cybersecurity directive that first introduced baseline security measures and incident reporting for certain operators of essential services and digital service providers, later expanded and strengthened by NIS2. |
| Essential entity | A higher-criticality organisation under NIS2 (typically in sectors like energy, transport, health, digital infrastructure). Authorities supervise these more closely and can apply stronger enforcement. |
| Important entity | An organisation in scope of NIS2 that still has major obligations, but is generally subject to lighter, more reactive supervision than essential entities. |
| Single point of contact (SPOC) | The national coordination function that helps manage NIS2 communication and cooperation across authorities and with other EU countries. |
| CSIRT | A Computer Security Incident Response Team that helps organisations handle incidents and also receives incident notifications under NIS2. |
| NCSC (Netherlands) | The National Cyber Security Centre (Nationaal Cyber Security Centrum), which plays a central role in national cyber coordination and expertise in the Netherlands, including incident response support functions. |
| Cyberbeveiligingswet (Cbw) | The Dutch law intended to implement NIS2 in the Netherlands. |
| Significant incident | A cyber incident that has a material impact, such as serious service disruption or major operational or financial effect, which triggers NIS2 reporting duties. |
| Incident reporting (early warning and notification) | NIS2 requires staged reporting of significant incidents, starting quickly after detection and then followed by more complete reporting as facts become clearer. |
| ENISA | The EU Agency for Cybersecurity, which supports Member States and EU institutions with guidance, coordination, and cybersecurity capability building. |
| EU Cybersecurity Act | The EU regulation that strengthened ENISA’s mandate and created an EU-wide cybersecurity certification framework for ICT products, services, and processes. The European Commission has proposed a new Act to further provide resilience against the “daily cyber and hybrid attacks on essential services and democratic institutions” that Europe experiences. |

Which organisations does NIS2 apply to?
NIS2 applies to organisations in “essential” and “important” sectors, as designated in Annex I and Annex II of the directive, and which meet any of the following criteria:
- A medium-sized organisation with at least 50 employees or an annual turnover or balance sheet total over €10 million. This counts as an important entity.
- A large organisation with more than 250 employees or a net turnover of over €50 million and a balance sheet total of more than €43 million. This counts as an essential entity.
- A micro or small business carrying out any of the following tasks:
  - Trust service providers
  - Top-level domain name registries
  - Domain name registration service providers
  - Providers of public electronic communication networks
  - Providers of publicly available electronic communications services.
- A micro or small business carrying out services integral to society or the Dutch economy
- A government organisation active in any of the sectors highlighted.
The in-scope sectors are split into “high criticality” and “other critical sectors” in this manner:
- High criticality
  - Energy
  - Transport
  - Banking
  - Financial markets infrastructures
  - Health
  - Drinking water
  - Waste water
  - Digital infrastructure
  - ICT service management (business-to-business)
  - Public administration
  - Space
- Other critical sectors
  - Postal and courier services
  - Waste management
  - Manufacture, production and distribution of chemicals
  - Production, processing and distribution of food
  - Manufacturing
  - Digital providers
  - Research
Relationship between NIS2 and the EU Cybersecurity Act
| Topic | NIS2 (Directive (EU) 2022/2555) | EU Cybersecurity Act (Regulation (EU) 2019/881) | How they relate in practice |
| --- | --- | --- | --- |
| Main purpose | Raises the baseline for cybersecurity risk management, incident reporting, governance and supervision for in-scope organisations. | Creates an EU-wide cybersecurity certification framework and strengthens ENISA’s role. | NIS2 tells you what outcomes you must achieve. The Cybersecurity Act provides one EU toolset (certification) that can help you prove and standardise security controls. |
| Who it applies to | “Essential” and “important” entities in defined sectors, plus some size-based rules. Enforcement through Dutch implementing law and regulators. | Applies EU-wide as a framework for certification schemes that vendors and customers can use (not limited to NIS2 sectors). | If you are in scope for NIS2, you may be expected to show stronger assurance over suppliers and systems. EU certification can be evidence of this. |
| Risk management controls | Requires “appropriate and proportionate” measures across areas such as access control, incident handling, business continuity, supply chain security and more. | Defines a European cybersecurity certification framework, with schemes that can set security requirements and assurance levels for ICT products, services and processes. | Certification is a structured way to demonstrate that a product or service meets your security requirements. This can support your NIS2 efforts, especially supply chain controls. |
| Certification specifically | Requires in-scope entities to use ICT products, services and processes certified under European cybersecurity certification schemes under Article 21. | Establishes how EU certification schemes get created and maintained (via ENISA and EU governance structures), including assurance levels used by schemes. | NIS2 can point to Cybersecurity Act schemes as an accepted or required way to demonstrate compliance for certain controls. |
| Supervisory expectations | Regulators can ask for evidence, testing and governance proof (policies, controls, incident records, training, third-party management). | Certification provides standardised evidence for the certified scope, but it does not replace your broader governance duties. | Certification is supporting evidence, not a substitute. You still need to demonstrate NIS2-compliant governance, reporting structures and operational controls. |
NIS2 and Cybersecurity Act timeline
| Date | Legislation | What happened? |
| --- | --- | --- |
| 2018 | NIS (original) | Member States implemented the first NIS rules through national laws. |
| 27 June 2019 | EU Cybersecurity Act | The Cybersecurity Act entered into force, strengthening ENISA’s mandate and setting up an EU-wide cybersecurity certification framework. |
| 17 October 2024 | NIS2 | Deadline for Member States to transpose NIS2 into national law. The Netherlands was one of 19 member states not to meet this deadline. |
| 2025 (through the year) | NIS2 | EU focus shifted to enforcement pressure for those member states, including infringement steps for late transposition. |
| 20 January 2026 | Cybersecurity Act (revision proposal) | The European Commission published a proposal to revise and amend the Cybersecurity Act. |
| Q2 2026 (expected) | NIS2 (NL implementation) | The EU-level rule is already in force, but it is national implementation that will require in-scope organisations to fulfil their duties in practice. |
| 2026 onward (timing uncertain) | Cybersecurity Act (revision) | The Commission proposal moves through the Parliament and Council. Timing depends on negotiations. |
Why NIS2 is a board-level responsibility
Article 20 of NIS2 places clear duties on organisations’ “management bodies,” which in practice means the board of directors for many in-scope entities. The board must:
- Approve the organisation’s cybersecurity risk management measures
- Oversee how management implements them
- Undertake training so it can understand and challenge the organisation’s approach to compliance.
This includes IT controls, but also other elements already under the board’s remit, such as risk appetite, budgeting, outsourcing, business continuity and the entity’s readiness for incidents.
Failure to meet the required standards can lead to financial sanctions:
- For essential entities, up to €10 million or 2% of global annual turnover (whichever is higher).
- For important entities, up to €7 million or 1.4% of global annual turnover (whichever is higher).
The board is held accountable for non-compliance with NIS2 and regulators can even seek a temporary ban on an individual exercising managerial functions in an essential entity. This personal liability ensures directors maintain effective oversight on the company’s cybersecurity function.
Another possible outcome is that the entity is compelled to make public any compliance violations, leading to reputational risk in addition to financial damage.
Governance and decision-making are central to compliance with NIS2. It is not just about technical controls: leaders must take ownership of the processes, allow for fast escalation of issues and establish a clear workflow so that the right people are informed in a timely manner. By setting the risk appetite and clear priorities, you arm management with the tools to comply in a consistent and effective manner.

What organisations must do to become NIS2 compliant
Here are some steps you can take to become NIS2 compliant:
- Confirm whether you are in scope, based on sector and size.
- Brief the board on your obligations under NIS2 and appoint an executive to own the process.
- Map your critical services to understand where incidents would cause material impact.
- Run a gap assessment to understand how prepared you currently are.
- Create a reporting workflow.
- Analyse suppliers for cybersecurity risk.
- Train directors and staff on cybersecurity processes and procedures.
- Carry out tabletop exercises to help stakeholders understand their duties and how an incident may play out.
- Set up evidence gathering and recording processes to show regulators, if required.
How governance software supports NIS2 compliance
By using a governance platform that meets international standards for data protection and information security, you show that you have measures in place to protect your sensitive data and inter-board communications. Opt for a solution that is hosted on EU servers and provides robust access controls, backed by AES-256 encryption to protect data at rest and in transit.
For example, governance software like iBabs strengthens cybersecurity by:
- Showing clear board oversight in archived documents, as well as recording decisions and actions for evidence.
- Reducing the risk of sensitive business information leaking through strong cybersecurity controls.
- Allowing you to hold emergency board meetings during an incident, bringing together directors remotely when there is no time to get them all to a single location.
- Helping you distribute urgent information to directors quickly and securely within the platform.
FAQ
How is NIS2 different from the original NIS Directive?
NIS2 significantly expands the scope of organisations covered, introduces stricter security requirements and enforcement mechanisms and places direct responsibility on boards and senior executives. It also harmonises rules across Member States to reduce fragmentation.
Does NIS2 apply only to large organisations?
No. While micro and small enterprises are generally (but not always) excluded, many medium-sized organisations fall within scope if they operate in critical or important sectors. Size thresholds are not the only determining factor. Sector and risk exposure also matter.
What are the penalties for non-compliance with NIS2?
Penalties can include significant administrative fines, binding instructions from authorities and, in some cases, temporary bans on executives exercising management functions. National regulators have broad enforcement powers under NIS2.
Can board members be held personally liable under NIS2?
Yes. NIS2 introduces personal accountability for directors and senior management. If boards fail to oversee cybersecurity risk management properly, individuals may face sanctions depending on national implementation.
Conclusion
NIS2 compliance is a pressing priority for Dutch companies, with the government set to implement the update to the original directive later in 2026. You must encourage your board to take responsibility, as they can be liable for lapses in your approach to cybersecurity. Once you ascertain that you are in scope of NIS2, you must ensure you understand your obligations, including:
- Your duty of care to assess the risk your organisation faces and take measures to ensure services can continue and data is protected
- Your duty to report incidents within the staged timelines
- Your duty to evidence your compliance to supervisory bodies.
Protect sensitive information with iBabs
A secure board portal like iBabs offers market-leading features to prevent attacks on and leaks of your sensitive board documents and communications, helping you show that you are taking necessary measures to reduce cyber risk.
