What is the NIS2 directive and what does it mean for your business?

Catcher24

August 11, 2025


The NIS2 directive (Directive (EU) 2022/2555) is a European law designed to strengthen the digital security of companies and organizations across Europe. It replaces the original NIS directive from 2016 and introduces more stringent requirements for the security of network and information systems. The directive itself has been in force since January 2023, and member states were required to transpose it into national law by 17 October 2024; in the Netherlands, the implementing law is now expected to take effect in the second quarter of 2026.

The new directive broadens the scope of the law and imposes stricter requirements on organizations, particularly those in critical sectors such as energy, healthcare, and digital infrastructure. Importantly, organizations outside these sectors that supply them are affected as well: covered entities must manage the security risks in their supply chain, which in practice means suppliers will be asked to meet security requirements contractually, even when they are not directly in scope themselves.

Although the implementation of the NIS2 directive in the Netherlands has been postponed to the second quarter of 2026, this does not mean organizations can afford to wait. The content of the obligations has not changed; only the date from which they can be enforced has shifted. Organizations in both essential and important sectors are advised to begin preparing now for these heightened cybersecurity requirements.

A postponement is not a cancellation. Start today by conducting risk analyses, implementing security measures, and raising security awareness within your organization.

Which sectors does the NIS2 directive apply to?

Like the original directive, NIS2 targets companies and organizations in vital sectors. It distinguishes between essential entities (Annex I) and important entities (Annex II); the sectors covered are crucial to society and the economy and include, among others:

  • Energy (electricity, gas, oil)

  • Drinking water and waste water

  • Transport and logistics

  • Healthcare

  • Financial institutions (banks, insurers)

  • Digital infrastructure (cloud providers, data centers)

  • Public administration (government services)

In addition to these vital sectors, their suppliers are affected as well: covered entities must assess the risks in their supply chain and impose security requirements on their suppliers. This means that on top of the approximately 10,000 organizations directly covered by the NIS2 directive, an estimated 50,000 companies that supply them will also have to meet stricter digital security requirements.


What are the primary obligations?

1. Stricter security requirements. Organizations falling under the NIS2 directive must take appropriate and proportionate technical, operational and organizational measures to manage the risks to their network and information systems. This requires them to review their existing security policies and enhance them where necessary, including keeping software patched, securing systems against cyberattacks, and performing regular risk analyses.

2. Supply chain responsibility. One of the key new obligations under NIS2 is supply chain security. Organizations directly under the directive must address the security of their supply chain, including the security-related aspects of their relationships with direct suppliers and service providers. They must assess the risks posed by their suppliers and impose appropriate security measures, typically through contractual requirements, so that the chain as a whole operates securely.

3. Incident reporting obligation. Organizations are required to report significant incidents to the competent authorities, in the Netherlands the National Cyber Security Centre (NCSC) and the competent sector supervisor, in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Note that an incident involving personal data may additionally have to be reported under the GDPR. Staged reporting enables the government to respond more rapidly to large-scale incidents.

4. Supervision and enforcement. The NIS2 directive introduces stricter rules for supervision and enforcement. National supervisory bodies can conduct audits and inspections to verify that organizations are complying with the directive's requirements and can issue binding instructions. Essential entities that fail to comply can face fines of up to €10 million or 2% of their global annual turnover, whichever is higher; for important entities the maximum is €7 million or 1.4%. Management bodies can also be held personally liable for failing to approve and oversee the security measures.

What is different with this new law?

The main changes compared to the old NIS1 directive are:

  • Expanded scope: The NIS2 directive applies to a wider range of sectors and organizations, and through the supply chain obligation it also reaches their suppliers and service providers.

  • Stricter security requirements: All companies covered by NIS2 must review and strengthen their cybersecurity policies.

  • Supply chain responsibility: Covered organizations must manage the security risks of their direct suppliers and service providers, which means imposing security requirements on them.

  • Increased fines and stricter enforcement: Non-compliance can lead to severe financial penalties.

What does this mean for your company?

If your company operates in one of the sectors covered by the NIS2 directive, you must ensure you meet the new requirements. The directive generally applies to medium-sized and large organizations in those sectors, but small and medium-sized enterprises that supply them are affected too, because their customers will pass the requirements down the chain.

The principle of supply chain responsibility means you must not only secure your own operations but also work with your suppliers to make the entire chain digitally safe. In practice this means contractually imposing security requirements on your suppliers and subcontractors and verifying that they are met.

NIS2: what should you do?

To ensure your company complies with the NIS2 directive, you can take the following steps:

  1. Verify whether your company falls under the NIS2 directive. You can do this with the NIS2 self-assessment information provided by the Dutch government.

  2. Review your cybersecurity policy. Ensure you meet the stricter security requirements of the NIS2 directive. The government has made a helpful toolkit available for this.

  3. Perform risk analyses. Assess the risks to your own systems and within your supply chain, and implement measures to mitigate them.

  4. Train your employees and suppliers. Ensure that everyone within your organization and its supply chain is aware of cybersecurity measures and knows how to respond to an incident.

  5. Establish an incident reporting protocol. Create a clear plan to detect, classify and report incidents to the competent authorities within the 24-hour, 72-hour and one-month deadlines.

By taking timely action, you can ensure compliance with the NIS2 directive, avoid significant fines, and reduce the risk of damage from cyberattacks.


Improve your cybersecurity today

Start your free trial now and discover what Catcher 24 can do for your company. No credit card required, no installation. Just real insight into your real risks.
