Understanding NIS2

The EU's cybersecurity directive is becoming Dutch law. Here's what you need to know and what you need to do.

NIS2 is the European Union's updated directive on the security of network and information systems. It replaces the original NIS directive from 2016 and significantly raises the bar for how organisations must protect themselves against cyber threats. In the Netherlands, NIS2 is being transposed into the Cyberbeveiligingswet (Cybersecurity Act).

The goal is straightforward: organisations that society depends on, from hospitals to energy companies to IT service providers, must take cybersecurity seriously. Not as an afterthought, but as a core part of how they operate.

Does NIS2 apply to you?

NIS2 casts a much wider net than its predecessor. It applies to organisations in two categories.

Essential entities

Sectors where disruption has high societal impact:

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, road, water)
  • Healthcare
  • Drinking water and wastewater
  • Digital infrastructure (DNS, data centres, cloud)
  • Banking and financial markets
  • Government services
  • Space

Important entities

Sectors with significant but less critical impact:

  • Postal and courier services
  • Waste management
  • Food production and distribution
  • Manufacturing (medical devices, electronics, machinery)
  • Chemical production
  • Digital service providers (marketplaces, search engines)
  • Research organisations

The general threshold: organisations with more than 50 employees or annual turnover exceeding EUR 10 million. But even smaller organisations can be pulled in, particularly if they're part of the supply chain of an essential or important entity.

Try our NIS2 scope checker for a quick indication →

What does NIS2 require?

The directive comes down to four obligations.

Duty of care

You must take appropriate technical and organisational measures to manage security risks. That means risk assessments, access controls, encryption where needed, backup procedures, incident management, and supply chain security.

"Appropriate" means proportionate to your risks. Not one-size-fits-all, but not optional either.

Incident reporting

Significant security incidents must be reported to the authorities, and the clock starts ticking fast:

  • Within 24 hours: initial alert to the NCSC
  • Within 72 hours: follow-up with more detail
  • Within 1 month: full report including root cause and remediation

Registration

Organisations that fall under NIS2 must register with the National Cyber Security Centre (NCSC). In return, you receive relevant cyber threat intelligence and early warnings about vulnerabilities and threats relevant to your sector.

Board accountability

This is the one that gets attention in the boardroom. Under NIS2, the management board is accountable for cybersecurity. Board members must undergo training on cyber risk, and they can be held personally liable if the organisation fails to meet its obligations.

Penalties

NIS2 has teeth. Non-compliance can result in:

  • Fines up to EUR 10 million or 2% of global annual turnover (whichever is higher)
  • Personal liability for board members
  • Supervisory measures and potential operational restrictions

What should you do now?

Even though the Dutch Cyberbeveiligingswet isn't finalised yet, the direction is clear. Organisations that start now will be ahead of the curve and avoid a last-minute scramble.

  • Determine scope - Assess your sector, size, and role in supply chains to establish whether NIS2 applies to you.
  • Know your position - Where do you stand against NIS2 requirements today? What's already in place, and where are the gaps?
  • Identify the gaps - Look at risk management, incident response, governance, and supply chain oversight.
  • Build a roadmap - Prioritise based on risk and work towards compliance systematically, not all at once.
  • Prepare your board - Ensure leadership understands their responsibilities and is actively engaged.
  • Don't wait - The regulation is coming. Starting early gives you the time to do it right rather than fast.

How EnableNext can help

We help organisations navigate NIS2 from assessment to implementation. Practical, proportionate, and without unnecessary complexity.

  • NIS2 scope assessment - Determine whether and how the directive applies to your organisation.
  • Gap analysis - Measure your current posture against NIS2 requirements and identify what needs attention.
  • Implementation support - Risk frameworks, incident procedures, governance structures, and supply chain management.
  • Board briefings - Help leadership understand what's expected of them under NIS2 in plain language.

Not sure where to start?

Get in touch to discuss your situation, or check if NIS2 applies to your organisation.
