
Partner for NIS2 advice, implementation, and management
The NIS2 cybersecurity directive has been in effect since early 2023. NIS2 is an expansion of the existing NIS directive. It applies to more organizations and sets stricter cybersecurity requirements for essential and important service providers in the European Union.
So for many organizations in the Netherlands, NIS2 compliance is a must. We will investigate without obligation and free of charge whether NIS2 applies to your organization, and what you can do to comply.
Trusted by 500+ customers in the Netherlands




Article: The NIS2 guideline: What has changed and what does it mean for your organization?
What is the NIS2 guideline?
The NIS2 Directive, introduced in 2020 and in force at the EU level since Jan. 16, 2023, is a continuation and expansion of the previous EU cybersecurity directive, NIS. It was proposed by the European Commission to build on and remedy the shortcomings of the original NIS directive.
NIS2 aims to improve the security of network and information systems in the EU by requiring providers of critical infrastructure and essential services to implement appropriate security measures and report incidents to the authorities.
Compared to NIS, NIS2 expands the EU-wide security requirements and scope of covered organizations and sectors to improve supply chain security, simplify reporting requirements and enforce stronger measures and sanctions across Europe.
What does 'NIS2' stand for?
NIS2 stands for "Network and Information Security Directive."
NIS2 will become law in 2026
Member states have until then to transpose the directive into national law. The government aims for the law to come into force in the second quarter of 2026. This means that any organization covered by the directive will then be required by law to comply with its requirements.
The original NIS
The original NIS directive also aimed to raise the level of cybersecurity among EU member states, but implementation encountered problems and resulted in inconsistent efforts across the European Union. In light of increasing cyber threats, the EU Commission proposed NIS2 as a replacement.
10 minimum requirements for NIS2 compliance
The new NIS2 directive requires that essential and important organizations implement basic security measures to mitigate the danger of some common cyber threats. These include:
- Risk assessments and security policies for information systems.
- Policies and procedures for the use of cryptography and, if relevant, encryption.
- Security around the procurement of systems and the development and use of systems. This means having policies for handling and reporting vulnerabilities.
- Security procedures for employees with access to sensitive or important data, including data access policies. Involved organizations should also have an overview of all relevant assets and ensure that they are used and handled appropriately.
- The use of multi-factor authentication, solutions for continuous authentication, encryption of voice, video and text, and encrypted internal emergency communications, where applicable.
- Policies and procedures for evaluating the effectiveness of security measures.
- A plan for handling security incidents.
- Cybersecurity training and a basic guideline for handling computer systems responsibly.
- A plan for managing operations during and after a security incident. This means that backups must be up-to-date. There should also be a plan to ensure access to IT systems and their business functions during and after a security incident.
- Security around supply chains and the relationship between the company and the direct supplier. Companies must choose security measures that fit the vulnerabilities of each direct supplier, and must then assess the overall security level for all suppliers.
Which organizations are covered by the NIS2 directive?
Compared to the old NIS guideline, NIS2 applies to significantly more organizations. These are characterized by:
- Activity in essential and important sectors (see image to the right)
- Minimum 50 employees and/or an annual turnover and balance sheet total of at least EUR 10 million
Not sure if NIS2 is applicable to your organization? Do not hesitate to request a free NIS2 Assessment.

Remark:
An organization may still be considered essential or important without meeting the size criteria, for example when it is critical to the social or economic activity of the Netherlands.
Next steps and deadlines

18/04/2026
Key and essential organizations must complete a verified self-assessment by April 18, 2026.

30/06/2026
The deadline for companies to complete their first external audit for NIS2 compliance is set for June 30, 2026.

17/10/2027
The European Commission shall review the operation of the NIS2 Directive by Oct. 17, 2027.
Requesting NIS2 Quickscan
We are happy to help you with your NIS2 issue.

Margo Sportel
Security Consultant