NIS2: What It Means and Who It Applies To 

Published in: Uncategorized
Published on: 28 August 2025

The NIS2 Directive is one of the most significant regulatory developments in cybersecurity for organizations operating within the European Union. But what exactly is NIS2, and how does it apply to your organisation? 


What is the NIS2 Directive? 

The NIS2 Directive is part of the new EU Cybersecurity Strategy. Its goal is to strengthen the overall digital resilience of critical organisations across the EU. Unlike its predecessor, which applied to a limited number of sectors, NIS2 has a much broader scope. 

The directive places a strong focus on: 

  • Cybersecurity risk management and a set of best-practice cybersecurity requirements
  • Managing business continuity in regard to cyber risks
  • Managing third-party dependencies in relation to cybersecurity risks
  • Obligatory reporting of significant cybersecurity incidents
  • Board-level accountability for managing risk and overseeing compliance
  • Supervision by regulatory organisations, where non-compliance can result in severe penalties, up to €10 million or 2% of global annual turnover

Who Does NIS2 Apply To? 

Compliance with the NIS2 directive is a requirement for two categories of organisations:

  1. Essential entities: organisations in sectors such as energy, healthcare, transport, banking, and digital infrastructure. 
  2. Important entities: organisations in sectors including postal services, chemicals, food production, ICT services, and certain manufacturing industries. 

Company size also plays a role: generally, medium and large organisations fall under NIS2, while micro and small companies are excluded, unless they perform a critical function.

NIS2 in The Netherlands

The Netherlands is implementing NIS2 through the upcoming Cyberbeveiligingswet, which is currently under review by parliament. The latest expectations include:

  • Entry into force: second half of 2026 (probably July 17th).
  • Supervisory authority will be placed with the National Cyber Security Centrum.

It is anticipated that hundreds, and possibly thousands, of additional organisations will be brought under NIS2 requirements through the mandatory management of cybersecurity risk in third-party dependencies. This means that organisations that do not directly fall under the categories of essential or important entities may still face NIS2 cybersecurity requirements from clients and partners that DO fall under NIS2 and are required to manage cybersecurity risk in these partnerships.

What You Should Do Now

If you are unsure whether your organisation must comply with NIS2, now is the time to act:

  1. Determine whether you fall under the directive and/or which of your clients and partners may fall under the new directive.
  2. Conduct a gap analysis of your current cybersecurity measures against the requirements of NIS2.
  3. Develop an implementation roadmap to achieve compliance.
  4. Train employees and involve top management to establish clear ownership and responsibilities.
  5. Prepare for reporting and registration obligations.

Certification Experts can support you in each step, from initial analysis and strategic advice to full implementation and compliance monitoring.

Be Ready for NIS2 with Certification Experts

NIS2 will have a far-reaching impact on many organisations. Our experts help you identify your obligations, strengthen your cybersecurity posture, and ensure compliance with all NIS2 requirements.

Get in touch with our team today to assess your situation and prepare your organisation for the upcoming changes.
