Strengthen Your Position in the Supply Chain with Demonstrable NIS2 Compliance
The NIS2 Directive has been in effect since 2024. In Q3 of 2025, it will be implemented in the Netherlands as the Cyberbeveiligingswet. Which sectors fall under this directive, and how can your organization prepare?

NIS2: from EU Directive to Dutch Legislation
As of October 17, 2024, the NIS2 Directive on network and information system security has been in force throughout the European Union. Starting in Q3 2025, the directive will be transposed into Dutch legislation as the Cyberbeveiligingswet and the Critical Entities Resilience Act (Wwke/CER). Thousands of companies risk losing customers due to insufficient compliance with this crucial cybersecurity directive. But what exactly does NIS2 entail, which sectors are covered, and how can you ensure compliance? You’ll find the answers here.
Achieve NIS2 Compliance with Certification Experts
To effectively comply with the NIS2 Directive, it is essential to implement a future-proof management system. Certification Experts supports you in designing a management system that ensures NIS2 compliance while also addressing other legal requirements relevant to your business. Using SmartManSys, we implement our SMART Methodology efficiently within your organization—ensuring you are future-ready and digitally resilient.
Key NIS2 Requirements
The NIS2 Directive introduces several mandatory requirements that organizations must meet:
- Identify Cyber Risks: Conduct a comprehensive risk assessment and implement risk-based measures to mitigate those risks.
- Manage Supply Chain Risks: Ensure that not only your organization, but also the services provided by your business partners, comply with NIS2 requirements—even if those partners are not directly subject to the directive.
- Incident Reporting Process: Establish a well-structured process to report significant incidents to the relevant sectoral authority within 24 hours.
- Continuous Improvement: Stay in control by continuously evaluating and improving your processes using the Plan-Do-Check-Act (PDCA) methodology.
Which Sectors Fall Under NIS2?
The NIS2 Directive significantly expands its scope by identifying both “essential” and “important” sectors. It primarily targets organizations of public interest or social significance, such as energy, transport, healthcare, infrastructure, and manufacturers of digital devices. Is your organization covered under the Dutch NIS2 legislation?
Essential Sectors:
- Energy: Supply, distribution, transmission, and sale of electricity, gas, oil, heating/cooling, and hydrogen, as well as EV charging operators
- Transport: Air, rail, road, and water transport (including shipping companies and port facilities)
- Banking and Financial Services: Credit, trading, markets, and financial infrastructure
- Healthcare: Healthcare providers, research laboratories, pharmaceuticals, and medical device manufacturing
- Water: Drinking water suppliers and wastewater management
- Digital Infrastructure and IT Services: DNS, domain name registries, trust services, data centers, cloud computing, electronic communication services, managed services, and managed security services
- Public Administration: Central government (regional and local governments optionally)
- Space: Ground-based infrastructure operators
Important Sectors:
- Postal and courier services
- Waste management
- Chemical production and distribution
- Food production and distribution
- Manufacturers: Medical/diagnostic devices, computers, electronics, optics, machinery, motor vehicles, trailers, semi-trailers, and other transport equipment
- Digital providers: Online marketplaces, search engines, social platforms
- Research organizations
What Are Your Organization’s Obligations?
If your organization falls under the NIS2 Directive—or provides services to entities that do—you must prepare for the new legal obligations. Doing so will increase your organization’s resilience against cyber threats and help you avoid fines and penalties. The obligations are grouped into three main duties:
- Registration Duty: All essential and important entities must register in the entity register of the National Cyber Security Centre (NCSC).
- Duty of Care: Organizations must comply with ten standard security measures and conduct a risk analysis to determine the necessary steps for compliance.
- Notification Duty: Registered entities must report any “significant incidents” to the Computer Security Incident Response Team (CSIRT) within 24 hours. These include events that cause serious operational disruption or substantial financial losses. Organizations must also investigate and report on these incidents afterward.
Achieving NIS2 Compliance Through International Standards and Best Practices
The path to NIS2 compliance varies by organization and often comes with specific challenges in information security. Use standards such as ISO 27001 or NEN 7510 as a foundation for your compliance strategy. Many of the procedures involved in obtaining these certifications—such as policy development, risk assessments, and audits—also apply to NIS2. Leveraging these standards helps prevent redundant efforts and ensures effective alignment with NIS2 requirements.
