Does your organisation comply with NIS2?
You have most likely already heard about it, but you might still be wondering whether NIS2 is relevant to your company. We can give you a simple answer: yes. Even if your company does not fall directly within one of the designated sectors, there is a high chance that you are affected by what is known as chain responsibility. NIS2 goes far beyond a set of guidelines or a simple checklist; it pushes companies to critically examine their cybersecurity at an organisation-wide level. We are happy to explain what NIS2 entails, which guidelines apply to you, and, most importantly, what you can do to comply with these requirements as quickly as possible.
What is NIS2?
NIS2 is a European directive that defines the cybersecurity measures organisations must take to protect their networks and information. The measures required depend on your sector and on whether your organisation falls into the Essential or Important category. The goal is to strengthen the resilience of the European digital economy and prevent cyberattacks.
Work is currently underway to implement NIS2 into the Dutch Cybersecurity Act (Cbw), which will replace the current Network and Information Systems Security Act (Wbni). The implementation has already been postponed several times and is now expected to take place in the second quarter of 2026.
Are you obliged to comply with NIS2?
The Dutch Cybersecurity Act is currently set to come into force in the second quarter of 2026. Once this law is enforced, your company may be required to comply with the NIS2 directive. This might still seem far off, but it is advisable to take action now. The urgency is high, as cyberattacks are becoming increasingly sophisticated and causing more and more damage. In addition, as an organisation you have a duty of care, which means you must take measures to protect your network and information systems against incidents. Failure to meet the NIS2 requirements could result in substantial fines and reputational damage. You could also be held liable for any damages resulting from a cyberattack.
Curious which sector your organisation belongs to? Take the free (Dutch) check.
Which cybersecurity measures are necessary?
If your organisation belongs to the essential or important category, you have to comply with several requirements.
- Security policy: companies must have a solid policy in place that outlines their overall security objectives and measures.
- Risk management: companies must take appropriate measures to identify, assess, and minimise security risks.
- Incident management: security incidents must be detected, reported, and handled effectively and efficiently.
- Business continuity: companies must be able to continue delivering their essential services even in the event of a security incident or disruption.
- Cooperation with competent national authorities: companies must report security incidents to these authorities and share relevant information.
- Compliance and audits: companies must be able to demonstrate compliance with NIS2 and be prepared to undergo audits to verify adherence.
- Cyber awareness: by training employees, they become aware of potential risks and learn how to recognise threats.
- Appropriate measures: companies must take the necessary steps to ensure the continuity of their services.
Even if your organisation does not belong to the essential or important category, you will still need to take measures because of chain responsibilities. We would like to emphasise that NIS2 should not be seen as an obstacle, but rather as a potential commercial advantage. You can read more about this in our blog NIS2 as business enabler rather than constraining obligation. We also have a clear roadmap for you which tells you in a few simple steps whether you are heading in the right direction towards NIS2.
FAQs
What is NIS2?
NIS2 is the second Network and Information Security Directive, a European law that aims to improve the security and resilience of network and information systems within the EU.
Is my SMB company subject to NIS2?
NIS2 applies to a broad variety of organisations, including 'essential' and 'important' service providers. Even if your organisation does not belong to these categories, chances are that you will still be held accountable within the supply chain. It is possible that a customer demands compliance, even if you are technically not subject to NIS2. The goal of NIS2 is to increase the cyber resilience of organisations within the EU.
What are the requirements of NIS2?
- Duty of care - Organizations are expected to conduct their own risk assessment. Based on this assessment, they can determine which measures are necessary to best ensure the continuity of their services and to protect the information they use. Within the various sectors covered by NIS2, additional requirements are imposed regarding the duty of care. For government organizations, this includes compliance with the Baseline Information Security Government (BIO) 2.0 framework.
- Mandatory reporting - When an incident occurs, organizations are required to report it to the relevant supervisory authority within 24 hours. This applies to incidents that significantly disrupt, or could disrupt, the continuity of services provided by essential entities. In the case of a cyber incident, the organization must also report it to the Computer Security Incident Response Team (CSIRT), which can provide assistance and support. Factors that may make an incident reportable include the number of people affected, the duration of the disruption, and the potential financial losses involved. Thresholds and criteria for specific sectors will be further defined in supplementary regulations.
- Supervision - Organizations that fall under the NIS2 directive are also subject to mandatory supervision. The directive requires that an independent supervisory authority monitors compliance with the obligations outlined in the directive, such as the duty of care and the incident reporting obligation. For government organizations, the Dutch Authority for Digital Infrastructure (RDI) has been designated as the supervisory body. When overseeing NIS2 compliance within the public sector, the RDI will make use of existing accountability structures to help minimize administrative burdens related to supervision.
What happens if I don't comply with the NIS2 requirements?
Non-compliance with the NIS2 requirements can result in sanctions, including substantial fines. The exact penalties vary by EU member state.
How can I comply with the NIS2 requirements?
To comply with NIS2 requirements, you must implement appropriate security measures, develop an incident response plan, conduct regular security audits, and report incidents. Let us help you with this process.
When will NIS2 be effective?
The implementation of and compliance with NIS2 has been delayed but is expected to take effect in Q2 of 2026. The directive does, however, already grant rights to entities that are subject to NIS2, but there is not yet a legal obligation to comply.
How does the duty of care within the NIS2 directive relate to existing directives such as NEN7510 and ISO 27001?
Within the sectors covered by the NIS2 directive, additional regulations specify how the duty of care should be implemented in more detail. For the public sector, this is done through the Baseline Information Security for Government (BIO). In other sectors, different standards may apply, for example NEN 7510 for the healthcare sector. These standards are determined by the responsible ministries.
Do suppliers also have to comply with NIS2?
Suppliers that provide products or services to entities covered by the NIS2 directive may independently fall under its scope, but this is not automatically the case. However, entities subject to NIS2 are required, under their duty of care, to assess the security of their supply chain. As a result, a supplier can expect that a NIS2-regulated entity may request information about the cybersecurity measures the supplier has in place and/or set specific security requirements for them.
What about the liability of the board or executive management in the event of non-compliance with the directive’s obligations within public sector organizations?
NIS2 does not introduce new liabilities for public sector executives beyond what already existed. However, this does not mean that there is no liability at all within public institutions. Currently, executives can already be held liable in cases of gross negligence, for example. Furthermore, liability of public officials is separate from the political responsibilities that exist within governmental bodies. The NIS2 directive does include a provision regarding executive liability in cases of non-compliance with its obligations. However, this provision does not directly apply to public sector entities. The directive explicitly states that it does not affect national laws concerning the liability of civil servants and elected or appointed public officials.
Do you need advice and support?
To comply with NIS2, you need to implement the necessary cybersecurity measures within your organisation. We understand that you may not have all the expertise in-house to meet these requirements, and we are here to support and advise you on the path to compliance. If you would like more information or want to know how we can assist you, feel free to get in touch with us using the form below.