Does your organisation comply to NIS2?

NIS2 is the second Network- and Information Security guideline, a European law that aims to imrpove the security and resilience of network- and information systems within the EU.

NIS2 relates to a broad variety of organisations, under which 'essential' and 'important' service providers. Even if your organisation does not belong to these categories, chances are that you will still be held accountable within the supply chain. It is possible that a customer demands compliance, even if you are technically not subjected to NIS2. The goal of NIS2 is to increase the cyberresilience of organisations within the EU.

• Duty of care - Organizations are expected to conduct their own risk assessment. Based on this assessment, they can determine which measures are necessary to best ensure the continuity of their services and to protect the information they use. Within the various sectors covered by NIS2, additional requirements are imposed regarding the duty of care. For government organizations, this includes compliance with the Baseline Information Security Government (BIO) 2.0 framework.
• Mandatory reporting - When an incident occurs, organizations are required to report it to the relevant supervisory authority within 24 hours. This applies to incidents that significantly disrupt—or could disrupt—the continuity of services provided by essential entities. In the case of a cyber incident, the organization must also report it to the Computer Security Incident Response Team (CSIRT), which can provide assistance and support. Factors that may make an incident reportable include the number of people affected, the duration of the disruption, and the potential financial losses involved. Thresholds and criteria for specific sectors will be further defined in supplementary regulations.
• Supervision - Organizations that fall under the NIS2 directive are also subject to mandatory supervision. The directive requires that an independent supervisory authority monitors compliance with the obligations outlined in the directive, such as the duty of care and the incident reporting obligation. For government organizations, the Dutch Authority for Digital Infrastructure (RDI) has been designated as the supervisory body. When overseeing NIS2 compliance within the public sector, the RDI will make use of existing accountability structures to help minimize administrative burdens related to supervision.

Non-compliance with the NIS2 requirements can result in sanctions, including substantial fines. The exact penalties vary by EU member state.

To comply with NIS2 requirements, you must implement appropriate security measures, develop an incident response plan, conduct regular security audits, and report incidents. Let us help you with this process.

The implementation of and compliance with NIS2 has been delayed but is expected to be conducted in Q2 of 2026. The directive does however already grant rights to entities that are subjected to NIS2, but there is not jet a legal obligation to comply. 

Within the sectors covered by the NIS2 directive, additional regulations specify how the duty of care should be implemented in more detail. For the public sector, this is done through the Baseline Information Security for Government (BIO). In other sectors, different standards may apply—for example, NEN 7510 for the healthcare sector. These standards are determined by the responsible ministries.

Suppliers that provide products or services to entities covered by the NIS2 directive may independently fall under its scope, but this is not automatically the case. However, entities subject to NIS2 are required—under their duty of care—to assess the security of their supply chain. As a result, a supplier can expect that a NIS2-regulated entity may request information about the cybersecurity measures the supplier has in place and/or set specific security requirements for them.

Entiteiten die onder de NIS2 vallen hebben in het kader van de zorgplicht wel een verplichting om de beveiliging van de toeleveringsketen in kaart te brengen. Een leverancier kan dus verwachten dat een NIS2-entiteit informatie opvraagt over de maatregelen die de leverancier neemt ten aanzien van cyberrisico’s en/of hier zelf eisen aan stelt.

NIS2 does not introduce new liabilities for public sector executives beyond what already existed. However, this does not mean that there is no liability at all within public institutions. Currently, executives can already be held liable in cases of gross negligence, for example. Furthermore, liability of public officials is separate from the political responsibilities that exist within governmental bodies. The NIS2 directive does include a provision regarding executive liability in cases of non-compliance with its obligations. However, this provision does not directly apply to public sector entities. The directive explicitly states that it does not affect national laws concerning the liability of civil servants and elected or appointed public officials.

De NIS2-richtlijn bevat een bepaling over de aansprakelijkheid voor bestuurders in het geval van niet-nakomen van verplichtingen van de richtlijn. Deze bepaling is niet direct van toepassing op overheidsinstanties. De NIS2-richtlijn geeft namelijk aan dat geen afbreuk kan worden gedaan aan nationaal recht inzake aansprakelijkheid van ambtenaren en gekozen of benoemde overheidsfunctionarissen.