NIS2: when mandatory?

The European NIS2 Directive has been in force since early 2023, but each EU country must implement the rules into national law themselves. In the Netherlands, this is done via the Cybersecurity Act (CBW). The Cybersecurity Act's effective date has now been postponed: the expected entry into force is in the second quarter of 2026, which means that organizations in the Netherlands can already start implementing NIS2 so that they will be ready when the law officially comes into force.

Why that extra time is no reason to wait

The Cybersecurity Act may take some time to come into force, but the requirements of NIS2 compliance require time and attention. Indeed, the directive emphasizes structural risk management, administrative responsibility and cooperation within the chain. Whether you work for a municipality, healthcare institution, ICT service provider or SME: chances are that your organization will soon fall under the law or will have to comply with NIS2 organizations as a supplier.

What exactly will change with the NIS2 entry into force?

The arrival of NIS2 ensures that cybersecurity becomes a legal obligation. Major changes include:

• Administrative responsibility: directors are personally responsible for cybersecurity.
• Notification obligation: serious incidents must be reported within 24 hours.
• Supplier Management: chain partners must demonstrably work safely.
• Policy Obligation: organizations must document and maintain their security measures.

With the Cybersecurity Act these requirements will become legally binding in the Netherlands. Once the law is active, the supervisor can impose fines on organizations that do not comply with NIS compliance.

ISO 27001's role in NIS2 implementation

Many organizations are already working with ISO 27001. This is a major advantage, because this standard closely matches the requirements of NIS2. A well-appointed SIMS (Information Security Management System) helps with risk management, internal audits, policy and reporting — all components that are also required within the NIS2.

A NIS2 consultant can help determine from ISO 27001 what additional measures are needed to become fully compliant with the Cybersecurity Act. This way, you build on existing processes and prevent duplication of work.

NIS2 Quality Mark: proven reliability

In addition to legal compliance, there is also a need for practical evidence. It NIS2 Supply Chain Certificate (NIS2 SC) is a label for suppliers who work with organizations that fall under NIS2. With this NIS2 label, you demonstrate that your organization meets the most important requirements in the field of information security and NIS2 cybersecurity.

What you can do now: Start with a NIS2 check

The NIS2 entry into force seems to be a while away, but preparation takes time. By doing a NIS2 check now, you know exactly where your organization stands and what steps are necessary for NIS2 compliance.

The Cybersecurity Act is expected in the second quarter of 2026 in effect. Nevertheless, now is the time to start with your NIS2 implementation. The sooner you start, the easier it is for you to meet the requirements of NIS2 and chain responsibility.

Our consultants carry out an NIS2 audit or NIS2 assessment and help organizations implement NIS2 in the Netherlands — from baseline measurement to full compliance process. Do you want to know if your organization meets the requirements of the upcoming Cyber Security Act? Schedule a free, no-obligation 45-minute consultation below.

‍