What does NIS2 mean for Dutch organizations?

More organizations are covered by NIS2
The first NIS directive only applied to vital sectors, such as energy and telecom. NIS2 goes much further. Healthcare institutions, governments, ICT service providers, transport companies, financial institutions and numerous suppliers will also fall under the new law. The goal: to strengthen the digital resilience of the entire chain. Because a leak at one supplier can have major consequences for the continuity of other parties.
In concrete terms, this means that thousands of organizations in the Netherlands will soon be obliged to demonstrably have their information security in order.
New obligations under the Cybersecurity Act
The Cybersecurity Act (CBW) makes NIS2 legally enforceable in the Netherlands. This means that organizations that fall under the directive will soon be obliged to meet requirements in the areas of:
- Risk Management: structurally identify risks and take appropriate measures.
- Governance: directors are explicitly responsible for cybersecurity.
- Incident Management: serious incidents must be reported within 24 hours.
- Policies and processes: measures must be defined, monitored and continuously improved.
- Supplier Management: suppliers must also demonstrably work securely.
The government will supervise through designated bodies. Those who fail to comply may face fines and corrective measures.
NIS2 and ISO 27001: a strong basis together
Many organizations already use ISO 27001 for information security. This is good news, because ISO 27001 closely matches the requirements of NIS2. An ISO 27001-certified information security management system (ISMS) helps you manage risks, safeguard policies and be demonstrably compliant.
With a few extra steps, such as specific reporting procedures, you can largely meet the requirements of the Cybersecurity Act from ISO 27001. Organizations that do not yet have an ISMS can use NIS2 as a reason to set one up in a structured way.
Demonstrable compliance: no NIS2 certification, but compliance
There is no official NIS2 certification, but you must demonstrate compliance. This means that your organization must be able to show in audits or supervision how risks are managed and security measures have been set up. One way to get started is through a NIS2 check or NIS2 audit. This gives you insight into the current situation and shows where improvements are needed to become compliant.
For suppliers, there is the NIS2 Supply Chain Certificate (NIS2 SC) — a label that shows that you meet the requirements that NIS2 organizations set for their partners. This label increases trust in cooperation and makes it easier to demonstrate that you handle information carefully.
The impact of NIS2 in practice
For many organizations, the introduction of NIS2 means that cybersecurity is no longer something “added”, but becomes part of the core of company policy. Directors must be aware of risks, teams must record processes and suppliers must provide insight into their security level.
This requires a structural approach, in which policy, technology and people come together. A NIS2 implementation is therefore not only an obligation, but also an opportunity to improve processes and permanently reduce risks.
Demonstrated NIS2 compliance
The NIS2 directive changes the cybersecurity playing field in the Netherlands. Organizations must demonstrably work safely, directors bear responsibility and chain partners are critically included in the security approach.
By starting a NIS2 check or NIS2 assessment now, you'll gain insight into where your organization stands and what it takes to become compliant before the Cybersecurity Act comes into effect.
Schedule a free, no-obligation 45-minute consultation to find out where your organization stands and how we can help implement NIS2 in the Netherlands.





















