
    NIS2 Directive: does it apply to your business and what do you need to arrange?

    3 April 2026, Mohammad Moghtader
    NIS2 directive compliance for Dutch businesses

    The NIS2 directive (Directive (EU) 2022/2555, the Network and Information Security Directive 2) is the European Union's updated cybersecurity legislation. It replaces the original NIS directive from 2016 and significantly expands both the scope and the requirements. For many Dutch businesses, this means new obligations around cybersecurity, risk management and incident reporting.

    In this article we explain what NIS2 is, whether your organisation falls under it, what you need to arrange and how to prepare, step by step.

    What is the NIS2 Directive?

    NIS2 is a European directive that requires EU member states to implement stricter cybersecurity rules in national law. The directive was adopted in November 2022 and member states had until 17 October 2024 to transpose it into national legislation.

    In the Netherlands, the implementation is handled through the Cyberbeveiligingswet (Cybersecurity Act), which is expected to come into force during 2025.

    The goals of NIS2 are clear:

    • Raise the overall level of cybersecurity across the EU
    • Harmonise requirements between member states
    • Improve incident reporting and cross-border cooperation
    • Strengthen supply chain security
    • Increase accountability of management

    Who does NIS2 apply to?

    NIS2 significantly expands the number of organisations that fall under cybersecurity regulation. The directive lists the covered sectors in two annexes and distinguishes between two categories of entity. Which category you fall in depends on both sector and size: large organisations in the Annex I sectors are essential entities, medium-sized organisations in those same sectors are important entities (with a few size-independent exceptions), and medium and large organisations in the Annex II sectors are important entities.

    Essential entities

    These are, as a rule, large organisations in the Annex I sectors, which NIS2 deems of high criticality to society:

    • Energy: electricity, gas, oil, district heating
    • Transport: air, rail, water, road
    • Banking and financial market infrastructure
    • Healthcare: hospitals, laboratories, pharmaceutical companies
    • Drinking water supply and waste water
    • Digital infrastructure: DNS providers, data centres, cloud services, internet exchange points
    • ICT service management (B2B): managed service providers (MSPs), managed security service providers (MSSPs)
    • Public administration
    • Space

    Important entities

    These are medium and large organisations in the Annex II sectors, which NIS2 calls the other critical sectors, plus medium-sized organisations in the Annex I sectors listed above:

    • Postal and courier services
    • Waste management
    • Chemical manufacturing, production and distribution
    • Food production, processing and distribution
    • Manufacturing: medical devices, electronics, machinery, motor vehicles
    • Digital providers: online marketplaces, search engines, social platforms
    • Research organisations

    Size thresholds

    Generally, NIS2 applies to organisations in these sectors that are medium-sized or larger under the EU SME definition:

    Category   Employees   Annual turnover    Balance sheet total
    Medium     50-249      €10-50 million     €10-43 million
    Large      250+        €50 million+       €43 million+

    The three columns are not independent tests. An organisation counts as medium-sized, and so falls in scope, if it has at least 50 employees, or if both its annual turnover and its balance sheet total exceed €10 million. It counts as large if it has 250 or more employees, or if its turnover exceeds €50 million and its balance sheet total exceeds €43 million.

    Important exceptions: some organisations fall under NIS2 regardless of size, including DNS service providers, TLD name registries, trust service providers, providers of public electronic communications networks or services, and entities that are the sole provider in a member state of a service essential to society or the economy.
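
    The applicability test above is easy to get wrong, because the size thresholds come from the EU SME definition, where head-count and the two financial ceilings combine with "or" and "and" rather than as independent rows of a table. The following Python script is an added example, not part of this article and not an official tool: it encodes that size logic and the essential/important split between the Annex I and Annex II sectors, and prints the result for a set of constructed sample organisations. The two boolean flags on Entity are an assumed simplification for the size-independent cases; national designations under the Dutch Cyberbeveiligingswet and the critical-entity route are not modelled, so treat the output as a first screen to be confirmed by counsel.

```python
"""Minimal NIS2 scope check (added example, not from the article).

Encodes the size classes of Recommendation 2003/361/EC and the
essential/important split NIS2 draws between its Annex I ("high
criticality") and Annex II ("other critical") sectors. National
designations and the critical-entity route are NOT modelled; the
flags on Entity are an assumed way to mark a known exception.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

MILLION = 1_000_000


class Annex(Enum):
    HIGH_CRITICALITY = "Annex I"   # energy, transport, health, digital infrastructure, ...
    OTHER_CRITICAL = "Annex II"    # postal, waste, chemicals, food, manufacturing, digital providers, ...


@dataclass
class Entity:
    name: str
    annex: Annex
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    # Assumed flags for the size-independent cases: DNS service providers,
    # TLD registries and qualified trust service providers are essential
    # regardless of size; a sole provider of a critical service is brought
    # into scope regardless of size but is not automatically essential.
    essential_regardless_of_size: bool = False
    in_scope_regardless_of_size: bool = False


def size_class(employees: int, turnover_eur: float, balance_sheet_eur: float) -> str:
    """Return 'small', 'medium' or 'large' per the EU SME definition.

    Note the asymmetry: an enterprise stays small only if it has fewer than
    50 employees AND at least one of the 10 M EUR ceilings holds; crossing
    50 employees OR exceeding both ceilings makes it medium-sized.
    """
    if employees >= 250 or (turnover_eur > 50 * MILLION and balance_sheet_eur > 43 * MILLION):
        return "large"
    if employees < 50 and (turnover_eur <= 10 * MILLION or balance_sheet_eur <= 10 * MILLION):
        return "small"
    return "medium"


def nis2_category(e: Entity) -> Optional[str]:
    """Return 'essential', 'important', or None when NIS2 does not apply."""
    size = size_class(e.employees, e.turnover_eur, e.balance_sheet_eur)
    if e.essential_regardless_of_size:
        return "essential"
    if size == "small" and not e.in_scope_regardless_of_size:
        return None
    if e.annex is Annex.HIGH_CRITICALITY and size == "large":
        return "essential"
    # Medium entities in Annex I, and medium/large entities in Annex II.
    return "important"


# Constructed sample organisations (not real companies).
SAMPLES = [
    Entity("university hospital", Annex.HIGH_CRITICALITY, 800, 400 * MILLION, 350 * MILLION),
    Entity("regional clinic", Annex.HIGH_CRITICALITY, 120, 30 * MILLION, 20 * MILLION),
    Entity("small DNS operator", Annex.HIGH_CRITICALITY, 12, 2 * MILLION, 1 * MILLION,
           essential_regardless_of_size=True),
    Entity("food distributor", Annex.OTHER_CRITICAL, 300, 120 * MILLION, 60 * MILLION),
    Entity("web shop", Annex.OTHER_CRITICAL, 30, 8 * MILLION, 5 * MILLION),
    # 40 staff but both financial ceilings exceeded: medium-sized, hence in scope.
    Entity("chemicals distributor", Annex.OTHER_CRITICAL, 40, 20 * MILLION, 15 * MILLION),
]


def scope_report(entities=SAMPLES) -> dict:
    """Map each entity name to its NIS2 category (None = out of scope)."""
    return {e.name: nis2_category(e) for e in entities}


if __name__ == "__main__":
    for name, cat in scope_report().items():
        print(f"{name:22s} -> {cat or 'out of scope'}")
```

    The "chemicals distributor" row is the case the table alone hides: fewer than 50 employees, yet in scope because turnover and balance sheet total both exceed €10 million.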

    Supply chain implications

    Even if your organisation doesn't directly fall under NIS2, you may be affected indirectly. NIS2 requires covered entities to manage cybersecurity risks in their supply chains. This means your clients may require you to meet certain security standards as a condition of doing business.

    What are the key requirements?

    NIS2 imposes obligations in four main areas:

    1. Risk management measures

    Organisations must implement appropriate technical, operational and organisational measures to manage cybersecurity risks. At minimum, this includes:

    • Risk analysis and information security policies
    • Incident handling: prevention, detection and response
    • Business continuity: backup management, disaster recovery, crisis management
    • Supply chain security: assessing and managing supplier risks
    • Security in network and system acquisition, development and maintenance, including vulnerability handling and disclosure
    • Policies and procedures for assessing the effectiveness of measures: regular testing and auditing
    • Cryptography and, where appropriate, encryption
    • Human resource security, access control policies and asset management
    • Multi-factor or continuous authentication and secured voice, video and text communication

    2. Incident reporting

    NIS2 introduces strict reporting obligations for significant incidents:

    Timeframe         Requirement
    Within 24 hours   Early warning to the CSIRT or competent authority, indicating whether the incident is suspected to be malicious and whether it could have a cross-border impact
    Within 72 hours   Incident notification that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
    Within 1 month    Final report (counted from the incident notification) with a detailed description, the root cause, the mitigation measures taken and any cross-border impact

    An incident is significant, and therefore reportable, when it has caused or is capable of causing severe operational disruption or financial loss for your organisation, or has affected or is capable of affecting other persons by causing considerable material or non-material damage. In practice this covers incidents affecting the availability, integrity or confidentiality of the services you provide.

    3. Management accountability

    This is a significant change from the original NIS directive. Under NIS2, management bodies (board of directors, executive management) must:

    • Approve the cybersecurity risk management measures
    • Oversee their implementation
    • Be held liable for non-compliance
    • Undergo cybersecurity training

    Management can no longer delegate cybersecurity to the IT department and consider it handled. They are personally accountable.

    4. Registration and cooperation

    Organisations must register with the relevant national authority and cooperate with supervisory bodies during inspections and audits.

    Timeline and enforcement

    When does it take effect?

    • November 2022: directive adopted by the EU
    • 17 October 2024: deadline for national transposition (most member states, including the Netherlands, missed it)
    • 2025: expected entry into force of the Dutch Cyberbeveiligingswet
    • 2025-2026: transition period for organisations to comply

    Penalties

    NIS2 introduces significant penalties for non-compliance:

    Entity type          Maximum fine
    Essential entities   €10 million or 2% of total worldwide annual turnover, whichever is higher
    Important entities   €7 million or 1.4% of total worldwide annual turnover, whichever is higher

    Additionally, management can be held personally liable, and for essential entities supervisory authorities can temporarily ban the responsible managers from exercising managerial functions.

    How to prepare: 7 steps

    Step 1: Determine if NIS2 applies to you

    Check whether your organisation operates in one of the covered sectors and meets the size thresholds. Also consider whether your clients are covered entities that may impose requirements on your organisation.

    Step 2: Conduct a gap analysis

    Compare your current security measures against the NIS2 requirements. Identify what you already have in place and what needs to be improved. Key areas to assess:

    • Risk management policies and procedures
    • Incident detection and response capabilities
    • Business continuity and backup strategy
    • Supply chain risk management
    • Access control and authentication (MFA)
    • Employee awareness and training

    Step 3: Get management on board

    NIS2 requires management accountability. Ensure your board or executive team understands the implications, approves the security strategy and allocates the necessary budget.

    Step 4: Implement technical measures

    Based on your gap analysis, implement the technical controls you are missing: for example multi-factor authentication, encryption, tested backups and recovery, and the logging and monitoring needed to detect incidents.

    Step 5: Establish incident response procedures

    Create and document your incident response plan, including:

    • How to detect and classify incidents
    • Who to notify (internal and external)
    • How to meet the 24-hour early warning, 72-hour notification and one-month final report deadlines
    • Post-incident review process

    Step 6: Address supply chain security

    Map your critical suppliers and assess their security posture. Include cybersecurity requirements in contracts and conduct periodic reviews.

    Step 7: Document and test

    Document all policies, procedures and measures. Conduct regular tests, including penetration tests, phishing simulations and disaster recovery exercises, and keep records for audit purposes.

    How ISO 27001 helps with NIS2 compliance

    If your organisation is already ISO 27001 certified, or works with a certified IT partner, you have a significant head start. ISO 27001 covers many of the same areas as NIS2:

    NIS2 requirement             ISO 27001:2022 coverage
    Risk analysis and policies   Clause 6.1.2 (information security risk assessment) and Annex A.5.1 (policies for information security)
    Incident handling            Annex A.5.24-5.28 (incident management)
    Business continuity          Annex A.5.29-5.30 (ICT continuity and readiness)
    Supply chain security        Annex A.5.19-5.23 (supplier relationships)
    Access control               Annex A.5.15-5.18 and A.8.2-8.5 (access management)
    Cryptography                 Annex A.8.24 (use of cryptography)
    HR security                  Annex A.6 (people controls)

    Virtual Computing is ISO 27001 certified, which means our infrastructure, processes and management already meet these standards. Clients who host their IT with us benefit from this compliance foundation.

    NEN 7510 for healthcare

    For healthcare organisations, the Dutch NEN 7510 standard adds additional requirements for handling medical data. NIS2 covers healthcare as an essential sector, making NEN 7510 compliance more important than ever. Virtual Computing holds NEN 7510 certification, making us a suitable partner for healthcare organisations navigating both NIS2 and sector-specific requirements.

    Frequently asked questions

    Does NIS2 apply to small businesses?

    Generally, NIS2 targets medium and large organisations. However, certain types of organisations fall under NIS2 regardless of size, including DNS service providers, TLD registries, trust service providers and sole providers of essential services. Additionally, supply chain requirements may affect smaller businesses indirectly.

    What's the difference between essential and important entities?

    Essential entities face stricter, proactive supervision and higher penalties. Important entities are supervised reactively, meaning authorities act after an incident or complaint rather than conducting routine inspections.

    Can I be personally liable as a director?

    Yes. NIS2 explicitly states that management must approve and oversee cybersecurity measures. Directors can be held personally liable for non-compliance, and for essential entities authorities can temporarily ban them from exercising management functions.

    How does NIS2 relate to the GDPR?

    NIS2 and the GDPR are complementary. GDPR focuses on protecting personal data, while NIS2 focuses on the security of networks and information systems. An incident can trigger obligations under both: a personal data breach that is also a significant incident requires breach notification to the Data Protection Authority (in the Netherlands, the Autoriteit Persoonsgegevens) under the GDPR and incident reporting to the cybersecurity authority under NIS2, each on its own deadline.

    Do I need to be certified to comply with NIS2?

    NIS2 does not require certification. However, implementing an information security management system based on ISO 27001 is a well-established way to structure the required measures and to demonstrate them to supervisors and clients. Working with an ISO 27001-certified IT partner also provides a strong foundation.

    What if the Dutch law isn't in force yet?

    The EU directive is already adopted and sets the requirements. Even if national implementation is delayed, the direction is clear. Organisations should prepare now rather than wait, not least because achieving compliance takes months, not days.

    Can I outsource NIS2 compliance?

    You can outsource the implementation and management of security measures to a managed IT services provider, but accountability remains with your organisation's management. Choose a partner that is certified and can demonstrate compliance, like Virtual Computing.

    What is the first step I should take?

    Start with a gap analysis. Compare your current security posture against the NIS2 requirements and identify the areas that need improvement. If you're unsure where to start, contact us for a free assessment.

    Get ahead of NIS2

    Don't wait until the legislation is enforced. Start preparing now and turn compliance into a competitive advantage. Organisations that can demonstrate strong cybersecurity will increasingly win trust โ€” from clients, partners and regulators.

    Virtual Computing helps SMBs across the Netherlands achieve and maintain the security standards required by NIS2. With ISO 27001 and NEN 7510 certification, we provide the expertise and infrastructure you need.

    Get in touch for a free NIS2 readiness assessment, or become a client and let us handle your IT security and compliance.

    Written by

    Mohammad Moghtader, Partner & CTO at Virtual Computing

    Cloud infrastructure · Network management · Security · Azure
