
Navigating NIS2: A Practical Guide for Dutch Organizations

G3 Prime Team · 3 min read

The NIS2 Directive entered into force across EU member states in October 2024, and the Netherlands has transposed it through the Cyberbeveiligingswet. If your organisation operates in one of the sectors covered by the directive — energy, transport, banking, health, digital infrastructure, managed services, and several others — you are now subject to obligations that go significantly further than NIS1 did.

The challenge for most organisations isn't understanding that NIS2 exists. It's understanding what specifically is required and in what order to address it. The directive is principle-based rather than prescriptive, which is intentional — it gives organisations flexibility but also demands judgment about what "appropriate and proportionate" security measures actually means for your specific context.

What NIS2 Actually Requires

The core obligations break down into three areas:

  • Risk management measures: organisations must implement security policies covering incident handling, supply chain security, access control, cryptography, business continuity, and HR security. These aren't new concepts, but NIS2 makes them legally required and auditable.
  • Incident reporting: significant incidents must be reported to the national authority (NCSC-NL in the Netherlands) within 24 hours of discovery, with a full report within 72 hours. This is stricter than most organisations' current incident management processes.
  • Management accountability: NIS2 explicitly holds senior management personally liable for non-compliance. Board members and executives must approve the security measures, be trained on them, and can face personal liability if the organisation fails to meet its obligations.

Where Dutch Organisations Should Start

The most common mistake we see is treating NIS2 as an IT project. It is not. It is a governance and risk management exercise that has significant IT implications. Starting in the technology layer rather than the governance layer produces controls without strategy, and evidence without accountability.

A practical sequence for organisations that are behind:

  1. Determine your classification. Are you an essential entity or an important entity? The distinction affects the supervisory regime and the penalty scale.
  2. Conduct a gap analysis against the Article 21 measures. Be honest about what you currently do versus what the directive requires. This gives you a prioritised list of work.
  3. Get the board involved. NIS2 compliance cannot live only in IT or risk. The management liability provisions mean that executives need to understand and approve the security posture — not just sign off on a policy document.
  4. Review your supply chain. NIS2 places obligations on how you manage the security of your suppliers and service providers. Most organisations have significant gaps here.

The organisations that are approaching NIS2 seriously are using it as an opportunity to build security disciplines that genuinely reduce risk, not just satisfy a regulator. That is the right instinct, and the framework is well-designed enough to support it.


G3 Prime Team

A collective of experienced IT professionals dedicated to bridging the gap between strategic consulting and hands-on delivery.