Our society runs on digital systems, but they are vulnerable to cyberattacks. Cybercrime is a multi-billion-dollar industry, and criminals use digital weapons as a strategic tool. With the rise of hybrid work and geopolitical tensions, an attack is not a question of if, but when.
That is why the EU is tightening the rules with NIS2. This directive imposes stricter requirements on key organizations and their supply chain partners. Failure to comply can lead to heavy fines and serious risks.
In this article, we explain what NIS2 means, compare it to the old directive and provide practical tips for becoming NIS2 compliant.
From NIS to NIS2
NIS2 (Network and Information Security 2) is an EU directive to strengthen cyber resilience in Europe. It serves as the basis for national legislation and defines the minimum security measures organizations must take, to whom the rules apply and the consequences of non-compliance.
Directive versus regulation
NIS2 is a directive, not a regulation. This means that EU member states must translate the rules into their own national legislation; the outcome is mandatory, but the form is left to each state. By October 2024, they must have this in place.
The successor to NIS
Since 2016, the NIS Directive, implemented in the Netherlands as the Wbni (Wet beveiliging netwerk- en informatiesystemen), has been in force. NIS2 is an expanded update that better reflects current cyber threats and applies to more sectors, such as ICT service providers, the manufacturing industry and vital supply chains. In addition, NIS2 introduces a cyber incident reporting requirement and stricter enforcement, requiring member states to actively monitor compliance.
Still under development
The directive was approved in December 2022, but implementation is still evolving. Member states must not only legislate, but also develop enforcement mechanisms. As with the AVG (GDPR), each sector will have to find practical ways to comply.
The legal framework of NIS2
NIS2 focuses on organizations with a societal function and distinguishes between:
- Essential organizations - Large companies (≥ 250 employees or turnover >€50 million).
- Important organizations - Medium-sized companies (≥ 50 employees or turnover >€10 million).
- Chain partners - Suppliers to essential or important organizations.
- Strategic small businesses - For example, administrators of top-level domains or telecom services.
- Designated exceptions - Organizations required by the government to comply with NIS2.
Monitoring and enforcement
NIS2 compliance is mandatory, and supervision varies by category:
- Essential organizations: Proactive compliance checks at all times.
- Important organizations: Supervision after an incident or other concrete cause.
Chain partners
Even companies without a direct NIS2 designation may need to comply if they are part of a critical supply chain. This is intended to prevent cyber attacks that enter through weak links in the chain.
Fines and liability
- Essential organizations: Fines of up to €10 million or 2% of global turnover.
- Important organizations: Fines of up to €7 million or 1.4% of turnover.
- Directors' liability: Executives are personally responsible for compliance.
Core principles of NIS2
NIS2 imposes obligations on organizations within two main pillars:
1. Duty of Care
Organizations must take appropriate measures to ensure digital security and continuity. NIS2 does not prescribe specific technologies, but emphasizes that measures must be technically, operationally and organizationally proportionate to the risk. Key areas of focus are:
- Risk analysis: Regular evaluation of security risks, including penetration testing.
- Effectiveness of measures: Ongoing monitoring of whether security measures are adequate.
- Chain security: Coordinate with vendors on data security and communication.
- Cyber hygiene and security awareness: Mandatory training to make employees aware of cyber risks.
- Encryption: Sensitive data and communications must be encrypted.
- Physical security: Access control for employees, visitors and systems.
- Multifactor authentication (MFA): Mandatory where relevant.
- Information systems security: Solutions such as identity management, endpoint security and cloud security.
- Vulnerability management: Proactively address vulnerabilities with an update and patch policy.
- Incident response: A clear plan with assigned responsibilities in the event of cyber incidents.
- Continuity management: Rapid resumption of services after an attack, supported by backups and contingency plans.
NIS2 requires organizations not only to have their own security in order, but also to structurally address risks in their supply chain and internal processes.
2. Duty to report
NIS2 introduces a notification requirement for digital disruptions. Organizations must report incidents to the appropriate authority, similar to the data breach reporting requirement under the AVG (GDPR).
Reporting requirements:
- Incidents involving service disruption must be reported within 24 hours.
- Other incidents must be reported within 72 hours.
- A final report must be submitted one month after the incident, detailing the investigation results, impact and actions taken.
- The notification must be submitted to the relevant authority (currently the NCSC).
Implementation of NIS2
Complying with NIS2 requires a thoughtful approach. Cybersecurity is not only a legal obligation but also essential for business continuity and societal stability.
Step 1: Perform risk analysis
- Identify and evaluate information security risks.
- Prioritize risks based on impact and likelihood.
Step 2: Implement security measures
- Choose measures based on the risk analysis and the NIS2 directive.
- Ensure technical and organizational security of data and systems.
Step 3: Develop incident response plans
- Define roles and responsibilities in security incidents.
- Establish procedures for detection, notification and recovery after incidents.
- Train employees in incident management.
Step 4: Monitoring and evaluation
- Set up a monitoring program to detect anomalies and incidents.
- Evaluate and improve security measures based on emerging threats.
- Ensure compliance with NIS2 reporting requirements.
Use of existing frameworks and certifications
ICT service providers for essential or important organizations may be required to obtain EU-recognized certification.
- CIS Controls offers a list of 120 cybersecurity best practices.
- ISO 27001 and NEN 7510 are valuable certifications, but do not automatically guarantee NIS2 compliance.
By starting early, organizations can comply with the NIS2 directive in a structured way and strengthen their digital resilience.
Summary NIS2
NIS2 is the updated EU cybersecurity directive designed to strengthen digital resilience in Europe.
- Replaces the NIS Directive and provides the basis for national legislation.
- Applicable to:
- Essential and important organizations.
- Chain partners and specific small businesses.
- Organizations in Internet infrastructure and government agencies.
- Obligations:
- Implementation of security measures.
- Reporting of cyber incidents within 24 hours (in cases of disruption) or 72 hours (in other cases).
- Enforcement and sanctions:
- Proactive supervision for essential organizations.
- Supervision of important organizations when there is concrete cause, such as an incident.
- Fines for non-compliance, with directors jointly and severally liable.
- The NIS2 directive has two pillars:
- Duty of care: Appropriate technical, operational and organizational measures.
- Reporting requirement: Timely reporting of cyber incidents.
- Tools for compliance:
- CIS Controls (best practices).
- Certifications such as ISO 27001 and NEN 7510 help, but do not guarantee automatic compliance.
Conclusion
Strong cybersecurity has never been optional, and NIS2 confirms that. But compliance alone should not be the driver.
The real reasons for robust security:
- Protecting the organization: Preventing service interruptions, data theft and reputational damage.
- Societal impact: Limiting economic damage and outages of critical facilities.
Security is not a checklist, but an ongoing process. NIS2 is just one step in a broader regulatory framework. Digital resilience is and will remain essential, not only for NIS2, but also for the future of cybersecurity.