NIS2 compliance in 2026: what do you need to do now, concretely?

Compliance · 8 min read

Kees van der Vlies

Partner | IT Auditor

Also available in: Nederlands

The European NIS2 directive has applied since 18 October 2024, the date by which member states had to transpose it. The Netherlands is still working on its implementation act, the Cybersecurity Act (Cyberbeveiligingswet, Cbw), which translates NIS2 into Dutch law. For many organisations, NIS2 still feels like something for the future, but the reality is that the requirements already apply and that regulators are actively preparing for enforcement.

The question we receive daily comes down to this: what, concretely, do we need to do? This article answers it.

Do you fall under NIS2?

The first step is to determine whether your organisation falls within the scope of NIS2. The directive distinguishes between essential and important entities, based on the sector you operate in and the size of the organisation. Essential entities are, broadly, the larger organisations in sectors such as energy, transport, banking, healthcare, drinking water and digital infrastructure. Important entities include sectors such as postal and courier services, waste management, the chemical industry, food production, manufacturing and digital providers.

The threshold is lower than many organisations expect. Medium-sized companies in one of these sectors already fall under it: 50 or more employees, or an annual turnover or balance sheet total above 10 million euros. In addition, suppliers of essential and important entities can be indirectly affected by the supply chain responsibility that NIS2 prescribes: their customers must assess and contractually manage the security of their suppliers.

The ten measures

NIS2 (Article 21) prescribes ten categories of security measures. These are not suggestions but legal requirements:

1. Risk analysis and information security policy.
2. Incident handling.
3. Business continuity (including backup management and disaster recovery) and crisis management.
4. Supply chain security.
5. Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
6. Policies and procedures to assess the effectiveness of the measures.
7. Basic cyber hygiene practices and cybersecurity training.
8. Policies and procedures for the use of cryptography and, where appropriate, encryption.
9. Personnel security, access control policy and asset management.
10. The use of multi-factor or continuous authentication and secured communication.

The practical translation

What it comes down to in practice is that organisations must arrange a number of concrete things. First, an up-to-date risk analysis that covers information security and that is periodically reviewed. This is the foundation on which all other measures rest.

Second, an incident response plan that describes how security incidents are detected, handled and reported. NIS2 requires notification of significant incidents to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment of severity and impact within 72 hours, and a final report within one month. Your plan must therefore define who decides that an incident is significant and who submits each notification, so that the 24-hour clock does not run out while the decision is still being discussed.

Third, supply chain security. Organisations must map and manage the security risks of their suppliers and service providers. This means contractual arrangements, periodic assessments and maintaining a supplier register with risk classification.

Fourth, technical measures that match the identified risks. Consider network segmentation, logging and monitoring, patch management, multi-factor authentication and encryption of data in transit and at rest. The link to the risk analysis matters: the auditor will ask why a given measure was chosen, not only whether it exists.

Fifth, governance. The board must be demonstrably involved in cybersecurity. NIS2 explicitly places responsibility with management: the management body must approve the security measures, oversee their implementation and follow training itself, and it can be held liable if the organisation fails to comply.

What the auditor checks

As IT auditors, we see that the requirements of NIS2 largely overlap with existing frameworks such as ISO 27001 and the BIO (Baseline Informatiebeveiliging Overheid, the Dutch government baseline). Organisations that are already certified or that work according to these frameworks have a head start. But there are specific NIS2 requirements that go further, particularly the notification obligation, the supply chain responsibility and the board liability.

In a NIS2 assessment, we assess whether the organisation has correctly determined the scope, whether the required measures have been implemented and whether there is demonstrable evidence of compliance. Demonstrability is the key word. It is not enough to have a policy; you must be able to show that the policy is followed, that employees are trained, that incidents are handled according to procedure, and that management is involved.

Fines and enforcement

The sanctions under NIS2 are substantial. Essential entities risk fines of up to 10 million euros or 2% of global annual turnover, whichever is higher. Important entities risk up to 7 million euros or 1.4% of turnover, again whichever is higher. Regulators are given powers to impose audits, prescribe measures and, for essential entities that fail to remedy violations within a set deadline, temporarily prohibit directors from exercising their managerial functions.

Start today

The organisations that are best prepared are not the ones waiting for the final legal text. They are the organisations that are now updating their risk analysis, testing their incident response, assessing their suppliers and involving their board. NIS2 is not a checkbox exercise but a structural increase in the cybersecurity maturity level.

Secure Audit helps organisations determine their NIS2 scope, carry out gap analyses and implement the required measures. Get in touch for a NIS2 readiness assessment.

