NIS2 directive

Compliance

Kees van der Vlies

Partner | IT Auditor


The NIS2 directive (Network and Information Security Directive 2) is a landmark European law that puts cybersecurity on the agenda of executives. For Dutch organisations, this means concrete obligations and significant consequences in the event of non-compliance.

NIS2 replaces the original NIS directive from 2016 and introduces far stricter requirements. The directive defines two categories of entities: essential entities (energy, water, health, transport) and important entities (ICT, digital service providers, the financial sector). Both groups must comply with substantial cybersecurity measures.

One of the biggest changes concerns top-level governance. NIS2 makes management boards responsible for cybersecurity strategy and incident response. This places the risks and liabilities at executive level, and many organisations are taking that seriously.

The directive also sets considerably higher requirements for incident reporting. Organisations must report cyber incidents with "serious consequences" to the competent authorities. In the Netherlands, this is the NCSC. The reporting structure is tiered: an early warning within 24 hours, followed by a full incident report within 72 hours and a final report within one month.

Technical controls have also been expanded. NIS2 calls for encryption, multi-factor authentication, network segmentation, incident response planning, and continuous monitoring of cybersecurity threats. Organisations must have a structured approach to risk management, not merely ad-hoc measures.

Implementation in the Netherlands takes place through the revised Network and Information Systems Security Act (Wbni). For many organisations, this is a considerable effort that requires more than just IT. Change management, training and cultural change are just as important as technical measures.

We understand the complexity of NIS2 compliance. Our team helps organisations assess their current cybersecurity posture and develop a realistic implementation plan. Let us make your organisation NIS2-ready together. Get in touch.

