NIS2 Directive: What Dutch Businesses Need to Know

Fanel Besleaga

A New Era of Cybersecurity Regulation

The NIS2 Directive represents the most significant overhaul of European cybersecurity legislation in nearly a decade. For Dutch businesses, this translates into the Cyberbeveiligingswet — a national law that will bring approximately 8,000 organizations under mandatory cybersecurity requirements for the first time.

If your business operates in a covered sector, understanding these requirements is not optional. The penalties for non-compliance are severe, and enforcement is expected to begin in Q2 2026.

Who Is Affected?

NIS2 dramatically expands the scope of organizations covered compared to the original NIS directive. The law applies to two categories:

Essential Entities — Large organizations (250+ employees or €50M+ turnover) in critical sectors including energy, transport, banking, healthcare, and digital infrastructure.

Important Entities — Medium organizations (50+ employees or €10M+ turnover) in sectors such as manufacturing, food production, waste management, postal services, and digital providers.

Even smaller organizations may fall under the directive if they are identified as critical by national authorities or operate in specific high-risk subsectors.

Key Requirements Under Article 21

The directive mandates a comprehensive set of cybersecurity measures. Article 21 outlines the minimum requirements that all covered entities must implement:

  1. Risk analysis and information system security policies — documented, regularly updated risk assessments
  2. Incident handling — established procedures for detecting, reporting, and responding to security incidents
  3. Business continuity — backup management, disaster recovery, and crisis management planning
  4. Supply chain security — assessment and management of cybersecurity risks from suppliers and service providers
  5. Security in network and information systems — including vulnerability handling and disclosure
  6. Cybersecurity risk management effectiveness assessment — regular testing and auditing of measures
  7. Basic cyber hygiene and training — organization-wide cybersecurity awareness programs
  8. Cryptography and encryption — policies and procedures for the use of encryption
  9. Human resources security — access control policies and asset management
  10. Multi-factor authentication — use of MFA and secure communication systems

Incident Reporting: The 24-Hour Rule

One of the most impactful requirements is the mandatory incident reporting timeline:

  • Within 24 hours: An early warning must be sent to the national CSIRT (for the Netherlands, this is the NCSC)
  • Within 72 hours: A full incident notification with initial assessment
  • Within one month: A final report with detailed analysis and remediation measures

Failure to report within these windows carries its own penalties, separate from any breach-related fines.

Penalties That Demand Attention

NIS2 introduces significant financial penalties modeled after GDPR:

  • Essential entities: Fines up to €10 million or 2% of global annual turnover, whichever is higher
  • Important entities: Fines up to €7 million or 1.4% of global annual turnover, whichever is higher

Beyond financial penalties, the directive introduces personal accountability for management. Board members and senior executives can be held personally liable for non-compliance, and authorities can temporarily suspend management from their duties.

Board-Level Accountability

NIS2 makes cybersecurity a board-level responsibility. Management bodies must:

  • Approve cybersecurity risk management measures
  • Oversee their implementation
  • Undergo cybersecurity training
  • Be held accountable for non-compliance

This is a significant shift from treating cybersecurity as a purely technical matter delegated to IT departments.

How to Prepare

With enforcement approaching, Dutch businesses should take these steps now:

  1. Determine if you are in scope — Review the covered sectors and size thresholds to understand your classification
  2. Conduct a gap assessment — Compare your current security posture against Article 21 requirements
  3. Implement missing controls — Prioritize the highest-risk gaps, starting with incident response and risk management
  4. Establish incident reporting procedures — Ensure you can meet the 24-hour notification requirement
  5. Document everything — Compliance evidence and audit trails are essential
  6. Engage your supply chain — Assess and manage third-party cybersecurity risks
  7. Train your board — Ensure management understands their obligations and liability

Getting Compliant Without Building an Army

For many Dutch SMBs, meeting NIS2 requirements in-house would require significant investment in staff, tools, and processes. Managed security services offer a practical alternative — providing the monitoring, detection, incident response, and compliance evidence that the directive demands, at a fraction of the cost of building these capabilities internally.

The key is to start now. Organizations that wait until enforcement begins will face a scramble that is both more expensive and more disruptive than proactive preparation.