Compliance Guide

NIS2 Compliance for Dutch Businesses

Everything you need to know about the Cyberbeveiligingswet — requirements, penalties, timelines, and how to prepare before enforcement begins.


What is NIS2?

The Network and Information Security Directive 2 (NIS2) is the European Union's updated framework for cybersecurity regulation across member states. It replaces the original NIS Directive from 2016 and significantly expands both the scope of organizations covered and the depth of requirements imposed.

In the Netherlands, NIS2 is being transposed into national law as the Cyberbeveiligingswet (Cybersecurity Act). Enforcement is expected to begin in Q2 2026, and organizations that fall within its scope must be prepared to demonstrate compliance from that date forward.

NIS2 represents a fundamental shift in how the EU approaches cybersecurity: from voluntary best practices to mandatory, enforceable requirements with significant penalties for non-compliance.

Who Is Affected?

NIS2 dramatically expands the number of organizations that must comply with cybersecurity regulations. In the Netherlands alone, an estimated 8,000 organizations will fall under the directive — compared to just a few hundred under the original NIS.

The directive applies to organizations based on two criteria: sector and size.

Essential Entities

Large organizations operating in critical sectors are classified as "Essential Entities" and face the strictest requirements and highest penalties. The size threshold is:

  • 250 or more employees, OR
  • Annual turnover exceeding €50 million, OR
  • Annual balance sheet total exceeding €43 million

Important Entities

Medium-sized organizations in covered sectors are classified as "Important Entities." While requirements are the same, penalties are somewhat lower. The size threshold is:

  • 50 or more employees, OR
  • Annual turnover exceeding €10 million, OR
  • Annual balance sheet total exceeding €10 million

Exceptions and Special Cases

Some organizations may be classified regardless of size if they are identified by national authorities as critical operators, or if they are the sole provider of a service essential to society. Certain subsectors — such as DNS providers, TLD registries, and qualified trust service providers — are automatically in scope regardless of size.

Covered Sectors

NIS2 covers a broad range of sectors, divided into two groups:

Sectors of High Criticality (Annex I)

  • Energy: electricity, oil, gas, hydrogen, district heating
  • Transport: air, rail, water, road
  • Banking and financial market infrastructures
  • Healthcare: hospitals, laboratories, medical device manufacturers, pharmaceutical companies
  • Drinking water supply and distribution
  • Wastewater management
  • Digital infrastructure: internet exchange points, DNS, TLD registries, cloud computing, data centers, CDNs, trust services, electronic communications
  • ICT service management (B2B): managed service providers, managed security service providers
  • Public administration (central and regional government)
  • Space: ground-based infrastructure operators

Other Critical Sectors (Annex II)

  • Postal and courier services
  • Waste management
  • Chemical manufacturing, production, and distribution
  • Food production, processing, and distribution
  • Manufacturing: medical devices, computers, electronics, machinery, motor vehicles, other transport equipment
  • Digital providers: online marketplaces, search engines, social networking platforms
  • Research organizations

Article 21 Requirements

Article 21 of the NIS2 Directive defines the cybersecurity risk management measures that all covered entities must implement. These requirements are designed to be proportionate to the organization's risk exposure and are enforceable from the date of national transposition.

1. Risk Analysis and Security Policies

Organizations must establish and maintain comprehensive risk analysis and information system security policies. This includes:

  • Regular risk assessments covering all critical systems and data
  • Documented security policies approved by management
  • Periodic review and update of policies based on changing threats

2. Incident Handling

A structured approach to security incident management is mandatory:

  • Incident detection and monitoring capabilities
  • Defined incident response procedures and escalation paths
  • Post-incident analysis and lessons learned processes
  • Compliance with mandatory reporting timelines (see below)

3. Business Continuity and Crisis Management

Organizations must plan for operational resilience:

  • Backup management and disaster recovery procedures
  • Crisis management plans and communication protocols
  • Regular testing of continuity plans
  • Defined Recovery Time Objectives (RTOs) for critical systems

4. Supply Chain Security

NIS2 places significant emphasis on supply chain risk:

  • Assessment of cybersecurity risks from direct suppliers and service providers
  • Contractual security requirements for critical suppliers
  • Monitoring of supplier security posture
  • Incident notification requirements extending to the supply chain

5. Security in Systems Acquisition, Development, and Maintenance

Security must be embedded in the lifecycle of information systems:

  • Secure development practices
  • Vulnerability handling and disclosure policies
  • Patch management procedures
  • Security testing during development and before deployment

6. Effectiveness Assessment

Organizations must regularly evaluate whether their security measures are working:

  • Cybersecurity audits and assessments
  • Penetration testing
  • Security metrics and KPIs
  • Management review of security effectiveness

7. Cyber Hygiene and Training

Basic cybersecurity practices must be maintained across the organization:

  • Security awareness training for all employees
  • Phishing simulation and testing
  • Clear acceptable use policies
  • Regular updates to training based on current threats

8. Cryptography and Encryption

Appropriate use of cryptographic controls:

  • Encryption policies for data at rest and in transit
  • Key management procedures
  • Regular review of cryptographic standards

9. Human Resources and Access Control

People and access management:

  • Background checks for personnel in sensitive roles
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Access review and revocation procedures

10. Multi-Factor Authentication

Technical authentication requirements:

  • MFA for access to critical systems
  • Secure authentication mechanisms
  • Continuous authentication where appropriate
  • Secure emergency access procedures

Penalties

NIS2 introduces a penalty framework modeled after GDPR, with fines designed to be dissuasive:

For Essential Entities

  • Fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher
  • Temporary suspension of certifications or authorizations
  • Temporary prohibition of management functions for responsible individuals

For Important Entities

  • Fines up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher
  • Same administrative measures as essential entities, though enforcement is primarily reactive rather than proactive

Personal Liability

Unlike many previous cybersecurity regulations, NIS2 explicitly introduces board-level accountability. Senior management can be held personally responsible for compliance failures, and supervisory authorities can temporarily ban individuals from management positions.

Incident Reporting Requirements

NIS2 establishes strict timelines for reporting significant security incidents to the national CSIRT (in the Netherlands, the NCSC):

Timeline    Requirement
24 hours    Early warning: initial notification that a significant incident has occurred
72 hours    Incident notification: updated assessment including severity, impact, and indicators of compromise
1 month     Final report: detailed analysis, root cause, remediation measures, and cross-border impact

A "significant incident" is defined as one that causes or is capable of causing severe operational disruption or financial loss, or that affects or is capable of affecting other organizations.

Failure to meet these reporting requirements carries penalties independent of the underlying incident.

Board-Level Accountability

NIS2 makes cybersecurity a governance issue, not just a technical one. Management bodies are required to:

  • Approve cybersecurity risk management measures adopted under Article 21
  • Oversee the implementation of those measures
  • Complete cybersecurity training to ensure they can make informed decisions
  • Accept liability for non-compliance with the directive

This means board members and C-level executives can no longer delegate cybersecurity entirely to technical teams. They must demonstrate active engagement with and understanding of their organization's security posture.

How Zybur Helps You Comply

Meeting NIS2 requirements does not have to mean building an internal security team from scratch. Zybur's managed security platform addresses the core requirements of Article 21:

Risk Analysis and Monitoring

Our 24/7 AI-powered monitoring continuously assesses your security posture. Weekly posture reports provide documented risk analysis that satisfies regulatory requirements.

Incident Handling

With 1,300+ detection rules and AI-powered triage, Zybur detects threats in under 30 minutes. Our automated incident reporting ensures you meet the 24-hour early warning requirement with detailed, audit-ready documentation.

Identity and Access Management

Our Identity Threat Detection and Response (ITDR) capabilities monitor for credential compromise, privilege escalation, and lateral movement — directly supporting the access control and MFA requirements.

Multi-Alert Correlation

Our AI correlation engine connects isolated events into attack narratives, providing the kind of comprehensive threat analysis that regulators expect from mature security operations.

Compliance Evidence

Every detection, investigation, and response action is documented automatically. This creates the compliance evidence and audit trail that NIS2 requires, without manual effort from your team.

Board-Level Reporting

Our reporting is designed to be board-ready. Executive summaries, trend analysis, and risk assessments give management the visibility they need to fulfill their oversight obligations under the directive.

Supply Chain Monitoring

Our Enterprise plan includes supply chain monitoring capabilities, helping you assess and manage the cybersecurity risks posed by your suppliers and service providers.

Timeline and Next Steps

The expected timeline for NIS2 enforcement in the Netherlands:

  • Original transposition deadline: October 17, 2024
  • Dutch legislation (Cyberbeveiligingswet): Expected enforcement Q2 2026
  • Compliance required: From the date of enforcement

Recommended next steps:

  1. Determine your classification — Are you an Essential or Important entity?
  2. Conduct a gap assessment — Map your current security posture against Article 21 requirements
  3. Prioritize remediation — Focus on the highest-risk gaps first
  4. Implement monitoring — Ensure you have 24/7 detection and response capabilities
  5. Establish reporting procedures — Prepare for the 24-hour incident notification requirement
  6. Document everything — Build your compliance evidence trail
  7. Engage management — Ensure board-level awareness and training
  8. Review supply chain — Assess your suppliers' security posture

Do not wait for enforcement to begin. Organizations that prepare now will be ready; those that wait will face a costly and disruptive scramble.

Ready to get started? Contact Zybur for a free NIS2 readiness assessment and learn how our managed security platform can help you achieve and maintain compliance.