
NIS2 is coming: is your organization prepared?
NIS2 is the new European directive intended to strengthen the digital resilience of critical sectors such as healthcare and government.
With stricter rules, higher fines and more responsibility for directors, the impact is significant, both for companies and for the entire supply chain.
But what exactly does NIS2 entail? To whom does the law apply? And how do you avoid sanctions? In this blog we answer frequently asked questions about this European directive.
1: What is NIS2?
NIS2 stands for Network and Information Security Directive 2. It is the successor to the previous NIS directive from 2016. The standard is a European directive that obliges organizations to improve their cyber security and digital resilience. For example, think of reporting incidents, performing risk analyses and securing network and information systems.
2: Why is NIS2 needed?
NIS2 was set up to reduce the risk of cyber attacks. Cyber attacks are becoming increasingly sophisticated, large-scale and damaging. A successful hack does not only impact one organization. It can also have major consequences for our entire society.
Security of vital sectors improved through collaboration
The EU wants to improve the security of vital sectors with this uniform legislation. In the event of incidents, countries can work together more quickly. Organisations are also encouraged to better organise their digital base. In addition, NIS2 forces us to think about where vulnerabilities lie within a company and in the supply chain.
3: Which sectors does NIS2 apply to?
The European directive applies to the protection of vital and important sectors. For example:
Vital sectors:
- Energy
- Drinking water supply
- Digital infrastructure
- Healthcare institutions
- Transport
- Government services
Key sectors:
- Food production
- Chemical industry
- Postal and courier services
- Waste management
- Digital service providers
- Industry and mechanical engineering
Does this apply to every company in these sectors, even self-employed freelancers (ZZP'ers)? No. Only organisations in these sectors with more than 50 employees or more than €10 million in turnover fall under NIS2.
4: How do you become NIS2 compliant?
To be NIS2 compliant, your organization must meet a number of obligations, including the following:
- Implement risk management (e.g. based on ISO 27001)
- Take security measures such as updates, access control and encryption
- Report cyber incidents to authorities within 24 hours
- Apply continuity management
- Secure suppliers and the supply chain
- Record governance responsibility, for example with a SISO (Security Information Officer)
5: What happens if you do not meet the NIS2 obligations?
Failure to comply with NIS2 obligations can lead to severe sanctions. Supervisors such as the National Inspectorate for Digital Infrastructure or the CCB (in Belgium) can impose fines of up to €10 million or 2% of the worldwide turnover. Audits or mandatory improvement measures can also be imposed. And in some cases, the fines can even be recovered from the board.
Reputational damage and operational risks
In addition to financial penalties, non-compliance often leads to reputational damage: customers and partners expect their data to be safe. There are operational risks too, such as loss of production, data leaks or halted processes.
6: What are the differences with NIS1, ISO standards and CRA?
NIS2 differs from the original NIS directive (NIS1) in several ways. For example, more organizations are now covered by NIS2, and governance responsibility is increased. Compared to ISO standards such as ISO 27001, and to the upcoming Cyber Resilience Act (CRA), NIS2 is more legally binding.
The table below shows the most important differences between the standards.
| Feature | NIS1 | NIS2 | ISO standards (including ISO 27001) | Cyber Resilience Act (CRA) |
|---|---|---|---|---|
| Legal status | European directive (2016) | European directive (2023, national implementation in 2024/2025) | Voluntary standard | Binding European regulation |
| Scope of application | Essential service providers (limited sectors) | Essential and important organizations in more sectors | Any organization that wants to become certified | Manufacturers of digital products |
| Governance responsibility | Barely mentioned | Mandatory at management level | Focuses on process level | Focuses on product level |
| Mandatory measures | General security measures | Extensive obligations regarding risk management, monitoring, recovery | Recommendations and requirements for information security | Obligations for secure product development and updates |
| Sanctions | Limited | High: audits, supervision, fines | No legal sanctions (only for contractual requirements) | High: CE marking mandatory, enforcement via market surveillance |
| Focus | Services and networks | Digital resilience of organizations in a broad sense | Information security | Product safety and cyber security in the chain |
| Obliged? | Yes | Yes | No | Yes |
7: From when is NIS2 mandatory in the Netherlands and Belgium?
NIS2 officially entered into force in the EU in January 2023. Each European member state had to transpose NIS2 into its own national legislation by October 2024. In the Netherlands, this is done with the new Cybersecurity Act (Cbw). However, this deadline has not been met. At the time of writing, the NCTV expects the Cbw and the Critical Entities Resilience Act to come into effect in the third quarter of 2025.
Belgium is further along. Since October 18, 2024, the NIS2 law has been part of Belgian legislation. The Belgian Cybersecurity Center (CCB) is the supervisor responsible for NIS2 enforcement in Belgium.
8: How do you prepare your organization well for NIS2?
A good preparation for NIS2 starts with insight. Map out whether your organization falls under the directive and analyze where the greatest risks lie. Then it is important to put processes, IT security and internal responsibilities in order. And make them demonstrable.
The NIS2 Quality Mark helps organizations demonstrate that they are taking the right steps toward compliance. There are 3 levels of certification:
- QM10 (basic)
- QM20 (substantial)
- QM30 (high)
Start preparing now
NIS2 is more than a legal obligation. It is also an opportunity to make your organization digitally stronger, more reliable and future-proof. And that is not an unnecessary luxury in our digital society with vulnerable OT environments. Now is the time to start preparing.
Do you have any questions about NIS2 in relation to our products and services? Or would you like more information about our process for becoming NIS2 compliant? Contact us!