Are you ready for NIS2?

Daphne Frik

10 May 2024

Although the Dutch legislation for NIS2 is running behind, the Dutch business sector should start getting their things in order, especially if they are dependent on international customers and suppliers.

If companies don’t act now, they run the risk of losing international clients, Samen Digitaal Veilig warns, a platform founded by MKB-Nederland and VNO-NCW to help companies get their digital security in order.

The NIS2 regulation will become applicable on October 17 of this year in Europe. However, the Netherlands is currently not on track to meet this deadline – in contrast to our neighboring countries such as Germany and Belgium. This might lead to a loss of clients or contracts. For example, as purchasing contracts often contain clauses requiring legal compliance, international companies will not be allowed to continue working with Dutch suppliers if the organization doesn’t comply with NIS2 standards.


What’s NIS2 exactly? The Directive on measures for a high common level of cybersecurity across the Union (the NIS2 Directive) follows and expands on the EU cybersecurity rules introduced in 2016. It expands the scope of the cybersecurity rules to new sectors and entities, with the aim of further improving companies’, authorities’, and the EU’s resilience and incident response capacities.

Requirements and measures in NIS2 include incident response and crisis management, vulnerability handling and disclosure, policies and procedures to assess the effectiveness of cybersecurity risk management measures, basic computer hygiene practices and cybersecurity training, effective use of cryptography, human resource security, and access control policies and asset management.

Key sectors include energy, transport, banking, financial markets infrastructure, healthcare, and digital infrastructure, but NIS2 also applies to important sectors such as postal and courier services, waste management, and the production and distribution of chemicals.

Member States will have to transpose NIS2 by October 17 of this year. While cybersecurity rules have been difficult to enforce in the past, NIS2 sets up a consistent framework for sanctions across the EU. It does so by establishing a minimum list of administrative sanctions for breaches of the cybersecurity risk management and reporting obligations. These sanctions include binding instructions as well as administrative fines.

The need for NIS2

Companies are often too optimistic in their risk assessments, and organizations do not recognize their weak spots until they have been attacked by cybercriminals, ABN Amro highlights in a report.

In the category of large companies, with a turnover of at least 25 million, 86 percent of organizations were attacked in 2023. In the SME segment, 71 percent of enterprises were confronted with cyberattacks. Among self-employed people, this was 55 percent. And yet, the latter two groups estimate the risks of cybercrime for themselves to be relatively low – they appear to only recognize the risks when an attack has led to damage.

Now the deadline for NIS2 is approaching, entrepreneurs, together with their customers and suppliers, must hurry to get their things in order, the report points out.

How to prepare

Although the Dutch law might not be ready in time for the deadline, that doesn’t mean you can’t start preparing. The Dutch government has published a Quickscan, which includes 40 questions on the cybersecurity of your organization that together will define its cyber resilience – and show where you can improve. If you’re unsure whether NIS2 applies to your organization, a self-evaluation has also been published.
In addition, you can start preparing for NIS2 by: