Frequently asked questions – NIS2 directive cybersecurity
Here you will find frequently asked questions about NIS2, grouped by topic. Want to know more? Contact us by email (cybersecurity@kiwa.com) or call us directly (+31 (0)88 998 49 00).
What is NIS2?
NIS2 is the second version of the European Network and Information Security directive, with the original directive dating from 2016. NIS2 requires organizations in essential and important sectors to strengthen their cybersecurity and digital resilience, with stricter requirements and stronger enforcement than the original directive.
Is NIS2 the same as the Dutch Cybersecurity Act?
NIS2 is a European directive, while the Cybersecurity Act (Cyberbeveiligingswet, Cbw) is the Dutch law that transposes this directive into national legislation. The Cbw is therefore the Dutch implementation of NIS2, with specific obligations for organizations in the Netherlands.
Why was NIS2 introduced?
The EU concluded that the first NIS directive resulted in uneven levels of cyber resilience across member states and sectors. Due to increasing threats, stronger and more uniform rules were required.
Who does NIS2 apply to?
NIS2 applies to essential and important entities, including energy, transport, healthcare, drinking water, digital infrastructure, postal services, waste management, food production and digital service providers. Suppliers within the supply chain are also subject to stricter requirements.
How do I determine whether my organization falls under NIS2?
Member states provide scope tests and sector overviews. In the Netherlands, the NCSC publishes sector information and a referral decision tree.
What are the benefits of NIS2 compliance?
By complying with NIS2, you demonstrate that your organization has structurally implemented cybersecurity in line with recognized European standards. Discover the key benefits of NIS2 compliance for your organization on our website.
What is an NIS2 organization required to do?
- Implement risk management measures
- Report incidents within strict deadlines
- Establish and maintain security policies
- Set up business continuity and crisis management
- Allow supervision and audits
- Comply with registration obligations
What are the reporting obligations?
- Early warning within 24 hours
- Incident notification within 72 hours
- Final report within one month
What security measures does NIS2 require?
NIS2 requires, among other things, risk assessments, incident detection, backups, access control, supply chain security, encryption and training.
What about suppliers and supply chain partners?
Organizations must actively manage supply chain risks. Suppliers may need to demonstrate that they meet minimum cybersecurity standards.
Is there a mandatory NIS2 certification or label?
No. Neither the NIS2 directive nor, soon, the Dutch Cybersecurity Act (Cyberbeveiligingswet, Cbw) prescribes an official certification, certificate or label that organizations must obtain.
When do I need to comply?
The NIS2 directive was adopted at the end of 2022. Member states are currently implementing it in national legislation. Organizations must be prepared in time. The main deadline for NIS2 in the Netherlands has been postponed. The Netherlands did not meet the original EU deadline of 17 October 2024. It is expected that NIS2, through the Cybersecurity Act (Cyberbeveiligingswet, Cbw), will enter into force in the Netherlands at the end of Q2 2026.
What can you already do to prepare for NIS2 (Cyberbeveiligingswet, Cbw)?
- Determine whether your organization falls under NIS2
- Perform a gap analysis
- Map risks and processes
- Establish baseline security measures
- Prepare incident response
- Assess suppliers
- Train management
- Increase awareness
- Set up documentation
I am ISO 27001 or NEN 7510 certified. Does that mean I comply with NIS2?
ISO 27001 and/or NEN 7510 certification helps significantly, but organizations do not automatically comply with NIS2. The diagram below shows which aspects are covered by ISO 27001 or NEN 7510 and which by NIS2.

Who within an organization is best suited to assess NIS2 requirements?
Typically, this is the CISO or information security manager. This person has:
- Insight into risks, processes and security measures
- Knowledge of ISO 27001 and/or NEN 7510, which have significant overlap with NIS2
- Experience with performing gap analyses
- Knowledge of both technical and organizational measures
Can you be fined for non-compliance?
Yes. Once the Dutch Cybersecurity Act (Cyberbeveiligingswet, Cbw) enters into force, expected in 2026, supervisory authorities can:
- Impose fines
- Issue binding instructions
- Enforce audits
- Hold directors personally liable
The fines are comparable to those under the GDPR, and in some cases even stricter.
What are the fines under the Cybersecurity Act (Cyberbeveiligingswet, Cbw)?
For essential entities, for example energy, healthcare, telecom and water:
- Up to €10 million, or
- 2% of global annual turnover, whichever is higher
For important entities, for example IT service providers, postal services, waste, food and digital services:
- Up to €7 million, or
- 4% of global annual turnover
Can directors be held personally liable?
Yes, this is one of the most significant changes in the new legislation. Directors can:
- Be held personally responsible for negligence
- Be required to follow cybersecurity training
- Be temporarily suspended in extreme cases
ISO standards do not include these types of legal obligations; NIS2 does.
Do you need to be fully compliant on the first day NIS2 takes effect?
Legally, yes. The Cybersecurity Act (Cyberbeveiligingswet, Cbw) does not include a transition period. This means that organizations are required to comply with all requirements from the date of entry into force.