NIS2 and European Cybersecurity Legislation
NIS2: Governance Is Not Delegation
Boardroom calm does not come from optimism, but from clear accountability and demonstrable follow-through.
With NIS2 and European Cybersecurity Legislation the focus is on demonstrability: translating standards into ownership, planning and verification.
This way the subject stops being a recurring discussion and becomes a manageable part of regular business operations.
Why this matters
The core of NIS2 and European Cybersecurity Legislation is risk reduction in practice. Technical context supports the choice of measures, but implementation and embedding are central.
Why this concerns you
On 16 January 2023 the NIS2 directive entered into force – the most far-reaching European cybersecurity law ever. Where the first NIS directive of 2016 was primarily aimed at a handful of sectors, NIS2 casts the net so wide that thousands of organisations in the Netherlands are directly affected. And the striking part: board members are personally liable if they fail to meet their obligations.
This is not abstract Brussels bureaucracy. This is legislation with teeth – substantial fines, director liability and regulators that will actively enforce. If you sit on a board or management team, you need to know what is coming your way.
Key message: NIS2 makes cybersecurity a board issue. No longer something you can delegate to IT and then forget. You are personally responsible.
What is NIS2 and why does it exist?
NIS stands for Network and Information Security. The first version (NIS1, 2016) was a good first step, but had significant shortcomings: too few sectors fell under it, enforcement varied enormously per EU member state, and the incident reporting obligation was vaguely defined.
NIS2 addresses those problems by:
- Substantially expanding the number of sectors
- Setting uniform rules for all EU member states
- Establishing clear reporting timelines
- Significantly tightening fines and liability
- Making supply chain security mandatory
NIS1 versus NIS2
| Aspect | NIS1 (2016) | NIS2 (2023) |
|---|---|---|
| Number of sectors | 7 | 18 |
| Type of organisations | Large only | Medium-sized and large |
| Fines | Not harmonised | Up to EUR 10 million or 2% of turnover |
| Director liability | Not explicit | Yes, personal |
| Incident reporting | Vague | Strict timelines (24/72 hours) |
| Supply chain | Not mandatory | Mandatory |
| Supervision | Reactive | Proactive and risk-based |
Does your organisation fall under it?
NIS2 distinguishes two categories: essential and important. The difference lies mainly in the intensity of supervision – but the obligations are largely the same.
Essential (strictest supervision)
| Sector | Examples |
|---|---|
| Energy | Electricity, oil, gas, hydrogen, heat |
| Transport | Aviation, rail, water, road |
| Banking | Credit institutions |
| Financial market infrastructure | Stock exchanges, central counterparties |
| Healthcare | Hospitals, laboratories, pharmaceutical companies |
| Drinking water | Water supply companies |
| Wastewater | Sewage operators |
| Digital infrastructure | DNS, TLD registries, data centres, CDNs |
| ICT services (B2B) | Managed service providers, managed security |
| Government | Central and regional governments |
| Space | Ground infrastructure operators |
Important (lighter supervision, same obligations)
| Sector | Examples |
|---|---|
| Postal and courier services | Parcel delivery companies, postal companies |
| Waste management | Collection and processing |
| Chemicals | Production and distribution |
| Food | Production, processing, distribution |
| Manufacturing | Medical devices, electronics, machinery, vehicles |
| Digital providers | Online marketplaces, search engines, social networks |
| Research | Research organisations |
The rule of thumb: organisations with more than 50 employees or more than 10 million euros in turnover in these sectors fall under NIS2. Some organisations – such as DNS providers and governments – fall under it regardless of their size.
In doubt? Assume that you fall under it. The consequences of incorrectly assuming it does not apply to you are many times greater than the effort of compliance.
The four core obligations
1. Risk management
You must take appropriate and proportionate technical and organisational measures to manage the risks to your network and information systems. That sounds abstract, but the directive is concrete:
- Risk analyses and security policies
- Incident handling (prevention, detection, response)
- Business continuity and crisis management
- Supply chain security – including security at your suppliers
- Security in the acquisition, development and maintenance of systems
- Policies and procedures to test the effectiveness of measures
- Basic cyber hygiene practices and awareness training
- Policy on the use of cryptography and encryption
- Personnel security and access management
- Multi-factor authentication and secure communications
Many of these measures – in particular logging, monitoring and detection – require a well-considered technical setup. For the technical background and practical approach we refer you to Logging, Monitoring & SIEM.
2. Incident reporting
NIS2 operates a tiered reporting regime:
| Timeline | What you must report |
|---|---|
| Within 24 hours | Early warning: a significant incident has occurred |
| Within 72 hours | Incident notification: initial assessment, severity, impact, indicators |
| Within 1 month | Final report: root cause, measures taken, cross-border impact |
A "significant incident" is an incident that causes serious operational disruption or financial loss, or that could significantly affect other organisations. How to prepare for this reporting obligation and set up a working incident response process is covered in chapter 7: Incident Response and Crisis Management.
3. Supply chain security
You are not only responsible for your own security, but also for that of your supply chain. That means:
- Assess the cybersecurity of your suppliers
- Include security requirements in contracts
- Monitor the security performance of critical suppliers
- Have a plan B if a supplier is compromised
4. Board responsibility
This is the point where it becomes personal. NIS2 requires that:
- Board members approve cybersecurity measures and oversee their implementation
- Board members complete cybersecurity training
- Board members can be held personally liable for negligence
Read that again: personally liable. Not the organisation. You. Cybersecurity is no longer an IT affair – it is a board responsibility.
Sanctions and enforcement
The fines are substantial:
| Category | Maximum fine |
|---|---|
| Essential | EUR 10,000,000 or 2% of global annual turnover (whichever is higher) |
| Important | EUR 7,000,000 or 1.4% of global annual turnover (whichever is higher) |
In addition, regulators can:
- Issue binding instructions
- Mandate security audits
- Temporarily suspend board members for repeated violations
- Order that incidents are made public
Timeline and status in the Netherlands
| Date | Event |
|---|---|
| 16 January 2023 | NIS2 directive entered into force |
| 17 October 2024 | Deadline for transposition into national legislation |
| 2025 | Cybersecurity Act (Cbw) – Dutch implementation expected |
| After entry into force | Organisations must register with the NCSC or sectoral CSIRT |
The Netherlands missed the transposition deadline – as did most EU member states. The Cybersecurity Act is in preparation. But do not wait for it: the directive is clear about what is expected, and regulators can enforce immediately after transposition.
What must you do NOW?
To do this month
| Step | Action | Priority |
|---|---|---|
| 1 | Determine whether your organisation falls under NIS2 (essential or important) | High |
| 2 | Map your current cybersecurity measures | High |
| 3 | Conduct a gap analysis against the NIS2 requirements | High |
| 4 | Establish or update a cybersecurity policy | High |
| 5 | Implement incident response procedures with the correct reporting timelines | High |
| 6 | Map your supply chain and assess supplier risks | Medium |
| 7 | Arrange cybersecurity training for the board | High |
| 8 | Implement multi-factor authentication and encryption | Medium |
| 9 | Establish a business continuity plan | Medium |
| 10 | Prepare your registration with the NCSC or sectoral CSIRT | Medium |
| 11 | Document everything – demonstrability is crucial | Ongoing |
| 12 | Schedule regular security audits and penetration tests | Ongoing |
Other European legislation you need to know
DORA – Digital Operational Resilience Act
DORA specifically targets the financial sector and has been applicable since 17 January 2025. Where NIS2 is broad, DORA is deep: it places detailed requirements on ICT risk management, incident reporting, digital resilience testing and the management of third-party ICT service providers.
If your organisation operates in the financial sector, you must comply with both NIS2 and DORA – where DORA as a sector-specific law takes precedence over the general NIS2 provisions.
| Aspect | NIS2 | DORA |
|---|---|---|
| Scope | 18 sectors | Financial sector |
| Testing obligations | General | Threat-led penetration testing (TLPT) |
| Supplier management | General requirements | Detailed register and oversight |
| Applicable from | After national transposition | 17 January 2025 |
Cyber Resilience Act (CRA)
The CRA targets manufacturers and importers of products with digital elements – from smart thermostats to industrial software. It mandates security-by-design and gives consumers and businesses greater assurance that the products they buy are secure.
For board members this is relevant if you:
- Develop or sell products with software or connectivity
- Purchase such products – you will be able to demand better security guarantees
The CRA was adopted in 2024 and will be phased in, with the first obligations from September 2026.
The common thread
NIS2, DORA and the CRA are not standalone laws – together they form a European framework that treats cybersecurity for what it is: a matter of public interest. The era in which cybersecurity was something for the IT department is definitively over.
What you need to remember: Cybersecurity is a board responsibility. Not because the law says so – although it now does – but because your organisation, your clients and your employees rely on you to protect their data and systems. NIS2 simply makes that explicit.
In the next chapter on GDPR/privacy compliance we cover the other pillar of digital compliance. Because where NIS2 concerns the security of systems, the GDPR concerns the protection of personal data. And those two are inextricably linked.
Further reading in the knowledge base
These articles in the portal provide more background and practical context:
- Compliance — following rules without losing your mind
- Incident Response — when things go wrong
- Supply chain attacks — the weakest link problem
- "Are we a target?"
- Ransomware — digital hostage-taking for beginners and experts