What is NIS2?
At its core, NIS2 is the updated cybersecurity framework for the European Union. It is designed to strengthen the digital defenses of organizations that provide essential services to our society. This directive replaces the older 2016 version and introduces a much higher "bar" for security.
For the Netherlands, it is important to note that NIS2 will be transposed into national law as the Cyberbeveiligingswet (Cbw). Although the general EU transposition deadline has passed, the Dutch mandate is now officially set for July 1, 2026.
Not sure how your current security aligns with the new requirements? Schedule a NIS2 Gap Analysis to identify the 5 steps you need to take before July 2026.
Where does it apply?
NIS2 distinguishes between essential entities and important entities. In general terms: medium-sized and large organisations (50+ employees or more than €10 million in annual turnover) in the sectors below need to be compliant.
Unsure whether your organisation needs to be compliant under NIS2? Contact your national cybersecurity authority or request a Safesecur Group baseline assessment via our contact form to find out exactly where you stand.
The four pillars of NIS2
The directive is built on four key obligations that every organisation must fulfil.
Significant incidents must be reported to the designated authority within 24 hours as an early warning, followed by a full incident report within 72 hours.
Organisations are also responsible for the cybersecurity practices of their suppliers and service providers.
Board members bear ultimate responsibility and can be held personally liable in case of demonstrable negligence.
Core obligations
What does management accountability mean in practice?
This is one of the most significant changes compared to the previous directive. Senior management must demonstrate involvement in the organisation's cybersecurity governance. In specific terms, this means:
- Cybersecurity is a boardroom priority. Ensure your leadership team has the required knowledge with our 4-hour Executive NIS2 Session.
- Formal approval and endorsement of the security policy.
- Active follow-up on risk reports and audit findings.
Regulators expect the leadership team to understand the risks and to actively drive mitigation efforts.
Penalties: non-compliance can result in fines of up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities. Regulators can also impose temporary management bans.
Where to start: a practical approach
- Determine your status: verify whether your organisation qualifies as essential or important under NIS2. Your sector, size, and any cross-border activities all play a role in this assessment.
- Conduct a baseline assessment: measure your current information security posture against the NIS2 requirements. This immediately surfaces gaps and helps you prioritise what needs to be addressed first.
- Build a risk register: identify your critical systems, processes and dependencies, and map targeted security measures to each identified risk.
- Set up incident reporting processes: establish an internal escalation path that enables you to report an incident within 24 hours, including the right contracts, templates and communication flows.
- Engage your supply chain: map your critical suppliers and set minimum cybersecurity requirements for them, formalised in contracts and vendor assessments.
- Implement a management system: an ISMS (Information Security Management System), ideally aligned with ISO 27001, provides the structure needed to maintain and demonstrate
July 1st getting uncomfortably close?
We get it, the deadline is looming and the to-do list is growing. Instead of hitting the panic button, hit the PDCA4YOU button. Our platform breaks down the complex NIS2 legislation into manageable steps. No stress, just a clear plan of action!
Don’t wait until the July 2026 deadline. Start your transition to NIS2 compliance today with our expert-led assessments and training. Get in touch with our specialists.
Do you know where your organisation stands?
Safesecur Group supports you with baseline assessments, implementation guidance, and a practical management system, already used by many organisations, that puts NIS2 compliance within reach.