NIS2: what every organisation needs to know right now

The NIS2 Directive is now in force and regulators are actively enforcing it. Yet many organisations still struggle with a fundamental question: what does this actually mean for us? Our aim with this article is to cut through the complexity.
    13 April 2026 by sophievanderzandt@safesecur.nl

    What is NIS2?

    NIS2 (Network and Information Security Directive 2) is the European Union's updated cybersecurity legislation. It replaces the original NIS Directive from 2016 and has been transposed into national legislation across all EU member states. The objective is straightforward: strengthen the digital resilience of organisations in critical sectors and reduce the impact of cyber incidents.

    Where the original directive was relatively limited in scope, NIS2 raises the bar significantly, both in the number of sectors covered and in the requirements placed on management and security measures.


    Where does it apply?

    NIS2 distinguishes between essential entities and important entities. In general terms: medium-sized and large organisations (50+ employees or more than €10 million in annual turnover) in the sectors below fall under the directive.

    Unsure whether your organisation falls under NIS2? Contact your national cybersecurity authority or request a baseline assessment to find out exactly where you stand.


    The four pillars of NIS2

    The directive is built on four concrete obligations that every covered organisation must fulfil:

    • Risk management: technical and organisational measures to manage cyber risks, including access controls, encryption, backup policies, and incident response capabilities.
    • Incident reporting: significant incidents must be reported to the competent authority within 24 hours as an early warning, followed by a full incident report within 72 hours.
    • Supply chain security: organisations are also responsible for the cybersecurity practices of their suppliers and service providers.
    • Management accountability: board members bear ultimate responsibility and can be held personally liable in cases of demonstrable negligence.


    What does management accountability mean in practice?

    This is one of the most significant changes compared to the previous directive. Senior management must be demonstrably involved in the organisation's cybersecurity governance. In concrete terms, this means:

    • Regular cybersecurity training for executives and board members. 
    • Formal approval and endorsement of the security policy.
    • Active follow-up on risk reports and audit findings.

    Claiming ignorance is not a valid defence: regulators expect management to understand the risks and actively drive mitigation efforts.

    Penalties

    Non-compliance can result in fines of up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities. Regulators can also impose temporary management bans.


    Where to start: a practical approach

    1. Determine your status. Verify whether your organisation qualifies as essential or important under NIS2. Your sector, size, and any cross-border activities all play a role in this assessment.

    2. Conduct a baseline assessment. Measure your current information security posture against NIS2 requirements. This immediately surfaces gaps and helps you prioritise what needs to be addressed first.

    3. Build a risk register. Identify your critical systems, processes and dependencies. Map targeted security measures to each identified risk.

    4. Set up incident reporting processes. Establish an internal escalation path that enables you to report an incident within 24 hours, including the right contacts, templates and communication flows.

    5. Engage your supply chain. Map your critical suppliers and set minimum cybersecurity requirements for them, formalised in contracts and vendor assessments.

    6. Implement a management system. An ISMS (Information Security Management System), ideally aligned with ISO 27001, provides the structure needed to maintain and demonstrate


    NIS2 as a strategic opportunity

    Many organisations experience NIS2 as a burden, and that's understandable given the scale of what's required. But there's another way to look at it. Compliance forces organisations to take their security posture seriously, eliminate blind spots, and build trust with customers, partners and investors. 

    Organisations that invest in a solid security foundation now will reap the benefits well beyond regulatory requirements. Cyber threats are growing in sophistication, and the cost of a serious incident far outweighs the cost of prevention. 

    NIS2 is not just a compliance checkbox; it is an opportunity to future-proof your organisation.

    Do you know where your organisation stands? 

    Safesecur Group supports you with baseline assessments, implementation guidance, and a practical management system that makes NIS2 compliance achievable. 

    Contact us for more information


