The digital world is changing at lightning speed. Cyberattacks are becoming smarter, faster, and more destructive. That’s why the European Union is stepping in with the NIS2 Directive — a new law that forces organizations to take their digital security seriously. And yes, your organization is probably covered by it too. This blog post explains what NIS2 is, how organizations can implement it, and how NIS2 can strengthen digital cyber resilience.
What is NIS2 and why do you need to act now?
NIS2 stands for Network and Information Security 2. This directive replaces the old NIS law from 2016 and significantly expands its scope. It no longer applies only to vital sectors such as energy, transport, and healthcare, but also to medium and large companies in sectors such as ICT, digital infrastructure, manufacturing, waste management, and even postal services.
Strengthening digital cyber resilience through NIS2 and policies
The NIS2 directive helps organizations strengthen their digital cyber resilience and requires them to:
- Actively manage cyber risks
- Report incidents within 24 hours
- Monitor and secure their supply chain
- Take executive accountability
And this is not just a voluntary checklist. The penalties are substantial — comparable to those under the GDPR — and in some cases, executives can even be held personally liable.
What should you do to strengthen your digital cyber resilience under NIS2 and related policies?
Start with a risk analysis. Identify vulnerabilities, create an incident response plan, and implement both technical and organizational measures. Examples include:
- Encryption and access control
- Backup management and business continuity
- Employee awareness training
Other frameworks that support digital cyber resilience alongside NIS2
Use existing frameworks such as ISO 27001, BIO 2.0, or DNB Good Practice as your foundation. But be careful: NIS2 demands more than just a checkbox approach. You must be able to demonstrate that your measures are effective — and that you continuously monitor them.
Why NIS2 also affects your suppliers
NIS2 looks beyond your own organization. You must also be able to demonstrate the cybersecurity posture of your suppliers. A weak link in the chain can still expose your organization to risks. This means you need to make clear agreements, conduct audits, and collaborate to strengthen digital resilience together.
NIS2: Threat or opportunity?
Yes, NIS2 requires effort. But it also offers opportunities. Organizations that invest in cybersecurity now will:
- Strengthen their reputation
- Increase their reliability
- Become more attractive partners
In short: NIS2 is not a burden, but an opportunity to future-proof your organization.
Want to know if your organization falls under NIS2? Take the NIS2 Quickscan and start preparing today. You can find more articles on digital security right here on this website.
Below you’ll find the FAQ
General Questions
What is NIS2?
NIS2 is the renewed European directive on network and information security. It requires organizations to strengthen their digital resilience and actively manage cyber incidents.
How do I know if my organization falls under NIS2?
Take a NIS2 Quickscan or consult your IT advisor. If you’re unsure, start implementing basic security measures now — prevention is better than cure.
What are the NIS guidelines?
NIS stands for Network and Information Security. This directive ensures that companies improve the cybersecurity of their network and information systems. As a result, they are better protected against cyberattacks and disruptions. All companies that were covered under the first NIS directive must now comply with NIS2.
Your company must follow these guidelines if it operates in a critical societal sector such as food production, consumer goods, or transport. NIS2 is expected to take effect in the third quarter of 2025.
Who does NIS2 apply to?
NIS2 applies to:
- Essential sectors (energy, transport, healthcare, etc.)
- Digital service providers
- Medium and large companies in sectors such as ICT, manufacturing, waste management, and postal services
Small companies usually fall outside the scope — unless they provide essential services.
When does NIS2 take effect?
EU member states must transpose NIS2 into national law by October 17, 2024. From that moment, organizations will need to comply with its requirements.
Call to action
What should you do?
The NIS2 directive introduces several obligations, including risk assessment, incident reporting, and regulatory supervision. Here’s what they mean:
Incident reporting: If you experience a cyberattack or outage, you must report it to the Computer Security Incident Response Team (CSIRT).
Supervision: An independent supervisory authority will check whether you’re properly managing cybersecurity. They’ll assess your risk evaluations, reporting obligations, and security measures.
Risk assessment: Companies are required to perform a risk assessment. Evaluate the risks in your digital systems — such as hacking, outages, or data breaches.
What happens if you don’t comply with the directive?
Failing to report a cyberattack or not following the directive can lead to fines of up to €10 million or 2% of your global annual turnover, whichever is higher.
While penalties may not be issued immediately, companies must demonstrate that they are actively improving their digital security. Supervisory authorities can also require you to strengthen your cybersecurity measures. Moreover, cybersecurity training is mandatory for executives and board members.
Failure to comply with NIS2 can result in:
- Liability for executives
- Reputational damage and loss of trust
- Fines comparable to those under the GDPR
How can I become compliant?
Here’s what you can do:
- Report incidents within 24 hours
- Assess your suppliers’ cybersecurity practices
- Perform a risk analysis
- Implement technical and organizational security measures
Other questions
Do I also need to check my suppliers?
Yes. NIS2 requires you to manage the digital security of your entire supply chain. You must be able to demonstrate that your suppliers meet minimum security standards.
Which standards can I use as a foundation?
You can use the following frameworks:
- NIST Cybersecurity Framework
- DNB Good Practice (for financial institutions)
- ISO 27001
- BIO 2.0 (for government organizations)