Guide Compliance Cybersecurity

NIS2 is in force: what your organisation needs to have in place now

The NIS2 Directive became enforceable across EU member states on 17 October 2024. Most large and medium enterprises in the Netherlands are now subject to it whether they know it or not. This guide covers who is in scope, the 10 mandatory security measures, and the incident notification timelines that trip up organisations the most.

Cyvra Team
Cyvra Consultancy
1 May 2026
7 min read
Key takeaways

  • Around 160,000 entities across the EU are now in scope, far more than NIS1 covered
  • You have 24 hours to file an early warning after discovering a significant incident
  • Management bodies are personally liable if the required measures are not implemented
  • Article 21 mandates 10 specific security measures, from supply chain security to MFA
  • Essential entities face fines up to €10 million or 2% of global annual turnover

Why NIS2 is a fundamentally different obligation

NIS1 covered roughly 5,000 entities across the entire EU. NIS2 brings approximately 160,000 into scope. That jump explains why so many organisations are currently scrambling: the original directive targeted critical infrastructure operators and a narrow set of digital service providers. NIS2 extends to medium and large enterprises across 18 sectors, including healthcare, financial services, manufacturing, food production, and postal services.

The other significant change is enforcement. Under NIS1, enforcement was left to member states, and penalties varied widely between them. NIS2 specifies fines directly in the directive text: up to €10 million or 2% of global annual turnover for essential entities (whichever is higher), and up to €7 million or 1.4% of global turnover for important entities. National regulators in the Netherlands (the NCSC and sector-specific bodies) now have authority to audit, sanction, and publicly name non-compliant organisations.

Senior management personal liability is also new. Under NIS2, your board can be held directly responsible for approving and overseeing cybersecurity risk management measures. If a breach occurs and your organisation cannot demonstrate that management took their obligations seriously, individual directors face exposure.

Key figures:
  • 160,000 entities in scope across the EU, up from ~5,000 under NIS1
  • €10M maximum fine for essential entities, or 2% of global annual turnover
  • 24h to submit your initial incident notification to the competent authority

Are you in scope?

NIS2 sorts entities into two tiers based on sector and size. Essential entities come from 11 critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important entities come from seven additional sectors: postal and courier services, waste management, chemicals, food production and distribution, manufacturing (medical devices, computers, machinery, motor vehicles), digital providers (online marketplaces, search engines, social platforms), and research organisations.

Size thresholds matter for both tiers. Medium enterprises (50 to 249 employees, or €10 million to €49 million annual turnover) and above generally fall within scope. Small enterprises (fewer than 50 employees, under €10 million turnover) are typically exempt, with exceptions for certain categories such as sole providers of critical services in their member state.

Some entities are in scope regardless of size. DNS providers, TLD name registries, cloud computing providers, data centre operators, content delivery networks, and managed security service providers all qualify automatically. If your organisation sits in any of these categories, the headcount question is irrelevant.

UK note

NIS2 applies within EU member states only. The UK operates under its own Network and Information Systems Regulations (2018), which are updated separately by the DCMS. If your organisation has EU operations or EU-based customers, those operations are subject to NIS2 even if your headquarters sits in London. The UK is expected to introduce a revised NIS framework, but no transposition date has been set as of early 2026.

The 10 security measures under Article 21

Article 21 of NIS2 specifies the minimum security measures all in-scope entities must implement. These are not aspirational guidelines. Regulators can audit compliance against each of them.

1. Risk analysis and information security policies: a documented risk management framework covering your network and information systems, reviewed at defined intervals.
2. Incident handling: detection, analysis, containment, eradication, and recovery procedures, including defined roles and a tested incident response plan.
3. Business continuity, backup management, and disaster recovery: tested backup processes covering critical systems, with recovery time and recovery point objectives defined and validated.
4. Supply chain security: assessment of the security posture of direct suppliers, including contractual security requirements and ongoing monitoring.
5. Security in system acquisition, development, and maintenance: secure development practices, vulnerability disclosure processes, and patch management procedures.
6. Policies to assess the effectiveness of cybersecurity measures: regular testing, reviews, and audits, such as penetration testing and internal assessments.
7. Basic cyber hygiene and cybersecurity training: baseline controls (patching, access control, anti-malware) and mandatory training for all staff, including senior management.
8. Policies on cryptography and encryption: documented use of encryption for data at rest and in transit, with key management procedures in place.
9. Human resources security, access control, and asset management: joiners, movers, and leavers processes, least-privilege access principles, and a maintained asset inventory.
10. Multi-factor authentication and secure communications: MFA for all privileged access, and secured channels for voice, video, and text communications internally.

Most organisations already have partial controls across these areas. The gap is rarely total absence of controls. It tends to be undocumented processes, untested recovery plans, and supply chain clauses that exist on paper but have never been validated.

Incident notification: the three deadlines

NIS2 introduces a three-stage notification requirement for significant incidents. A significant incident is one that causes or risks causing serious operational disruption or financial loss, or affects other entities or other member states.

The timelines run from when your organisation becomes aware of the incident, not from when it started.

  • 24 hours: early warning. Notify the relevant CSIRT or competent authority that a significant incident has occurred. At this stage, a brief description and an indication of whether the incident appears to be intentional or malicious are sufficient.
  • 72 hours: incident notification. A fuller assessment: initial severity, indicators of compromise, and affected services.
  • 1 month: final report. A complete analysis covering root cause, remediation steps taken, any cross-border impact, and lessons learned.

The 24-hour deadline catches most organisations off-guard because incident response processes typically focus on containment first, notification second. If your incident response plan does not include a regulatory notification step in the first hour of a declared incident, it needs to be updated before a real event forces the issue.

Important

Notifying your competent authority within 24 hours does not require you to have a complete picture of the incident. The early warning exists precisely to give authorities time to help. Delaying notification while you investigate is the common mistake, and it is what attracts enforcement attention.

Management accountability: the part most organisations miss

NIS2 Article 20 places explicit obligations on senior management. Boards and C-suite executives must approve cybersecurity risk management measures, oversee their implementation, and receive regular cybersecurity training.

This is genuinely new territory. Previously, cybersecurity was an IT function on which management received an annual briefing. Under NIS2, board members can face personal sanctions for infringements. The directive requires member states to hold management personally liable, and national regulators are expected to pursue individuals, not just fines against the organisation.

The training obligation is concrete: management must complete cybersecurity training sufficient to identify and assess cybersecurity risks and evaluate their impact on business operations. Many boards are not currently equipped to demonstrate this. A one-page briefing memo does not satisfy the requirement. A documented training programme, with attendance records, does.

What to do now

If you have not already mapped your NIS2 exposure, do it in the next 30 days. Start with sector and size to confirm your tier, then work through Article 21 as a compliance checklist, noting where you have documented evidence versus where controls exist informally.

  • Determine your entity tier (essential or important) and confirm your registration obligation with the relevant national authority in each EU member state where you operate.
  • Map Article 21 against your current controls. Prioritise documented gaps over informal ones: regulators look for evidence, not verbal assurance.
  • Update your incident response plan to include the three-stage notification process and name the individual responsible for regulatory communication during an incident.
  • Review supplier contracts. Security clauses need to be enforceable and include right-to-audit provisions for your most critical third parties.
  • Run a board-level training session and document it. Board minutes noting cybersecurity discussion are useful; a structured training programme with attendance records is better.
  • Commission an independent gap assessment if you have not already. A competent authority audit will cover the same ground, at far less convenient timing.

NIS2 enforcement is active in the Netherlands. The NCSC and sector supervisors are working through registration requirements and initial audits now. An organisation that comes to a regulator with a completed gap assessment and a remediation roadmap is in a materially different position from one that has done nothing.

Frequently asked questions

Who does NIS2 apply to?

NIS2 applies to organisations in 18 critical sectors across the EU, covering around 160,000 entities. Essential entities include energy providers, transport operators, banks, healthcare organisations, and digital infrastructure providers. Important entities include postal services, waste management, food producers, chemical companies, and digital service providers. Any organisation with 50 or more employees or €10 million in annual turnover operating in these sectors is likely in scope.

What are the 10 mandatory security measures under NIS2 Article 21?

Article 21 requires: risk analysis and information system security policies; incident handling; business continuity including backup management and disaster recovery; supply chain security; security in network and information systems acquisition; policies for assessing the effectiveness of security measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and encryption; human resources security; and access control, asset management, and the use of multi-factor authentication.

What are the NIS2 incident notification deadlines?

NIS2 sets a three-stage notification process. You must submit an early warning to your national competent authority within 24 hours of becoming aware of a significant incident. A more detailed incident notification follows within 72 hours. A final report is required within one month, covering a full description of the incident, its severity, the type of threat involved, and any cross-border effects.

Can senior managers be personally liable under NIS2?

Yes. NIS2 Article 20 requires management bodies to approve the cybersecurity risk management measures and oversee their implementation. If a breach occurs and the investigation finds management was negligent in fulfilling these obligations, individuals can be held personally liable. For essential entities, national authorities can temporarily prohibit a natural person from exercising managerial responsibilities.

What is the maximum fine for NIS2 non-compliance?

For essential entities, NIS2 fines can reach €10 million or 2% of global annual turnover, whichever is higher. For important entities, the maximum is €7 million or 1.4% of global annual turnover. Supervisory authorities can also issue binding instructions, mandatory security audits, and temporary restrictions on providing services.

Talk to Cyvra

Not sure if you're in scope for NIS2?

We run NIS2 gap assessments for organisations in the Netherlands and UK. A clear picture of where you stand beats guessing.