The NIS2 directive is being implemented in the Netherlands through the Cybersecurity Act (Cyberbeveiligingswet), which is expected to enter into force in the second quarter of 2026. Although the law is not yet in force, it is wise to start preparing now. Organizations that wait until the last month risk not being compliant in time and miss the opportunity to embed cybersecurity structurally in their business operations.
In this article, we provide a clear overview of what NIS2 requires from your organization and how you can prepare.
Who does NIS2 apply to?
The NIS2 directive distinguishes two categories of organizations. Essential entities operate in sectors such as energy, transport, banking, healthcare, drinking water, digital infrastructure, public administration, and space. Important entities operate in sectors such as postal services, waste management, food production, the chemical industry, and digital services. Note that the split is not purely sectoral: as a rule, only large organizations in the first group of sectors are classified as essential, while medium-sized organizations in those same sectors are classified as important.
The directive applies to medium-sized organizations (from 50 employees, or an annual turnover and balance sheet total above €10 million) and to large organizations (250 or more employees, or an annual turnover above €50 million and a balance sheet total above €43 million). Smaller organizations may also fall under the law, for example when they are the sole provider of a service in a member state or play a crucial role in the supply chain.
The core requirements of NIS2
NIS2 prescribes a broad package of measures. These can be divided into four themes.
Governance and policy
Organizations must conduct a thorough risk analysis and establish a security policy that is regularly evaluated. The board bears explicit responsibility: it must approve the security measures, oversee their implementation, and undergo cybersecurity training itself. In case of non-compliance, board members can be held personally liable.
Technical security
Technically, NIS2 requires multi-factor authentication for access to critical systems, encryption of sensitive data and secure communication, access management based on need-to-know, and security by design in the procurement and development of systems.
Operational measures
Daily operations must be in order. This means awareness training for all employees, a strict password policy, timely software updates and patch management, and active supplier management where you assess and monitor the security of your supply chain.
Incident and continuity
Organizations must have procedures for detection, response, and recovery from security incidents. In addition, backup management, disaster recovery plans, and crisis management procedures are mandatory to ensure business continuity.
Reporting obligation and sanctions
One of the most concrete obligations is the incident reporting requirement. In the event of a significant security incident, you must send an early warning to the competent authority or the national CSIRT within 24 hours (stating whether the incident is suspected to be malicious and whether it may have cross-border impact), submit an incident notification with an initial assessment of severity, impact and any available indicators of compromise within 72 hours, and submit a final report with a root-cause analysis and the measures taken no later than one month after that notification.
The sanctions for non-compliance are substantial. Essential entities risk fines of up to €10 million or 2% of global annual turnover, whichever is higher. For important entities, the maximum is €7 million or 1.4% of global annual turnover, whichever is higher. This makes NIS2 a directive to take seriously.
How uComply helps your organization
uComply offers an integrated solution to meet all NIS2 requirements. With automated risk assessment and predefined NIS2 controls, you can quickly map your risks. The complete incident registration workflow ensures you can meet the reporting obligation. All policy and procedure documents are stored centrally, and with the real-time dashboard, you maintain control over your compliance status.
The uComply NIS2 Content Pack contains predefined controls based on NIS2 requirements, ready-to-use policy templates, audit checklists, and gap analysis tools. This way, you don't have to start from scratch and can immediately begin your preparation.