Cybersecurity obligations for more companies in critical sectors (NIS2)

Published by:
Netherlands Enterprise Agency, RVO
Effective date: 3rd quarter of 2025

What changes?

More companies and organisations in critical sectors will have obligations (duty of care and reporting duty) to increase cybersecurity and counter cyberattacks. These obligations are set out in the European Network and Information Security directive (NIS2).

What is the NIS2 directive?

The NIS2 directive is meant to help achieve a higher level of cybersecurity for network and information systems in companies and organisations. The directive aims to ensure that EU countries better protect themselves against threats that could disrupt society or the economy. The NIS2 directive is the successor to the first NIS directive. That first directive, also known as the NIB, was incorporated in the Security of Networks and Information Systems Act (Wbni).

For whom?

The NIS2 directive adds sectors to those already covered by the first NIS directive. As a result, more public and private organisations will be covered by the NIS2 directive.

Your organisation is covered by the NIS2 directive if:

  • your organisation is active in 1 of the sectors listed in Annex I or Annex II of the NIS2 directive, and
  • you have a medium-sized organisation with at least 50 employees or an annual turnover or balance sheet total over €10 million (your organisation is an important entity), or
  • you have a large organisation with more than 250 employees or a net turnover of over €50 million and a balance sheet total of more than €43 million (your organisation is an essential entity)

Annex I of the NIS2 directive lists very critical sectors:

  • energy
  • transport
  • banking
  • financial markets infrastructure
  • healthcare
  • drinking water
  • digital infrastructure
  • ICT services management (business-to-business)
  • wastewater
  • public administration
  • space activities

Annex II of the NIS2 directive lists other critical sectors:

  • digital providers
  • postal and courier services
  • waste management
  • manufacturing, production, and distribution of chemicals
  • production, processing, and distribution of food
  • research
  • manufacturing

NIS2 for micro or small businesses in a critical sector

Micro and small businesses that are automatically covered by the NIS2 directive are:

  • trust service providers
  • top-level domain name registries
  • domain name registration service providers
  • providers of public electronic communication networks
  • providers of publicly available electronic communications services

Government organisations active in the sectors listed above are also automatically covered by the NIS2 directive.

The minister can designate micro or small companies, for example if your services are of vital importance to the Dutch economy or society. If this is the case, you will be informed.

Which obligations does the NIS2 directive impose?

If your organisation is covered by the NIS2 directive, the duties that the NIS2 directive dictates are:

  • Duty of care – You must carry out a risk assessment. Based on this risk assessment you should take measures to guarantee continuation of services as much as possible and protect the information used.
  • Duty to report – You have to report incidents to the supervising authority within 24 hours. It concerns incidents that (can) significantly disrupt the provision of the essential services. Does it concern a cyber incident? Then this must also be reported to the Cyber Security Incident Response Team (CSIRT). Whether an incident is subject to the duty to report depends on several factors, for example the number of people affected by the disruption, the duration of the disruption, and the potential financial losses.
  • Supervision – Organisations covered by the NIS2 directive will be under supervision. The supervisory body will look at compliance with the obligations of the directive, such as the duty of care and the duty to report. It is currently being worked out which sectors will fall under which supervisory body.

How can you prepare?

Before the national legislation is ready, organisations can prepare for their duty of care. They can do so by taking measures to improve safety and resilience of their processes and services. Check the National Cyber Security Centre's (NCSC) guide to Cyber Security Measures (pdf) and do their Basic Cyber Resilience scan (in Dutch). The Digital Trust Center has listed a number of measures to help organisations protect themselves against the risks of and damage by cyber attacks.

Consequences of delay in transposition of NIS2 directive into national law

The Cybersecurity Act was supposed to come into force in October 2024. However, transposing the NIS2 Directive into the Cybersecurity Act (Cyberbeveiligingswet) is taking more time than expected. Until then, entities covered by law under the NIS2 Directive have certain rights, such as receiving social assistance in the event of a cyber incident from a Computer Security Incident Response Team (CSIRT). The obligations in the NIS2 Directive will only take effect once the Cybersecurity Act comes into force. The Security of Networks and Information Systems Act (Wbni) will continue to apply until the Cybersecurity Act enters into force. This means the rights and obligations under the Wbni will continue to apply for organisations already covered by that act. Read more on the consequences of this delay (in Dutch).

When?

It is expected that the new law will enter into force in the third quarter of 2025. From then on, organisations covered by the NIS2 directive have to fulfil the duty of care and duty to report.

Please note: The effective date of this measure is not yet final. Entry into force is subject to its passing through the Lower and Upper Houses (Tweede en Eerste Kamer) of parliament. After publication in the Staatsblad or Staatscourant (Government Gazette, in Dutch) the law can take effect.

Questions relating to this article?

Please contact the Netherlands Enterprise Agency, RVO