What is NIS2 and when does the directive apply to you

Written by Dennis van de Wiel
Last updated on Feb 24, 2026

The NIS2 directive is one of the most far-reaching European laws in the field of cybersecurity. Yet many organisations remain unclear about its scope. Does it apply to you? What exactly is expected? And how does NIS2 relate to other frameworks like ISO 27001? In this article, we explain what NIS2 is, who the directive applies to, when you do and don't fall under it, and what you can do as an organisation to prepare.

NIS2 in brief

Why the NIS2 directive was introduced

The European Union introduced the NIS2 directive to structurally strengthen the digital resilience of member states. The reason is clear: cyber incidents increasingly affect vital services and business processes. Think of attacks on hospitals, energy providers and government systems. The societal impact of such incidents is significant. A successful attack on a water treatment plant affects not only the company itself, but potentially millions of citizens.

The increasing digitalisation and interdependence of sectors makes it necessary to no longer leave cybersecurity to individual organisations or member states. NIS2 therefore establishes a minimum level that all member states must meet. The goal is to prevent weak links in one member state from undermining the digital security of the entire Union. This approach is logical: cyber threats don't stop at national borders, and an attack on a supplier in one country can bring down an essential service in another.

What NIS2 replaces and strengthens

NIS2 is the successor to the original NIS directive from 2016. That first directive was an important step, but had a limited scope. It focused on a small number of sectors and gave member states considerable freedom in implementation. The result was a fragmented landscape: requirements varied significantly between countries, and many organisations that actually played a crucial role in the digital chain fell outside the scope.

NIS2 addresses these shortcomings on three fronts. First, the scope has been significantly expanded. Where the first directive focused on a limited number of sectors, NIS2 covers eighteen sectors, from energy and healthcare to food production and waste management. Second, the security requirements have become more concrete. Article 21 of the directive lists ten specific measures that organisations must implement at minimum, including risk analysis, incident handling, backup management and supply chain security. Third, supervision and enforcement have been tightened. Fines can reach up to ten million euros or two percent of global annual turnover for essential entities. Board members are also personally responsible for compliance.

What NIS2 actually is

European cybersecurity directive

NIS2 stands for Network and Information Security Directive 2. It is a European directive, meaning that every EU member state must transpose the directive into national legislation. In the Netherlands, this will become the Cybersecurity Act (Cyberbeveiligingswet, Cbw). The legislative proposal was submitted to the House of Representatives in June 2025. The expectation is that the law will come into force in the second quarter of 2026.

Important to know: the NIS2 directive itself has been in force at European level since January 2023 and should have been transposed by all member states by October 2024 at the latest. The Netherlands is behind on this, but that doesn't change the direction. In several EU countries, including Belgium, the law is already in force. Organisations operating across borders or having suppliers in other member states must already take this into account.

Purpose and scope of NIS2

The purpose of NIS2 is to achieve a high common level of cybersecurity across the entire EU. The directive is not aimed at protecting individual organisations, but at safeguarding the continuity of services that are essential for society and the economy. The focus is on limiting societal damage from cyber incidents.

The scope has been deliberately kept broad. NIS2 applies to organisations active in one of the eighteen designated sectors and meeting certain size criteria. The directive distinguishes between two categories: essential entities and important entities. This distinction does not determine which measures you must take (those are the same for both categories), but it does determine how supervision is organised and how high the maximum fines are.

Which organisations NIS2 applies to

Essential entities

Essential entities are large organisations active in the highly critical sectors from Annex I of the directive. Specifically, these are organisations with at least 250 employees, or with an annual turnover of more than fifty million euros and a balance sheet total of more than forty-three million euros. Additionally, certain types of organisations are always essential, regardless of their size. Think of providers of DNS services, top-level domain name registries, trust service providers and central government bodies.

Essential entities fall under the strictest supervisory regime. They are monitored both proactively and reactively. This means a supervisor can come to inspect without there having been an incident. Fines can reach up to ten million euros or two percent of global annual turnover.

Important entities

Important entities are medium-sized organisations in the sectors from both Annex I and Annex II, as well as large organisations from the Annex II sectors. Medium-sized in this case means at least fifty employees, or an annual turnover and balance sheet total of more than ten million euros. The substantive obligations are the same as for essential entities: both must take appropriate measures based on Article 21.

The difference lies in supervision. Important entities fall under reactive supervision. This means the supervisor only intervenes following an incident or signals of non-compliance. The maximum fines are lower: up to seven million euros or 1.4 percent of global annual turnover.

Sectors and examples

The highly critical sectors (Annex I) include energy (electricity, oil, gas), transport (aviation, rail, maritime, road transport), banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), government and space.

The other critical sectors (Annex II) include postal and courier services, waste management, the chemical sector, the food sector, the manufacturing sector (specific branches), digital providers (such as online marketplaces and search engines) and research institutions. In total, an estimated more than ten thousand organisations in the Netherlands fall directly under the directive.

When you fall under NIS2

Size of the organisation

The first criterion is the size of your organisation. NIS2 uses a so-called "size cap": the directive applies in principle to medium-sized and large organisations. Medium-sized means at least fifty employees or an annual turnover and balance sheet total of more than ten million euros. Large means at least 250 employees or a turnover of more than fifty million euros.

It is important to note that these thresholds are assessed per legal entity. For organisations with multiple locations or subsidiaries, each entity is assessed separately. Being part of a larger group offers no protection if your own entity meets the criteria.

Type of service delivery

The second criterion is the sector in which you operate and the type of service you deliver. You fall under NIS2 if your organisation is active in one of the eighteen designated sectors and meets the size criteria. The sectors are divided between Annex I (highly critical) and Annex II (other critical). The qualification depends on the actual activities of your organisation, not on how you position yourself.

For certain types of service delivery, the directive applies regardless of size. This includes trust service providers, DNS service providers, top-level domain name registries and domain name registration service providers. For these categories, it doesn't matter whether you're a startup with ten employees or a multinational.

Role in the supply chain

An aspect that many organisations overlook is the chain effect of NIS2. Article 21 obliges organisations that fall under the directive to also safeguard the cybersecurity of their supply chain. This means that as a supplier to a NIS2 entity, you may indirectly face the requirements of the directive, even if you yourself don't meet the size criteria.

In practice, this translates into contractual requirements. A NIS2 entity can require its suppliers to implement certain security measures, report incidents and provide evidence of compliance. The Centre for Cybersecurity Belgium (CCB) advises organisations in the supply chain to comply with at least the CyberFundamentals "Basic" level. Although this is not formally a legal obligation for the supplier itself, it is increasingly becoming a prerequisite for doing business.

When NIS2 does not (yet) apply

Small organisations

Micro and small enterprises (fewer than fifty employees and an annual turnover and balance sheet total below ten million euros) do not in principle fall under NIS2. The European legislator deliberately chose this threshold to avoid disproportionate burdens on small businesses.

However, there is an exception. The minister responsible for a particular sector can still designate a small company if the risk assessment warrants it. This may be the case, for example, if a small company is the sole provider of a service essential for the continuity of a sector. Additionally, certain types of organisations always fall under the directive, regardless of their size. These include trust service providers and DNS service providers.

Low risk profiles

Organisations not active in one of the eighteen designated sectors do not fall under NIS2, even if they are large. A software company that exclusively develops consumer applications and does not operate in a designated sector falls outside the scope. The same applies to organisations that do operate in a designated sector but whose service delivery has no significant impact on the continuity of essential services.

This does not mean these organisations don't need cybersecurity. It only means that the obligations under NIS2 do not directly apply to them. Other legislation, such as the GDPR, may very well impose requirements on their information security.

Exceptions and nuances

The directive also contains explicit exceptions. Organisations that primarily carry out activities in the field of national security, public safety, defence or law enforcement are excluded from the NIS2 directive. The directive also has a territorial element: for most sectors, you fall under the rules of the member state where you have an establishment. For certain digital sectors, a one-stop-shop system applies, where you fall under the rules of the country where your main establishment is.

A final nuance: in January 2026, the European Commission proposed targeted amendments to increase legal clarity. These amendments are intended to simplify compliance for around 28,700 companies, including 6,200 micro and small businesses that had unintentionally ended up in scope.

What NIS2 expects from organisations

Governance and responsibility

NIS2 explicitly places responsibility for cybersecurity with the board. Board members must approve risk management measures, supervise their implementation and can be held personally liable for non-compliance. The directive also requires board members to undergo training in cybersecurity, so they are able to make informed decisions about security risks.

This is a fundamental shift compared to the first NIS directive, where cybersecurity was often still seen as a technical topic handled at IT level. Under NIS2, it is a board-level matter. In extreme cases, the supervisor can even temporarily suspend board members if an organisation structurally fails to meet its obligations.

Risk management and measures

Article 21 of the NIS2 directive lists ten categories of measures that organisations must implement at minimum. These are appropriate and proportionate technical, operational and organisational measures. "Proportionate" means that the measures must be in proportion to the risks the organisation faces and the impact an incident can have on service delivery.

The ten measure categories include policy on risk analysis and information systems security, incident handling, business continuity and crisis management, supply chain security, security in the acquisition and development of network and information systems, policies and procedures for assessing the effectiveness of measures, basic cybersecurity hygiene practices and training, policy on the use of cryptography, personnel security and access control, and the use of multi-factor authentication.

Incident reporting and supervision

NIS2 sets strict requirements for reporting significant incidents. An incident is significant when it can lead to serious operational disruption or financial loss, or when it can cause considerable harm to other persons or organisations. The reporting deadlines are tight: an initial warning must be submitted within 24 hours of discovery to the competent CSIRT or supervisor. A more comprehensive notification must follow within 72 hours, and a final report must be delivered within one month.

In the Netherlands, supervision is divided among multiple authorities, depending on the sector. The Dutch Authority for Digital Infrastructure (RDI) plays a central role for digital infrastructure and energy. For other sectors, sector-specific supervisors apply, such as the DNB for the financial sector, the ILT for transport and drinking water, and the IGJ for healthcare.

Common misconceptions about NIS2

NIS2 applies to everyone

A persistent misconception is that NIS2 applies to all companies. This is not the case. The directive targets medium-sized and large organisations in specific sectors. Small and micro businesses do not in principle fall under it, unless they provide specific digital services or are designated by a minister. However, smaller organisations may indirectly face NIS2 requirements through their role as a supplier to a NIS2 entity.

NIS2 requires immediate certification

NIS2 does not prescribe specific certification. The directive requires organisations to take appropriate measures and be able to demonstrate this to the supervisor. How you do that is to some extent up to the organisation itself. An ISO 27001 certification or a CyberFundamentals verification can serve as evidence of conformity, but it is not a requirement. In Belgium, NIS2 entities can choose between a CyberFundamentals certification (for essential entities) or verification (for important entities and the Basic level), an ISO 27001 certification, or an inspection by the competent authority. Obtaining such certification or verification does have commercial value: it provides a presumption of conformity and strengthens the trust of customers and partners.

Only technical measures are sufficient

NIS2 explicitly requires more than technical measures. The directive demands organisational measures (governance, responsibilities, board member training), operational measures (incident response plans, business continuity, supplier assessments) and technical measures (access management, cryptography, multi-factor authentication). Organisations that focus exclusively on technical security solutions will not meet the obligations.

The relationship between NIS2 and other frameworks

ISO 27001

ISO 27001 and NIS2 complement each other well. ISO 27001 provides a systematic framework for setting up and maintaining an information security management system (ISMS). Many of the measures NIS2 requires correspond to the controls in Annex A of ISO 27001. An organisation that is ISO 27001 certified has a strong foundation for NIS2 compliance, although it is not automatically sufficient. NIS2 sets additional requirements in the areas of incident reporting, supply chain security and board liability that may fall outside the scope of ISO 27001.

In Belgium, ISO 27001 is explicitly recognised as one of the paths to a presumption of conformity under the NIS2 law. The condition is that the scope and the Statement of Applicability are assessed as adequate by the CCB. For organisations already following or considering an ISO 27001 trajectory, it is advisable to include the NIS2 requirements in the scope, so that you serve both goals with one trajectory.

SOC 2

SOC 2 is an American reporting framework focused on the reliability of service delivery, particularly in the context of cloud services and SaaS. It features five Trust Service Criteria: security, availability, processing integrity, confidentiality and privacy. Although SOC 2 is not a European framework and is not mentioned in the NIS2 directive, a SOC 2 report can have value as additional evidence of security measures.

The difference is that SOC 2 is primarily designed to build trust with (North American) customers, while NIS2 is a legal obligation with corresponding supervision and sanctions. Organisations serving both European and American customers often combine NIS2 compliance with a SOC 2 Type II report in practice to meet both expectations.

GRC

GRC stands for Governance, Risk and Compliance. It is not a specific framework, but an overarching approach to managing governance, risk management and compliance in an integrated manner. NIS2 fits within a GRC approach as one of the compliance obligations an organisation must safeguard. By not treating NIS2 as an isolated project but as part of your broader GRC strategy, you avoid duplicate work and ensure that measures you take for NIS2 also benefit other frameworks you follow.

How organisations prepare for NIS2

Creating an overview

The first step is determining whether you fall under the directive and if so, in which category. The Dutch Authority for Digital Infrastructure (RDI) has developed a self-assessment tool that allows Dutch organisations to test whether the Cybersecurity Act applies to them. In Belgium, the CCB offers a comparable scope test. Once you know you're in scope, you map out which systems, processes and data fall under the directive and where the greatest risks lie.

In parallel, it is wise to benchmark your current security level against the measures in Article 21. Where do you already comply? Where are the gaps? This inventory forms the basis for a targeted implementation plan, rather than attempting to tackle everything at once.

Phased approach

NIS2 compliance is not a project you complete in a week. A realistic approach is phased. Start with governance: ensure the board is involved and understands its responsibilities. Then carry out a risk assessment that serves as the basis for selecting appropriate measures. Next, implement the measures in order of priority, starting with the areas with the highest risks.

It is useful to choose an existing framework as a guide. The CyberFundamentals framework has three levels (Basic, Important and Essential), each with an increasing number of controls. The level applicable to your organisation depends on your sector and risk profile. The NIS2 Supply Chain framework offers a similar structured approach, specifically focused on the chain responsibilities within NIS2. Both frameworks provide concrete tools to grow step by step towards the right security level.

Moving with growth

NIS2 compliance is not an endpoint but an ongoing process. The directive requires organisations to regularly evaluate their measures and adapt to changing risks. As your organisation grows, launches new services or enters new markets, the risks also change and with them the necessary measures.

That's why it is wise not to approach compliance as an annual project, but as a continuous process integrated into your daily operations. Periodic risk reassessments, regular checks on the effectiveness of measures and structural attention to employee awareness are essential to remain compliant.

How Tidal Control supports NIS2

Structure and insight

Tidal Control supports NIS2 compliance through two frameworks: the NIS2 CyberFundamentals framework and the NIS2 Supply Chain framework. The platform offers pre-built controls and policy templates aligned with the requirements of these frameworks. You start with a foundation that you can adapt to your own situation, rather than starting from scratch. This immediately gives you insight into which measures you've already implemented and where work is still needed.

Through more than 150 automated tests across Microsoft Azure, AWS, GitHub, GitLab, Jira and other tools, the platform continuously checks whether your controls are actually working. The result is an up-to-date overview of your compliance status that you can use towards supervisors, auditors and customers.

Safeguarding responsibilities

NIS2 requires clear responsibilities at every level. In Tidal Control, ownership and tasks are directly linked to specific controls. This ensures every stakeholder knows what is expected of them and when action is needed. Deviations are recorded and tracked through deviation management, ensuring there is a demonstrable improvement process.

For the board, the platform offers management-level insight: dashboards that show how the organisation stands relative to the chosen frameworks, without board members needing to delve into technical details.

Scalability

Tidal Control is designed to grow with your organisation. Whether you start with a basic level of the CyberFundamentals framework or directly pursue the essential level, the platform scales with you. Organisations that follow ISO 27001, SOC 2 or other frameworks alongside NIS2 can combine those trajectories in one central platform. This prevents duplicate work and ensures that controls relevant to multiple standards only need to be implemented and maintained once.

Frequently asked questions about NIS2

Which organisations does the NIS2 directive apply to exactly?

NIS2 applies to medium-sized and large organisations active in one of the eighteen designated sectors. Medium-sized means at least fifty employees or an annual turnover and balance sheet total of more than ten million euros. Certain types of organisations, such as DNS service providers and trust service providers, always fall under the directive, regardless of their size. Additionally, small organisations may indirectly face NIS2 requirements as a supplier to a NIS2 entity.

When does your organisation fall under NIS2 and when not?

You fall under NIS2 if you meet two criteria: you are active in a designated sector and your organisation is at least medium-sized (fifty employees or ten million euros in turnover and balance sheet total). If you fall outside these criteria and do not provide specific digital services for which the size exception applies, you do not in principle fall under the directive. But if you are a supplier to an organisation that does fall under NIS2, you may still face the obligations through contractual requirements.

What criteria determine whether you are an essential or important entity?

The distinction depends on the combination of sector and size. Large organisations (250+ employees or 50 million euros in turnover) in the highly critical sectors of Annex I are essential. Medium-sized organisations in Annex I sectors and medium-sized and large organisations in the Annex II sectors are important. Certain types of organisations, such as central government bodies and trust service providers, are always essential or important, regardless of their size.

What are the most common misconceptions about the scope of NIS2?

The three most common misconceptions are: that NIS2 applies to all companies (it only applies to specific sectors and sizes), that NIS2 requires specific certification (it requires demonstrable measures but does not prescribe certification), and that NIS2 is only about technical security (it also requires governance, supply chain security and board-level responsibility).

How does NIS2 relate to existing frameworks like ISO 27001 and SOC 2?

ISO 27001 provides a strong foundation for NIS2 compliance: many controls overlap. In Belgium, an ISO 27001 certification is recognised as a path to a presumption of conformity. However, NIS2 sets additional requirements in the areas of incident reporting, board liability and supply chain security. SOC 2 is an American framework that can serve as additional evidence, but not as a standalone basis for NIS2 compliance. A GRC approach helps treat NIS2 not as an isolated project, but as part of your broader compliance strategy.