Looking back at our webinar: NIS2 comes to life

NIS2 is no longer an abstract directive sitting on paper in Brussels. With the Dutch implementing act, the Cybersecurity Act (Cyberbeveiligingswet), it becomes operational. During our webinar “NIS2 comes to life: from directive to reality” on 15 January 2026, we explored the practical implications of this new legislation together with many participants. What does NIS2 really mean for organisations? Where should you start? And how do you avoid unpleasant surprises later on?

The high level of engagement during the webinar was evident from the many questions raised, which we were unable to address in full at the time. In this blog, we answer them one by one. In doing so, we make the step from theory to practice more concrete and help you navigate NIS2 in day-to-day operations.

How does the Act apply to a small Dutch undertaking that is a subsidiary of a group established abroad?

Where a Dutch entity is a subsidiary of a foreign group, the starting point is the group as a whole. Subsequently, each entity and establishment must be assessed individually to determine whether, and to what extent, NIS2 applies.

The government has issued guidance on complex corporate structures; that guidance sets out in more detail how group entities and establishments are to be assessed.

What about healthcare providers currently certified under NEN 7510:2017 and declaring all controls applicable? Do they comply with the duty of care, or are additional measures required?

Healthcare providers currently certified under NEN 7510:2017 will need to transition to NEN 7510:2024 in order to remain certified. This transition must be completed by early 2027 and is separate from the obligations under NIS2.

The ministerial regulation issued by the Ministry of Health, Welfare and Sport provides that organisations complying with NEN 7510:2024 (or an equivalent standard) meet the duty of care under the Cybersecurity Act. In that case, no additional measures are required in respect of the duty of care. However, you must still take into account the registration, notification and governance obligations under the Cybersecurity Act.

Certification is not mandatory, but it significantly facilitates demonstrable compliance with statutory requirements.

Is NEN 7510 not mandatory for all healthcare providers?

That is correct. Certification under NEN 7510 is not mandatory. However, many healthcare providers must be able to demonstrate compliance with the standard. This applies, for example, to providers subject to the Healthcare Quality, Complaints and Disputes Act (Wkkgz) and the Regulation on the Use of the Citizen Service Number in Healthcare.

We are also subject to DORA. What additional measures must we take to comply with NIS2?

DORA constitutes lex specialis in relation to NIS2. This means that DORA prevails in the event of overlap or conflict between the two regimes.

That said, certain elements may fall outside the scope of DORA. For those elements, additional obligations under NIS2 may still apply. The specific measures required will depend on what has already been implemented and how your compliance framework is structured.

Can you terminate a contract with a supplier under NIS2 if the supplier cannot meet the requirements?

If a supplier is unable to comply with contractual or statutory obligations, such as those arising under the Cybersecurity Act implementing NIS2 in the Netherlands, this will often provide grounds for termination or rescission of the agreement.

Many contracts contain standard clauses allowing termination or rescission in the event of breach, for example after notice of default and the expiry of a reasonable period to remedy the breach.

NIS2 also emphasises the importance of contractually defining clear information security and cybersecurity requirements with suppliers.

Is an ISAE 3402 assurance report from a supplier sufficient for NIS2 compliance?

That depends entirely on the scope of the ISAE 3402 report. Such reports are often primarily financial in nature and not specifically focused on information security or cybersecurity.

Alternatives such as ISAE 3000 or SOC 2 reports may be more relevant in the context of NIS2. However, here too the scope is decisive. An assurance report is only meaningful if it actually covers the relevant security measures.

Translating NIS2 into concrete measures

NIS2 requires more than legal knowledge alone. It demands insight into processes, technology, governance and contractual arrangements. Through our webinar, we provided guidance on how organisations can translate legislative requirements into practical measures in daily operations.

By gaining timely insight into your obligations, applying the appropriate standards and properly documenting arrangements with suppliers, you can avoid complications later. Whether you are just starting or have already taken steps, a focused analysis will help make NIS2 manageable.

Want to know more?

Would you like to understand what NIS2 specifically means for your organisation? Or do you need support with implementation, contracts or regulatory supervision? We are happy to assist.
