The NIS2 Directive is a European legislation that requires organizations with an essential or important societal role to strengthen their cyber resilience. It introduces tightened standards for security, risk management and incident reporting, helping the EU better protect the digital foundation of vital sectors.
Want to know if NIS2 applies to your organization, what obligations you face, and how to prepare? Download our NIS2 cheat sheet for a clear overview of all rules, obligations, and timelines.
NIS2 Cheat SheetNIS2 is the updated European directive for network and information systems. The goal is to increase digital resilience in the EU. The NIS2 Directive requires organizations to implement stricter security measures and report incidents more quickly. As a result, NIS2 affects many more sectors and companies than the previous NIS legislation.
NIS2 applies to two types of organizations: essential and important entities. This includes sectors such as energy, transport, healthcare, digital infrastructure, manufacturing, chemicals, and research. Both large and medium-sized companies can fall within its scope.
It's no surprise that many business owners are asking: does NIS2 apply to my company? There is a good chance that the answer is "yes," especially if you are active in one of the designated critical or highly critical sectors.
NIS2 imposes severe sanctions::
In Q3 2025, the Dutch Cybersecurity Act came into force, bringing NIS2 into national law. Our cheat sheet outlines everything your organization needs to comply with this directive. This includes your obligations and how to prepare.
NIS2 introduces three main obligations and one additional management liability obligation:
Organizations must actively register with the competent authority and provide information such as Chamber of Commerce details and IP addresses.
If their is a (potentially) significant cybersecurity incident, an organization must act quickly:
Report within 24 hours
Initial analysis within 72 hours
Final report with root cause and measures within 1 month
NIS2 requires a comprehensive set of security measures, including:
Risk analyses
Incident response
Supply chain security
Business continuity plans
Cyber hygiene and employee training
MFA and secure communication
Cryptography policy
Directors are required to be actively engaged in cybersecurity, develop adequate knowledge, and may face personal liability.