Want to learn more? Download the NIS2 Cheat Sheet.

Want to know if NIS2 applies to your organization, what obligations you face, and how to prepare? Download our NIS2 cheat sheet for a clear overview of all rules, obligations, and timelines.

NIS2 Cheat Sheet
Visual Cheat Sheet NIS2

What is the NIS2?

NIS2 is the updated European directive for network and information systems. The goal is to increase digital resilience in the EU. The NIS2 Directive requires organizations to implement stricter security measures and report incidents more quickly. As a result, NIS2 affects many more sectors and companies than the previous NIS legislation.

Who must comply with NIS2?

NIS2 applies to two types of organizations: essential and important entities. This includes sectors such as energy, transport, healthcare, digital infrastructure, manufacturing, chemicals, and research. Both large and medium-sized companies can fall within its scope.

It's no surprise that many business owners are asking: does NIS2 apply to my company? There is a good chance that the answer is "yes," especially if you are active in one of the designated critical or highly critical sectors.

Wie valt onder NIS2?

What are the NIS2 fines?

NIS2 imposes severe sanctions::

  • Essential entities: up to €10 million or 2% of annual turnover
  • Important entities: up to €7 million or 1.4% of annual turnover

When did the NIS2 Directive take effect?

In Q3 2025, the Dutch Cybersecurity Act came into force, bringing NIS2 into national law. Our cheat sheet outlines everything your organization needs to comply with this directive. This includes your obligations and how to prepare.

The main obligations of NIS2

NIS2 introduces three main obligations and one additional management liability obligation:

1. Registration obligation

Organizations must actively register with the competent authority and provide information such as Chamber of Commerce details and IP addresses.

2. Incident reporting obligation

If their is a (potentially) significant cybersecurity incident, an organization must act quickly:

  • Report within 24 hours

  • Initial analysis within 72 hours

  • Final report with root cause and measures within 1 month

3. Duty of care: cybersecurity measures

NIS2 requires a comprehensive set of security measures, including:

  • Risk analyses

  • Incident response

  • Supply chain security

  • Business continuity plans

  • Cyber hygiene and employee training

  • MFA and secure communication

  • Cryptography policy

Governance: responsibility of management

Directors are required to be actively engaged in cybersecurity, develop adequate knowledge, and may face personal liability.

Want to receive more information?

Leave your details via the form. One of our legal advisors will contact you to arrange a no-obligation introductory meeting by phone, at our office, or at your location.

Submit your details