
NIS2: Not a revolution, but a matter of urgency

Anyone who carefully reviews the requirements of NIS2 will find that the law does not call for a complete overhaul. It is a formalization of what every well-managed organization should already be doing and the translation of that into demonstrable, structural compliance. Most organizations are further along than they think. What is lacking is not measures, but clarity.

The Cybersecurity Act (Cyberbeveiligingswet), the Dutch implementation of the European NIS2 directive, is expected to take effect in the second quarter of this year. Thousands of Dutch organizations will be directly affected. And yet a significant portion has not yet begun its preparations. Not because they are behind, but because the law is surrounded by language that generates more anxiety than clarity. The number of genuinely new measures is limited. The real challenge lies in systematically consolidating what is often already in place, and making it demonstrable.


Which organizations does NIS2 apply to?

The law applies to organizations that are active in one of the designated sectors and that meet the size thresholds. Its scope is considerable. The legislator distinguishes between sectors of high criticality, including energy, healthcare, and digital infrastructure, and other critical sectors, such as food production, chemicals, and manufacturing.

The size thresholds are as follows:

  • Medium-sized organizations: 50 or more employees, or annual turnover and balance sheet total exceeding €10 million.
  • Large organizations: 250 or more employees, or annual turnover exceeding €50 million and a balance sheet total exceeding €43 million.

Supply chain accountability is also relevant. Organizations that do not fall directly under the law may still be affected if they provide services to parties that do. Those parties must demonstrably maintain control over their supply chains and will pass that obligation on to their vendors, for example through contractual requirements around information security and incident reporting.

What exactly does NIS2 require?

NIS2 contains three obligations: a registration requirement, a reporting requirement, and a duty of care.

Registration requirement: Organizations within scope must register in the entity register with the competent supervisory authority for their sector.

Reporting requirement: Significant cybersecurity incidents must be reported to the competent supervisory authority for the sector, such as the Dutch Authority for Digital Infrastructure (RDI), in three stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.

Duty of care: This is the most demanding component. Organizations must demonstrably have taken measures across a range of areas: risk management, access controls, encryption, incident response, continuity planning, vendor management, and data management. Board members are personally accountable for this.

Comparing the duty of care measures against existing security policies, for example those based on the ISO 27001 standard, reveals considerable overlap. Multi-factor authentication, patch management, access controls, endpoint protection, backup and recovery, awareness training: these are measures that every mature IT environment should already have in place. NIS2 does not so much introduce new obligations as provide a legal foundation for them. Where organizations previously conformed to a standard such as ISO 27001 on a voluntary basis or through contractual agreements, that same approach is now a statutory requirement for those within scope. And one thing that is frequently underestimated: an incident reporting procedure that has never been practiced does not truly exist. A procedure that only exists on paper will not produce an early warning within 24 hours when it is needed.

The interconnection of measures

All measures ultimately serve one purpose: the protection of data, its confidentiality, integrity, and availability. Networks, access controls, and patch management are means, not ends in themselves. Data, and the availability of the systems that hold it, is what ransomware, DDoS attacks, and data breaches target, making it the cornerstone of the duty of care. That is precisely why it pays to think not in terms of individual measures, but in terms of their interconnection. No matter how well multi-factor authentication is configured, without a reliable backup, current data classification, or well-considered archiving, a gap remains.

The same logic applies to the supply chain. Few organizations operate independently, and in the IT sector, dependencies on external parties are the rule rather than the exception. Cloud providers, managed service partners, software developers, and data processors almost always interact with the information flows that fall under the duty of care. A data landscape is therefore only as strong as the weakest link in the chain. An organization that has its own environment in order but lacks visibility into the security maturity of its vendors is left with a blind spot that both attackers and regulators can exploit.

Organizations that configure data lifecycle management, encryption, backup, and archiving as a coherent whole, and extend that coherence to their vendors, are building a foundation that satisfies both NIS2 requirements and the broader continuity of the organization.

Compliance is not a finish line

NIS2 compliance is not a project with an end date. Threats evolve, systems change, and supply chains shift. A measure that is adequate today may fall short in six months. NIS2 therefore calls not for a one-time snapshot, but for an ongoing process of monitoring, evaluation, and improvement.

Organizations that understand this become genuinely resilient. Not because the law requires it, but because it is the only way security holds up in practice.

A practical starting point

Preparing for NIS2 begins with three steps:

  1. Scope assessment: does your organization fall directly under the law, and which vendors in your supply chain do as well?
  2. Gap analysis of the duty of care measures: which are already in place, which are missing, and what should be prioritized?
  3. Incident reporting procedure: ensure it is documented and has been tested.

Most organizations are further along than they realize. NIS2 primarily provides a legal foundation for measures that are already largely in place in mature IT environments. A structured baseline assessment makes clear where you stand and what remains to be addressed, without requiring a complete overhaul.

Would you like to know where your organization currently stands? We conduct the baseline assessment, identify the gaps, and provide you with a concrete follow-up plan. Not a hundred-page report, but just a clear picture and a workable approach.

Databalance