What does NIS 2 mean for your company?

 Mindgame

 


Executives can be held personally liable under NIS2 in cases of demonstrable negligence in the area of cybersecurity.

As of October 2024, the European NIS2 Directive (Network and Information Security Directive 2) will also apply in the Netherlands. The goal of this directive is to improve the digital resilience of companies and institutions and to strengthen cybersecurity across the EU. But what exactly does NIS2 entail, and what are the practical implications for your organization?

What is the NIS2 directive?

NIS2 is a stricter successor to the original NIS Directive from 2016. Due to the rise in cyber incidents and threats, the previous regulation proved to be insufficiently effective. The new directive therefore significantly expands its scope. Companies with 50 or more employees, or with an annual turnover of at least €10 million, in certain sectors are now explicitly required to meet stricter cybersecurity standards.

In addition, NIS2 imposes tougher requirements on organizations’ cybersecurity policies. Companies must demonstrably invest in prevention, detection, and response to cyber incidents. Executives also bear more responsibility under NIS2 and can be held personally liable in cases of negligence.

Which organizations are directly affected by NIS 2?

The NIS2 Directive applies directly to medium-sized and large companies in sectors considered essential or important to society, including:

  • Energy companies

  • Healthcare institutions

  • Drinking water suppliers

  • Digital infrastructure (such as IT service providers, data centers, cloud providers)

  • Financial institutions

  • Transport and logistics

  • Manufacturing and industry

  • Food supply chains

Is NIS2 only for medium and large companies?

It’s true that NIS2 primarily targets medium and large organizations in the sectors mentioned above. However, more and more smaller companies will be affected indirectly, even if they do not fall directly under the legislation.

This is because larger companies are held responsible for cybersecurity across their entire supply chain. As a result, they will increasingly demand that their smaller suppliers and partners also improve their cybersecurity measures. For smaller businesses, good cybersecurity will become a growing prerequisite for continued collaboration with larger partners.

In practice, this means that even smaller companies may soon face stricter cybersecurity requirements—despite not (yet) being formally covered by NIS2.

What does this mean for your organization in practice?

Companies that fall under NIS2 (or are affected indirectly through clients or partners) have clear obligations. For example, they must:

  • Actively identify cybersecurity risks

  • Implement appropriate security measures

  • Ensure employees receive adequate cybersecurity-awareness training

  • Report incidents promptly and clearly to authorities

The government will actively monitor compliance. In case of shortcomings, sanctions may follow, such as warnings or substantial fines (up to 2% of annual revenue).

What can you do now?

It’s wise to start preparing with some proactive steps:

  • Clearly map out the cyber risks within your organization

  • Provide regular cybersecurity-awareness training for your employees

  • Put cybersecurity on the agenda at the board or management level

  • Develop a clear incident response plan and test it periodically

Need help preparing?

Want to be sure your organization is ready for NIS2? At Mindgame, we help organizations with innovative, gamified cybersecurity-awareness programs like CyberWise. This not only strengthens your cyber resilience, but also helps you meet NIS2 requirements effectively.

👉 Read in this blog how CyberWise can help with this: [Unlock Cybersecurity Awareness with CyberWise: The Game That Secures Your Organization]

Or discover for yourself how CyberWise works with a free demo.
