
Network and Information Security Directive (NIS2 Directive)

Prevent losing customers

NIS2 explanation

What is NIS2?

NIS2 is the European cybersecurity directive that strengthens digital resilience in essential and important sectors. In the Netherlands, NIS2 is implemented through the Cybersecurity Act (Cbw).

  • Mandatory risk management measures – technical, organizational, and across the supply chain
  • Incident reporting obligation for serious incidents
  • Executive accountability – management must approve and oversee measures and is jointly liable

Which companies fall directly under NIS2?

NIS2 applies to organizations in essential and important sectors. In the Netherlands, more than 8,000 companies and organizations are estimated to fall directly under this legislation.

In addition, there are hundreds of thousands of small and medium-sized businesses that are indirectly affected by NIS2 as suppliers to larger organizations.

Not directly subject to the law? You may still be affected indirectly through contractual requirements and audits imposed by NIS2-regulated customers and partners.

Does your organization meet one or more of the criteria below? If so, you may fall directly under the Cybersecurity Act.

  • 50 employees
  • €10 million annual revenue
  • €10 million balance sheet total

Note: organizations in vital sectors such as government, telecom, energy, water, banking, or domain registration are always subject to the Cybersecurity Act.

What are the implications?

Organizations subject to NIS2 must have their security fully in order and be able to demonstrate that risks are effectively managed.

Duty of care & risk management

Establishing and maintaining appropriate technical and organizational measures, including supply chain risks.

Joint and several liability

Executive management approves measures, oversees compliance, and follows mandatory training; failure to do so may result in joint and several liability.

Reporting & registration obligations

Timely reporting of serious incidents and registration as an entity in the national register.

Supply chain & contracts

Mandatory management of supplier risks; requirements are embedded in contracts and periodically assessed.

How will your organization be affected?

The transition from NIS1 to NIS2 affects a much broader group of organizations. NIS2-regulated entities must start assessing their suppliers and therefore impose requirements on their supply chain (demonstrable security, contractual obligations, audits), meaning that almost every organization will be impacted by NIS2 requirements.

From a narrow top to a broad base: more and more organizations are affected.

NIS1

Small group of essential organizations

  • Number of companies: ± 200
  • Impact: medium – limited scope & limited supervision

NIS2

Organizations with legal obligations and supervision

  • Number of companies: 8,000 – 10,000
  • Security measures: 10 categories / 100+ measures
  • Impact: very high – mandatory measures, audits, and sanctions

NIS2-QM30

Vital or business-critical role in the supply chain

  • Number of companies: hundreds of thousands
  • Security measures: 6 categories / 67 measures
  • Impact: high – governance & monitoring required

NIS2-QM20

Processing sensitive data or part of critical supply chains

  • Number of companies: hundreds of thousands of SME suppliers
  • Security measures: 6 categories / 36 measures
  • Impact: medium – explicit security requirements from customers and partners

NIS2-QM10

Organizations with a lower risk profile or limited digital dependency

  • Number of companies: majority of SMEs
  • Security measures: 4 categories / 17 measures
  • Impact: medium/low – demonstrable security becomes a “license to operate”

What does this mean in practice?

Is your organization not directly subject to NIS2? Large customers and public organizations will impose stricter requirements on their suppliers.

Requirements & questionnaires

Extensive security questionnaires, NDAs, and requirements for processes, patching, MFA, backups, monitoring, and more.

Contractual obligations

Security clauses, audit rights, reporting deadlines, and penalty provisions are increasingly included in contracts.

Audits & evidence

Customers request demonstrable evidence: policies, logs, test results, or certifications (such as the NIS2 Quality Mark).

“During a customer audit, we had to demonstrate that we were NIS2-compliant. Thanks to SpySecure, we had everything in order within a week.”
– IT manager, logistics company

“As a healthcare organization, we had to prove that patient data is properly secured and compliant with NIS2. Thanks to SpySecure, we quickly implemented the right security measures and had clear reporting for our auditor.”
– Director, healthcare organization

“For a major new construction project, our customer requires demonstrable security and NIS2 compliance. This is now contractually enforced. With SpySecure, we quickly gained insight and a solution we could start with immediately.”
– Project manager, construction company

What is the NIS2 Quality Mark?

The NIS2 Quality Mark is a European certification that helps organizations demonstrate compliance with the key requirements of the NIS2 Directive. It was developed by DigiTrust and the Quality Innovation Foundation to support organizations in improving their digital resilience and strengthening trust across the supply chain.

The certification consists of three maturity levels:

  • QM10 – Basic: for organizations with a low risk profile or limited digital dependency.
  • QM20 – Substantial: for organizations that process sensitive data or are part of critical supply chains.
  • QM30 – High: for organizations with a vital or business-critical role in the supply chain.

With the NIS2 Quality Mark, you demonstrate that your organization takes cybersecurity seriously and complies with European regulations — an important signal to customers, partners, and regulators.

NIS2 compliance without hassle

Compare for yourself: the traditional approach versus our all-in-one solution.

Without SpySecure

  • ❌ Unclear obligations and priorities
  • ❌ Disconnected tools and services that don’t integrate
  • ❌ No clear visibility or demonstrable reporting
  • ❌ Stress and time pressure during audits and customer requests
  • ❌ High costs due to fragmented solutions

With SpySecure

  • ✅ Clear explanation of obligations and next steps
  • ✅ All-in-one security and compliance package
  • ✅ Real-time visibility and clear reporting
  • ✅ Support for audits and demonstrable compliance
  • ✅ Flexible and affordable, tailored to your organization