NIS2

Work towards NIS2 and gain control over cyber risks and evidence

 

NIS2 introduces stricter requirements for the cyber resilience of organisations and their suppliers. SpySecure® helps you quickly understand what NIS2 means for your organisation and work in a structured way towards the right measures, evidence and compliance.

What is NIS2?

NIS2 takes effect on 1 July 2026 and puts cybersecurity firmly on the board agenda

NIS2 is European cybersecurity legislation that will take effect in the Netherlands through the Cybersecurity Act. For organisations that are directly or indirectly affected, this means more than additional IT security alone: it requires policies, evidence, supplier control, incident processes and executive involvement at management level.

Why this is urgent
Many organisations underestimate how much work NIS2 requires in practice
The real work is not only technical. It is also about governance, risk decisions, suppliers, evidence, incident processes and internal follow-up. As a result, security, compliance and audit providers become busier, and starting too late becomes more expensive and more difficult.
What management and leadership explicitly need to do
Approve measures, supervise implementation, follow training and be able to show that cyber risks have been taken seriously in decision-making.
Why starting now is sensible
Because the bottleneck is usually policy, ownership, supply chain control and evidence, not one isolated technical measure.
Which organisations fall directly under NIS2?
NIS2 applies directly to essential and important entities in designated sectors, such as energy, transport, healthcare, digital infrastructure, cloud and managed services, drinking water, government, manufacturing and other critical sectors. For these organisations, cybersecurity becomes an explicit legal obligation with supervision and enforcement.
Why should management and boards take this seriously now?
NIS2 explicitly places responsibility higher in the organisation. Management must approve cybersecurity measures, supervise their implementation and follow relevant training. The directive also explicitly states that management can be held liable for infringements by the organisation. This cannot be treated as just an IT topic.
Why does this also affect many suppliers and supply chain partners?
NIS2 requires organisations to better manage risks in their supply chain and with suppliers. This is not limited to IT suppliers, but includes all parties that influence continuity, processes, data or operational resilience. Think of accountants, logistics providers, manufacturing partners, software suppliers and other critical supply chain partners. As a result, many companies will face additional questions, controls and audit pressure from customers, even if they do not fall directly under NIS2 themselves.
Why organisations get stuck

Without structure, NIS2 preparation becomes slow, expensive and chaotic

Many organisations already have separate measures, policies and documents in place. The challenge is to bring everything together into one clear approach with proper ownership, supplier follow-up, audit preparation and management oversight. This is often where organisations get stuck.

Evidence and documentation are fragmented
Policies, risk assessments, technical reports, screenshots, supplier documents and action points are often spread across SharePoint, folders, spreadsheets and e-mail. This makes it time-consuming to gain oversight, and the overall picture is quickly lost.
It requires alignment across multiple teams
IT, security, operations, management, HR, legal, procurement and suppliers often all need to provide input or follow up on actions. Without clear structure, tasks remain open, ownership becomes unclear and delays occur.
Suppliers need to be actively assessed
NIS2 does not stop at your own organisation. Suppliers and supply chain partners must also be included. In practice, this is often difficult because information is missing, questionnaires remain unanswered or responsibilities are unclear.
Audit preparation quickly becomes chaotic
When evidence, status and open points are not organised centrally, an audit or external assessment quickly becomes unclear and expensive. Too much time is then spent searching, aligning, duplicating work and fixing issues at the last minute.
Management needs oversight, not scattered documents
Management and the board need to supervise risks, measures, progress and open points. That is not possible when information is spread across different systems, documents and teams.
Starting too late makes the process much more expensive
Organisations that start late often have to create policies, collect evidence, contact suppliers and resolve open risks all at the same time under time pressure. This requires more internal time, more external support and usually leads to more remediation work.
What you need

Complying with NIS2 requires more than good technology alone

To work towards NIS2 in a structured way, your organisation needs more than security measures alone. You also need to assess risks, involve suppliers, follow up on incidents and capture evidence properly.

Policy and governance
NIS2 requires clear responsibilities, management involvement and policies that fit your organisation’s risks and activities.
Appropriate security measures
Your organisation must take technical and organisational measures to reduce cyber risks and better prevent, detect and manage incidents.
Risk assessment and follow-up
It is not enough to identify risks once. You need to assess risks, prioritise them, follow up on measures and be able to show what is still open.
Supplier and supply chain management
NIS2 also requires attention to suppliers and supply chain partners. You need insight into relevant risks outside your own organisation and must actively follow up where needed.
Incident processes and reporting obligations
Organisations must be able to detect, assess, follow up on and, where necessary, correctly report incidents in time. This requires clear processes and responsibilities.
Evidence and audit readiness
You need to be able to substantiate which measures are in place, how risks are managed and which actions have been completed. Without proper evidence, preparing for audits and controls quickly becomes unnecessarily expensive and chaotic.
 
How SpySecure helps

From implementing NIS2 measures to audit readiness and certification

SpySecure® helps you with more than structure and evidence. We support the full compliance process: from insight and setup to audit and certification preparation, together with specialised audit partners.

1. Insight and structure
We map out what NIS2 means for your organisation and which requirements, risks, measures and suppliers are relevant. We then set up Compliance Manager so that evidence, actions, owners and progress come together centrally and clearly.
Result
  • Clear insight into relevant NIS2 requirements
  • One central environment for evidence and follow-up
  • Control over risks, open points and ownership
2. Build measures and evidence
We help you organise the required organisational and technical measures, involve suppliers and capture evidence correctly. Where possible, we also use evidence from your security layers, so measures are not only implemented, but remain current and well substantiated.
Result
  • Measures and evidence logically connected
  • Better preparation for assessments and customer questions
  • Less manual searching and less duplicate work
3. Prepare for audit and certification
We guide you towards audit and certification, keeping the process manageable and cost-efficient. We can also work with partner auditors, so you are not only working on compliance, but actively moving towards a successful audit and certification.
Result
  • Tighter and less chaotic audit preparation
  • Lower risk of delays, remediation work and extra audit costs
  • More focused route towards certification with audit partners
FAQ

Frequently asked questions about NIS2

What exactly is NIS2?
NIS stands for Network and Information Security. NIS2 is the second European directive in this area and the successor to NIS1. The regulation sets stricter requirements for the digital resilience of organisations and is not only about technology, but also about governance, risks, suppliers, incidents and evidence.
When will NIS2 apply in the Netherlands?
In the Netherlands, NIS2 will be implemented through the Cybersecurity Act. The intended effective date is 1 July 2026. This will legally embed, among other things, the duty of care, reporting obligation and registration obligation.
Does NIS2 apply to my organisation?
That depends on your sector, size and role. Some organisations fall directly under NIS2. But even if you do not fall directly under NIS2, you may still need to meet the same or similar requirements in practice, because your customers may impose those requirements on their full supplier chain.
Why is NIS2 relevant for almost every supplier?
Because organisations under NIS2 must manage supply chain risks. In practice, this means they will set requirements for all relevant suppliers. Not only for a few technical parties, but for every supplier that is important for continuity, processes, data, service delivery or security of supply. As a result, companies that do not fall directly under NIS2 may still face NIS2 requirements, questionnaires, audits and evidence requests.
What does NIS2 mean for management and boards?
NIS2 explicitly places responsibility higher in the organisation. Management and boards must approve cybersecurity measures, supervise implementation and follow appropriate training. NIS2 also explicitly states that management can be held liable for infringements by the organisation. This is therefore not something you can fully delegate to IT or security alone.
Is NIS2 only about technical measures?
No. Technical measures are important, but NIS2 also requires governance, policies, risk assessment, supplier management, incident processes, training and evidence. It is precisely this combination that makes the process complex for many organisations.
Why does audit preparation under NIS2 often become expensive and chaotic?
Because many organisations start too late and have evidence, policies, actions and supplier information stored in fragmented places. Too much time is then lost searching, aligning and remediating. Without a central structure, audits or external assessments quickly become unnecessarily heavy and costly.
Does SpySecure also help with audit and certification?
Yes. SpySecure helps you implement measures, organise evidence and prepare for audit and certification. We also work with partner auditors and have made more favourable agreements on pricing, so you can often move towards audit and certification faster and more cost-efficiently.
Should we wait until 1 July 2026?
No. Precisely because preparation requires a lot of work, starting early is sensible. If you start on time, you can build up measures, supplier questions, evidence and internal responsibilities in a much more manageable way and avoid unnecessary pressure, delays and extra costs later in the process.
Get started

Start your NIS2 preparation on time

Plan a demo or advisory call and discover how SpySecure® helps you implement NIS2 measures, organise evidence centrally and work towards audit and certification in a controlled way.

Build the right foundation for NIS2
 
Compliance Manager
Organise NIS2 requirements, evidence, actions, employees, suppliers and audit preparation centrally in one clear environment.
Managed Security packages
Implement important security layers for devices, e-mail, cloud, identities, backups and employees as a technical foundation for NIS2.
Many organisations combine Compliance Manager with appropriate security measures to work towards audit and certification faster and more cost-efficiently.