Overview of NIS2 and the Situation in the Netherlands
In recent years, large language models such as ChatGPT have become widely available to the public, rapidly transforming our surrounding environment. At the same time, the frequency and sophistication of cyberattacks, as well as potential financial losses of such incidents, have been increasing, underscoring the growing importance of cybersecurity. In response, EU Member States are collaborating to strengthen overall cybersecurity across Europe.This article outlines the main updates of the NIS2 Directive, including the expansion of its scope, key provisions, and sanctions. Organizations are encouraged to verify whether they fall under the directive’s scope and to prioritize compliance measures considering stricter obligations and potential penalties.
Background of the NIS Directive Amendment
The first NIS Directive (NIS1), adopted in 2016, represented the EU’s first attempt to help achieve a higher level of cybersecurity for network and information systems across Member States. While NIS1 improved cybersecurity capabilities, implementation and standards varied among countries. In response to the rapid digital transformation and the increasing threat of cyberattacks, the European Commission proposed the NIS2 directive is the successor to the first NIS directive with more robust security requirements. The directive aims to broaden the scope of covered entities, impose mandatory security measures, and raise Europe’s overall cybersecurity standards.Scope of NIS2
Entities falling under Annex I and II sectors are subject to NIS2 if they meet the following criteria:- Important Entities: Medium-sized organization with at least 50 employees or an annual turnover or balance sheet total over €10 million.
- Essential Entities: Large organization with more than 250 employees or net turnover of over €50 million and balance sheet total of more than €43 million.
Small and Medium-Sized Enterprises (SMEs)operating in critical sectors
The Dutch government provides a self-assessment tool to check whether an organization falls under the NIS2 scope: Rijksoverheid NIS2 Tool
Key Provisions of NIS2
- Duty of Care: Entities must conduct risk assessments and take measures to guarantee continuation of services as much as possible and protect the information used.
- Duty to report: Incidents that (can) significantly disrupt the provision of the essential services must be reported to the supervising authority within 24 hours. Cyber incidents must also be reported to the Cyber Security Incident Response Team (CSIRT). The determination of reportable incidents depends on factors such as the number of people affected by the disruption, the duration of the disruption, and the potential financial losses.
- Supervision: Organizations covered by the NIS2 directive are subject to supervision to look at compliance with the obligations of the directive, such as the duty of care and the duty to report. It is currently being worked out which sectors will fall under which supervisory body.
Implementation Timeline
In the Netherlands, the new law is expected to come into effect in Q2 2026, pending approval by both the lower and upper houses of Parliament (Tweede en Eerste Kamer).Sanctions
NIS2 establishes minimum sanctions as follows:
- Important Entities: Up to €7 million or 1.4% of total worldwide turnover, whichever is higher.
- Essential Entities: Up to €10 million or 2% of total worldwide turnover, whichever is higher.
Disclaimer: This article is based on a summary and analysis of the source document(s) referenced herein. In the event of any conflict or discrepancy between the contents of this article and the original source document(s), the original source document(s) shall govern and take precedence.
Source: Business.gov.nl – Amendment of NIS2 Directive
Source: Directive (EU) 2022/2555
If you have any questions or inquiries regarding this news article, please contact us via our contact page.
Contact | ID Europe B.V. (idnet.co.jp)