Ga naar inhoud

NIS2 ·

Dutch Cybersecurity Act and SMEs: overlap with NIS2 without duplicate work

Update 2026. The Dutch Cybersecurity Act implements NIS2 nationally. SMEs ask: are we in scope, and must we duplicate everything alongside ISO 27001?

Scoping without panic

Not every SME is an essential entity. Yet customers in vital supply chains often ask for the same proof: governance, incident reporting, vendor management, logging.

  • sector and turnover/service — formal scope under national law;
  • contractual demands from largest customers (often stricter than law);
  • overlap with an existing ISMS or ISO programme.

One register, two frameworks

Avoid parallel spreadsheets for NIS2, national law and ISO. Use one risk register, one incident process and one vendor register tagged per framework.

Practical first steps

  1. Gap analysis against NIS2 and national cybersecurity law.
  2. Assign board-level ownership — CISO alone is insufficient.
  3. Deep dive: ISO 27001 vs NIS2.

In 2026 overlap between national law, NIS2 and ISO 27001 is the core question for many SMEs. Build a mapping matrix: which control covers which legal duty, which evidence you deliver once and where extra documentation is needed for board or notification duties.

Contractual demands from vital customers can exceed formal law scope. Prioritise those customers in gap analysis and record in management review which investments cover both.

Plan an incident notification tabletop with 24-hour and 72-hour scenarios. National law and GDPR can apply together — document who decides on authority and data subject notification.

Practical for SMEs in the chain

Many SMEs are formally outside essential entity status but supply vital sectors. Contractual security demands then lead: ask customers which evidence they expect and map it on one ISMS instead of separate NIS2 and ISO folders.

Board involvement need not mean a new committee — a fixed management review agenda item on cyber risk, chain and open actions suffices. CISO presents; board decides on acceptance and investment.

Exercise incident notification with scenarios where GDPR and national law apply together. Record who leads, which deadlines apply and when external counsel is engaged.

Use existing ISO 27001 documentation as the base for gap analysis against national law. Many controls overlap; the difference is mainly governance, chain and notification — tag that in your register instead of rewriting everything.

Partner with industry associations or chain peers for shared templates — gap analysis need not be solo. Many SME suppliers get the same questionnaires; one good mapping saves the whole chain time.

Formal scope versus contractual pressure

Your formal national law scope may be narrower than what customers contractually require. Prioritise gap analysis on largest customers and sectors where you are a visible chain partner. Management review must state which investments cover both.

Partner with industry associations or chain peers for shared templates — gap analysis need not be solo. One good mapping saves the whole chain time on questionnaires.

Train project leads that major changes (new SaaS, outsourcing) can affect scope and risk — trigger the same checklist as ISO 27001 scope changes.

Next steps in your ISMS

Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.

Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.

Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.

What to do this week

Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.

Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.

Evidence and governance

Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.

Deep dive in the knowledge base

Run the NIS2 readiness scan

Align NIS2 expectations with your existing management system.

Start NIS2 scan

← Back to overview