May 2026 update. The European NIS2 Directive is now embedded in Dutch national law. For many operators in essential and important sectors, the question is no longer whether to act, but how fast they can prove controls work — for supervisors, customers and their own board.
What changed in the Netherlands?
In-scope organisations must, among other things:
- embed board-level accountability and governance for cyber risk;
- report incidents within applicable deadlines;
- assess supply-chain risk (vendors, SaaS, outsourcers);
- align measures with current threats — not paper-only compliance.
Three evidence questions for 2026
- Who owns it? Not only the CISO — line management and the board need mandate.
- What is in scope? Services, sites, systems and suppliers tied to the management system.
- How do you prove operation? Logs, tests, change decisions, exercises — version control and dates matter.
Link with ISO 27001
Many teams combine NIS2 with ISO 27001 certification. ISO 27001 gives structure (risk, SoA, audit); NIS2 sharpens board and chain duties. A certificate does not replace NIS2 supervision, and vice versa.
Practical steps this month
- Run a gap analysis against NIS2 and existing ISO/ISMS documentation.
- Prioritise vendors by impact — start with identity, backup and monitoring.
- Run a tabletop exercise of your incident notification path (who calls whom, within which hours).
- Connect results to your readiness overview so leadership sees one picture.
Note: This article is educational, not legal advice for your sector.
