Ga naar inhoud

NIS2 ·

NIS2 in 2026: what essential and important entities must demonstrate now

May 2026 update. The European NIS2 Directive is now embedded in Dutch national law. For many operators in essential and important sectors, the question is no longer whether to act, but how fast they can prove controls work — for supervisors, customers and their own board.

What changed in the Netherlands?

In-scope organisations must embed board accountability, report incidents within deadlines, assess supply-chain risk and align measures with current threats. Customers in energy, healthcare, logistics and IT services often ask for the same themes contractually.

  • embed board-level accountability and governance for cyber risk;
  • report incidents within applicable deadlines;
  • assess supply-chain risk (vendors, SaaS, outsourcers);
  • align measures with current threats — not paper-only compliance.

Three evidence questions for 2026

  1. Who owns it? Not only the CISO — line management and the board need mandate.
  2. What is in scope? Services, sites, systems and suppliers tied to the management system.
  3. How do you prove operation? Logs, tests, change decisions, exercises — version control and dates matter.

Link with ISO 27001

Many teams combine NIS2 with ISO 27001 certification. ISO 27001 gives structure; NIS2 sharpens board and chain duties. Use one risk register and tag what is NIS2-specific.

Practical steps

  • Gap analysis against NIS2 and existing ISO/ISMS documentation.
  • Prioritise vendors — start with identity, backup and monitoring.
  • Connect to readiness overview and NIS2 hub.

In 2026 supply-chain partners increasingly assess NIS2 governance alongside ISO 27001 evidence. Document which controls satisfy both frameworks and where NIS2 adds board and notification duties. That prevents debate during surveillance and speeds questionnaire responses.

Run quarterly reviews with line management on open chain risks and incident lessons. Tie board decisions on acceptance and investment to management review so auditors and supervisors see the same story as your customers.

Expand incident playbooks with notification timelines and board escalation. Exercise annually with a chain-impact scenario. Record lessons in the improvement register and link them to risk treatment in the SoA.

Communication to chain partners

NIS2 expectations also arrive via vendors and customers: security questionnaires, contract clauses and audit rights. Keep answers consistent with your risk register and management review — chain partners compare documents over time.

Invest in clear scope communication: which services, sites and systems fall under the management system? Unclear scope fuels debate with supervisors and certification.

Publish an internal NIS2 scope one-pager: which entity, which services, who reports incidents. External parties increasingly ask for that clarity before contract signing. Update the one-pager when scope or chain changes significantly.

Board and supply chain in one rhythm

NIS2 makes cybersecurity a board duty — not an IT project updated once a year. Plan quarterly conversations where leadership explicitly weighs scope, open chain risks and investment. Record decisions in management review; supervisors and large customers increasingly ask for those minutes or a summary.

For vendors in vital chains: your customers must explain how you fit their NIS2 scope. Send a proactive security one-pager with certification, incident contact and scope — that speeds procurement and avoids last-minute surveys.

Combine NIS2 gap analysis with ISO 27001 planning: duplicate workshops waste time. One risk register tagged NIS2/ISO saves months and keeps auditors and supervisors on one story.

For essential and important entities: explicitly document which services fall under NIS2 and which vendors you treat as critical. Update that list at least quarterly or after major contract changes. Chain partners use the same list in due diligence — inconsistency between questionnaire and reality is a common 2026 issue.

Consider a tabletop with leadership walking through a fictional chain incident: notification, communication, recovery, lessons learned. Record outcomes in the same incident register you use for ISO 27001.

Next steps in your ISMS

Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.

Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.

Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.

What to do this week

Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.

Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.

Deep dive in the knowledge base

Run the NIS2 readiness scan

Align NIS2 expectations with your existing management system.

Start NIS2 scan

← Back to overview