NIS2 is the EU directive transposed into national law requiring essential and important entities to manage cyber risk with board accountability, incident notification, and supply-chain assurance — for many Dutch B2B suppliers it is as commercially visible as ISO 27001.
NIS2 does not replace ISO 27001 — organisations often combine them: ISO supplies PDCA structure and certifiable evidence; NIS2 adds legal duties on leadership and reporting timelines you must map explicitly.
What does this mean?
In-scope organisations must embed governance, risk management, incident handling, business continuity, supply-chain security, and secure development practices proportionate to risk — exact articles vary by member state implementation.
Board accountability is explicit — leadership must approve cyber risk measures and may face liability for negligence in some jurisdictions. Incident notification deadlines apply to significant incidents — know your national authority and timelines.
Supply chain: assess critical suppliers, contract security clauses, monitor where feasible — overlaps ISO vendor management but NIS2 is legal, not optional certification.
Registration and supervision depend on sector and size — confirm whether you are essential, important, or outside scope with legal counsel.
Who is this for?
Board and executives owning NIS2 governance; CISOs implementing measures; compliance mapping NIS2 to existing ISMS; MSPs and SaaS vendors in customer chains asked for NIS2 assurance.
SMEs may be outside direct scope but still face contractual NIS2-style questionnaires from banks and energy customers.
What steps or requirements apply?
Determine scope with legal: entity classification, sectors, thresholds. Gap analysis against NIS2 measures and existing ISO documentation.
Single risk register with NIS2 tags — avoid duplicate silos. Update incident playbooks with notification decision trees and authority contacts.
Vendor tiering with criticality and review evidence. Board minutes showing cyber risk decisions — not security-only slides.
Exercise incident scenario including chain impact and notification drill.
Common mistakes
Assuming ISO certificate alone satisfies NIS2 — notification and board duties remain. No supply-chain register. Incident playbook without legal review of thresholds.
Copy-paste policy without operational proof. Ignoring SME contractual pass-through from larger in-scope customers.
Practical action plan
Month 1: scope determination; month 2: gap vs ISMS; month 3: remediation plan and board briefing. Link ISO 27001, ISMS, vendors.
Quarterly board cyber item with decisions logged. Align with audit preparation rhythms for evidence discipline.
Relationship with ISO 27001, NIS2, GDPR or ISMS
ISO 27001 structure supports many NIS2 measures — tag overlaps in SoA. GDPR intersects on incidents involving personal data.
ISMS is the operational home; NIS2 is legal overlay — one story for supervisors and customers.
National transposition details vary — confirm Dutch Cyberbeveiligingswet obligations with counsel, not blog posts alone.
Essential vs important entity duties differ in supervision intensity — classification drives budget.
Subcontractor flow-down: if you serve in-scope customers, their contract security schedules may reference NIS2 articles explicitly.
Board training records on cyber risk — evidence supervisors expect alongside policies.
Cooperation with CSIRT/National authority: contact details in incident playbook, tested annually.
Map NIS2 measures to ISO SoA rows in management review — explicit mapping beats assumption.
Significant incident threshold decision tree signed by legal — notification timing depends on classification.
Supply chain tiering criteria documented — why vendor X is critical vs commodity SaaS.
Business continuity for critical services aligned with NIS2 resilience expectations — test results archived.
Security in acquisition due diligence when buying companies — NIS2 governance extends to integration.
Incident significance threshold decision tree co-signed by legal — notification timing depends on classification under national law.
Board cyber training attendance records — supervisors expect evidence beyond policy PDF on governance.
Supply-chain tiering workshop output archived — why vendor A is critical and vendor B is commodity must be explainable to supervisors.
Map Cyberbeveiligingswet articles to ISO SoA rows in management review slides — explicit mapping beats assuming certificate covers law.
Governance evidence pack: board minutes referencing cyber risk, approved budget lines, assigned executive owner, and date of last briefing — supervisors ask for board attention, not only CISO slides.
Incident notification drill includes legal, comms, and DPO when personal data involved — dual track for NIS2 authority and GDPR AP within respective deadlines.
Supply-chain register tiering workshop output stored with criteria — why identity provider is tier 1 and office supplies vendor is tier 3 must survive staff turnover and auditor interviews.
Penetration test and vulnerability programme evidence mapped to NIS2 risk management measures — supervisors and ISO auditors both sample remediation closure with dates.
Document which measures are legal minimum versus voluntary best practice — helps board prioritise spend under supervision.
Align incident playbooks with both NIS2 authority and GDPR AP contact details on single escalation card for on-call.
NIS2 adds board accountability and incident notification timelines — map which measures are legal minimum versus voluntary uplift so management review shows conscious choices.
Supply-chain risk under NIS2 overlaps ISO 27001 supplier controls — one register tagged for both frameworks avoids duplicate questionnaires to the same SaaS vendors.
Incident playbooks should align NIS2 authority notification with GDPR Article 33 where personal data is involved — dual escalation paths documented prevent deadline misses.
Essential versus important entity classification drives supervision intensity — document your classification rationale and review when revenue or sector codes change.
Management bodies must approve cyber risk measures under NIS2 — minutes showing board decisions on investment and acceptance satisfy governance evidence ISO auditors also value.
Pen-test and vulnerability management evidence supports both NIS2 proportionality arguments and ISO Annex A — store once, cite in both contexts.
Register of essential and important services under Dutch transposition — review when product mix or customer sectors change to avoid wrong supervision assumptions.
Cyber hygiene training records for management bodies — NIS2 expects directors to understand risk; attendance logs support governance interviews.
Dutch transposition may classify your SaaS customer base differently than ISO scope — document legal classification review separately from certificate scope statement.
Business continuity and crisis communication plans referenced in NIS2 map to ISO A.5.29 and A.5.30 — single tested plan cited in both contexts saves exercise budget.
Security contact reachable 24/7 for incident escalation — NIS2 and customer contracts expect published contact; ISO incident process should use same channel.
Annual report to management body on cyber measures — NIS2 governance evidence doubles as ISO management review input when structured once.
Map NIS2 incident severity tiers to ISO incident classification — one taxonomy avoids duplicate playbooks and missed deadlines.
Identify single accountable executive for cyber risk reporting — NIS2 and ISO both expect named leadership, not anonymous ‘management’.
Practice cross-border incident notification when customers and data span EU member states — playbook timing differs from single-country GDPR-only view.
Contractual flow-down to critical suppliers for security clauses — NIS2 chain expectations mirror ISO A.5.19 but auditors and supervisors ask for signed evidence.
Joint ISO-NIS2 gap workshop once per year — single attendee list and minutes satisfy overlapping governance evidence for both frameworks.
Record regulator and sector supervisor contacts in incident playbook — wrong authority notification wastes critical hours after breach.
Align NIS2 training records with ISO awareness programme — one attendance log cited for both reduces duplicate LMS spend.