There’s a lot of noise around NIS2. One person hears it’s becoming mandatory, another that it only affects large companies. Both are a little true. Below, in plain language: what it is, who it applies to, and where you begin, without the scaremongering.
What is NIS2, briefly?
NIS2 is a European directive for digital security, translated in the Netherlands into the Cybersecurity Act (Cyberbeveiligingswet). The aim is simple: businesses that matter to society have to get their digital resilience in order and be able to prove it. The law was adopted in 2026 and is expected to take effect around 15 August 2026.
Who does it apply to?
Roughly two groups:
- Directly: medium and large organisations (from around 50 employees or more than 10 million euros in revenue) in designated, important sectors.
- Indirectly: many smaller businesses that don’t fall under the law themselves, but supply an organisation that does. That large customer has to get its supply chain in order too, and passes those requirements down to its suppliers.
That second group is easily forgotten, while in practice it involves a great many SMEs. Even if the law doesn’t apply to you directly, your biggest customer may still ask you for provable security.
What does the law ask, roughly?
Without lapsing into legal language, it comes down to a handful of healthy basic measures: knowing the risks you run, keeping your access and systems in order, multi-factor authentication, tested backups, making your people aware, and a plan for when something goes wrong. Each one a thing you’d want anyway.
Where do you begin?
Not with a thick policy document, but with clarity. Knowing where you stand now immediately shows what still needs doing. Our free security scan touches the same themes that NIS2 covers, and with MIRA we record the results in a measurable, provable way, which is exactly what a customer or regulator wants to see.
This is the short version. Want the full story, with the obligations and the timeline? Read the in-depth page NIS2 for SMEs.
A few questions we often get
Do I fall under NIS2?
That depends on your sector and your size. If you don’t fall under it directly, you can still be affected via a customer who passes the requirements down. Not sure? Then we’ll take a look with you in an intro call.
What happens if I do nothing?
For businesses that fall under it directly, that can lead to obligations and fines. But even without that, “doing nothing” is rarely wise: the measures protect your business and are increasingly asked for by customers and insurers.
Do we have to overhaul everything for this?
Usually not. Often you’ve already arranged part of it and it’s about the finishing touches. That’s why we start by mapping what’s already there, so you can work in a targeted way instead of tackling everything at once.
Curious how you stand? Take the free security scan for a first picture, or book an intro call, and we’ll look together whether and how NIS2 affects you.