NIS2
The new cyber rules sound complicated, but the core is simple: knowing where you stand and being able to prove your IT is in order. We explain what it is, who it applies to and where to begin.
NIS2 is a European directive for digital security, translated in the Netherlands into the Cybersecurity Act. The thinking behind it is simple: businesses that matter to society have to get their digital resilience in order, and be able to show it. So it is not about one technical trick, but about having provable control over your risks.
Not every business falls under it directly. But "not direct" does not mean "no concern", because the rules ripple through the whole chain.
Medium and large organisations (from around 50 employees or more than 10 million euros in revenue) in designated, important sectors fall under it directly. They face a duty of care, a reporting duty and supervision.
If you do not fall under it yourself, you can still be affected through your customers. Because an organisation that does fall under NIS2 has to get its suppliers in order too, and passes those requirements down. That is how it touches a large group of SMEs indirectly.
In practice this is what we see most often: your biggest customer suddenly asks whether your security is provably in order. That is the moment you want it sorted, not afterwards.
Without lapsing into legal language, it comes down to a handful of healthy basic measures, each one something you would want anyway:
The nice part: these are exactly the things that make your IT safer and calmer anyway. NIS2 or not.
You don't have to panic about this, nor write a policy document straight away. The first step is knowing where you stand now. Our free security scan touches the themes NIS2 covers too, and with MIRA we record it in a measurable, provable way: exactly what a customer or regulator wants to see.
This is an explanation in plain language, not legal advice. Whether and how NIS2 applies to you exactly depends on your situation, which we are happy to discuss honestly.
No legal jargon, just honest answers to what we hear most often.
That depends on your sector and your size. From around 50 employees or 10 million euros in revenue in a designated sector you probably fall under it directly. Below that, you can still be affected through a customer who passes the requirements down. Not sure? Then we will take a look with you in an intro call.
The Cybersecurity Act was adopted in 2026 and is expected to take effect around 15 August 2026. Starting now gives you time to get it in order calmly rather than under pressure.
For businesses that fall under it directly, that can lead to obligations and fines. But even without that, waiting is rarely wise: the measures protect your business and are increasingly asked for by customers and insurers.
Usually not. Often you have already arranged part of it and it is about the finishing touches. So we start by mapping what is there, so you work in a targeted way instead of all at once.
Our free scan touches the themes NIS2 covers too, so you quickly know where you stand. Not sure whether NIS2 applies to you? In a no-strings intro call we’ll take a look with you.