24 March 2026 • NIS2
An ISO 27001 certification is a badge of honor: it shows that your organization takes the management of sensitive information seriously. But it is far from the only framework demanding attention in 2026.
The NIS2 directive (also referred to as NIS-2 or NIS 2.0) requires organizations across 18 sectors to implement robust cyber security measures, including security awareness training for all employees.
But understanding exactly what NIS2 demands, and how the Dutch Cyberbeveiligingswet (Cwb) translates it into national law, can be overwhelming.
In this guide, we break down everything you need to know: what NIS2 is, who it applies to, the complete NIS2 checklist for 2026, and how to make your organization audit-ready.
What is the NIS2 directive?
The NIS2 directive (Directive (EU) 2022/2555) is the European Union’s updated framework for network and information security. It replaced the original NIS directive (NIS1) from 2016, which was the EU’s first piece of cybersecurity legislation.
NIS2 entered into force on 16 January 2023, and EU member states were required to transpose it into national law by 17 October 2024. However, most member states, including the Netherlands, missed this deadline.
The directive aims to achieve a high common level of cyber security across the EU by requiring organizations in critical sectors to:
- Implement risk-based cyber security measures
- Report significant incidents to authorities within strict timelines
- Ensure management bodies are trained and accountable
- Provide regular awareness training to all employees
- Manage supply chain security risks
An estimated 160,000 entities across the EU fall under NIS2’s scope. That’s a tenfold increase compared to NIS1.
NIS2 vs NIS1: what changed?
The original NIS directive was a solid starting point, but it had significant gaps. NIS2 addresses these across the board. Here’s a quick summary of the most important changes:
| Aspect | NIS1 | NIS2 |
|---|---|---|
| Sectors covered | 7 sectors | 18 sectors |
| Entities in scope | ~15,000 | ~160,000 |
| Incident reporting | No specific timeline | 24h / 72h / 1 month |
| Penalties | Determined per member state | Up to €10M or 2% of turnover |
| Management liability | Not addressed | Management bodies can be held liable for infringements of the risk-management obligations (Article 20) |
| Supply chain | Not explicitly required | Mandatory risk management |
| Management training | Not required | Mandatory for board and C-suite |
Want to dive deeper into the differences? Read our full comparison: What is the difference between NIS1 and NIS2?
NIS2 legislation in Europe
NIS2 is an EU directive, which means it doesn’t apply directly to organizations. Each member state must transpose it into national law. Here’s where things stand in 2026.
Implementation status across the EU
Implementation progress varies significantly. Countries like Belgium, Croatia, and Italy were among the first to adopt national legislation. Others, including the Netherlands and Germany, took longer.
The European Commission opened infringement proceedings against 23 member states for missing the October 2024 transposition deadline. By May 2025, 19 member states had received formal legal warnings (reasoned opinions). As of early 2026, around 16 countries have fully transposed NIS2 into national law.
The January 2026 EU cybersecurity package
On 20 January 2026, the European Commission published a proposal to amend the NIS2 directive as part of a broader cybersecurity package. The key changes include:
- Simplified jurisdictional rules for organizations operating across multiple EU countries
- Certification-based compliance pathways, allowing organizations to demonstrate compliance through recognized certifications
- Enhanced ransomware reporting with more detailed incident data requirements
- Expanded scope to include providers of European Digital Identity Wallets and submarine data infrastructure
- Reclassification of roughly 22,500 entities to lower the compliance burden for smaller organizations
- A strengthened role for ENISA in coordinating cross-border supervision
These amendments are expected to be negotiated throughout 2026, with a 12-month transposition period after adoption.
NIS2 in the Netherlands: the Cyberbeveiligingswet (Cwb)
In the Netherlands, the NIS2 directive is being transposed into the Cyberbeveiligingswet (Cwb). This law replaces the current Wbni (Wet beveiliging netwerk- en informatiesystemen).
Current status (March 2026)
- The bill was submitted to the Tweede Kamer on 4 June 2025
- A plenary debate was scheduled for 23 March 2026
- After the Tweede Kamer, the bill must still pass through the Eerste Kamer
- The government aims for the law to enter into force in Q2 2026
Three regulatory components
The Dutch implementation consists of three layers:
- The Cyberbeveiligingswet, which is the primary law implementing NIS2
- The Cyberbeveiligingsbesluit (AMvB), a General Administrative Order defining specific obligations
- Sector-specific ministerial regulations with tailored requirements per sector
Key Dutch obligations
Organizations falling under the Cyberbeveiligingswet must comply with four core obligations:
- Zorgplicht (duty of care): implement appropriate technical and organizational measures to manage cyber security risks
- Registratieplicht (registration duty): register with the designated supervisory authority for your sector
- Trainingsplicht voor bestuurders (management training obligation): board members and management must undergo cyber security training
- Meldplicht (incident reporting obligation): report significant incidents to the NCSC within the prescribed timelines
Supervisory authorities
The NCSC (Nationaal Cyber Security Centrum) serves as the primary coordinating body. Sector-specific supervisory authorities are designated through ministerial regulations.
For organizations in the healthcare sector, the regulatory landscape is particularly complex, combining NIS2 requirements with existing healthcare-specific regulations around patient data protection.
Who does NIS2 apply to?
NIS2 applies to organizations based on two criteria: sector and size.
Essential entities (highly critical sectors)
- Energy (electricity, oil, gas, hydrogen, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructures
- Healthcare (hospitals, laboratories, medical device manufacturers, pharmacies)
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD registries, cloud providers, data centers, CDNs)
- ICT service management (managed service providers, managed security service providers)
- Public administration
- Space
Important entities (other critical sectors)
- Postal and courier services
- Waste management
- Manufacturing (medical devices, electronics, machinery, motor vehicles)
- Food production, processing, and distribution
- Chemical production and distribution
- Digital providers (online marketplaces, search engines, social networking platforms)
- Research organizations
Size thresholds
Organizations in these sectors are in scope if they meet the following size criteria:
- Medium enterprises: 50+ employees or €10 million+ annual turnover
- Large enterprises: 250+ employees or €50 million+ annual turnover
Some entities are in scope regardless of size, including DNS providers, TLD registries, and (under the proposed 2026 amendments) providers of European Digital Identity Wallets.
The supervision difference
Essential entities are subject to proactive supervision, meaning regular audits and inspections, combined with higher penalties. Important entities face reactive supervision: investigations only happen after incidents or reports of non-compliance, and penalties are lower.
NIS2 checklist (2026)
Use this comprehensive checklist to verify your organization meets all NIS2 requirements. This goes beyond just awareness training and covers the full spectrum of NIS2 obligations to help you prepare for compliance and audits.
1. Governance and management accountability
- Management body has formally approved the organization’s cybersecurity risk management measures
- Board members and C-suite have completed cyber security training
- A designated person or team is responsible for NIS2 compliance (e.g., CISO, compliance officer)
- Cybersecurity is a standing agenda item in board and management meetings
- Management is aware of their personal liability for non-compliance
- Budget is allocated for cybersecurity measures and training
- Cybersecurity governance structure is documented and communicated
2. Risk management and security measures
NIS2 Article 21 requires organizations to implement appropriate and proportionate measures. Your checklist should include:
- A formal risk assessment has been conducted and is reviewed regularly
- Risk management policies are documented, approved, and communicated
- Technical measures are in place: firewalls, intrusion detection, encryption, access controls
- Organizational measures are in place: policies, procedures, roles and responsibilities
- Business continuity and disaster recovery plans exist and are tested
- Backup and restoration procedures are documented and tested regularly
- Network segmentation is implemented where appropriate
- Multi-factor authentication (MFA) is deployed for critical systems and remote access
- Vulnerability management program is in place (regular scanning, patching)
- Secure development practices are followed for in-house software
3. Incident reporting and response
- An incident response plan is documented and tested
- Incident classification criteria are defined (what constitutes a “significant incident”)
- The 24-hour early warning process is established and staff know how to trigger it
- The 72-hour incident notification procedure is documented
- The 1-month final report template and process are in place (the month runs from submission of the 72-hour incident notification, not from the moment of awareness; if the incident is still ongoing at that point, a progress report is due then and the final report within one month of the incident being handled)
- Contact details for the national CSIRT (e.g., NCSC in the Netherlands) are readily available
- Incident response roles are assigned and team members are trained
- Post-incident reviews are conducted and lessons learned are documented
- Incident response is tested through tabletop exercises at least annually
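The three reporting clocks above start at different moments: the 24-hour and 72-hour deadlines run from becoming aware of the incident, while the one-month final-report deadline runs from the time the 72-hour notification was actually submitted (Article 23(4)(d)). The tracker below is an added example, not code from this page or from Guardey; it models those clocks for a constructed sample incident. It assumes timezone-aware UTC timestamps, reads "one month" as a calendar month clamped to month end (31 January plus one month is 28 February), and does not model any stricter national deadlines the Cyberbeveiligingswet may add. The function and step names are my own.

```python
"""Tracker for the NIS2 Article 23 reporting clock.

Added example, not code from the page or from Guardey. Assumptions not stated on
the page: timestamps are timezone-aware UTC; "one month" is a calendar month,
clamped to the last day of the target month; national law (the Cwb) may add
stricter deadlines, which this script does not model.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING = timedelta(hours=24)          # Art. 23(4)(a): within 24 h of becoming aware
INCIDENT_NOTIFICATION = timedelta(hours=72)  # Art. 23(4)(b): within 72 h of becoming aware
STEPS = ("early_warning", "incident_notification", "final_report")


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Build a timezone-aware UTC timestamp (helper for the constructed sample below)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(t: datetime) -> datetime:
    """Same day one calendar month later; 31 Jan becomes 28/29 Feb, 31 Dec rolls over the year."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, monthrange(year, month)[1]))


@dataclass(frozen=True)
class ReportingDeadlines:
    early_warning: datetime
    incident_notification: datetime
    final_report: Optional[datetime]  # None until the 72 h notification has been submitted


def nis2_deadlines(aware_at: datetime,
                   notification_submitted_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Derive the three deadlines. The final-report month (Art. 23(4)(d)) is counted from
    the moment the incident notification was actually submitted, not from awareness."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    final = add_one_month(notification_submitted_at) if notification_submitted_at else None
    return ReportingDeadlines(aware_at + EARLY_WARNING, aware_at + INCIDENT_NOTIFICATION, final)


def reporting_status(aware_at: datetime, submitted: dict, now: datetime) -> dict:
    """Classify each step as 'on time', 'late', 'due', 'overdue' or 'clock not started'.
    `submitted` maps a step name to the time it was sent to the CSIRT (absent if not sent)."""
    d = nis2_deadlines(aware_at, submitted.get("incident_notification"))
    due_by = dict(zip(STEPS, (d.early_warning, d.incident_notification, d.final_report)))
    status = {}
    for step in STEPS:
        due, sent = due_by[step], submitted.get(step)
        if due is None:
            status[step] = "clock not started"   # notification not sent, so no month to count
        elif sent is not None:
            status[step] = "on time" if sent <= due else "late"
        else:
            status[step] = "overdue" if now > due else "due"
    return status


def demo() -> dict:
    """Constructed sample incident: awareness on 31 Jan 2026, 10:00 UTC."""
    aware = utc(2026, 1, 31, 10, 0)
    sent = {
        "early_warning": utc(2026, 2, 1, 9, 0),           # 23 h after awareness: on time
        "incident_notification": utc(2026, 2, 3, 12, 0),  # 74 h after awareness: late
    }
    return reporting_status(aware, sent, now=utc(2026, 2, 20))


if __name__ == "__main__":
    for step, state in demo().items():
        print(f"{step:22s} {state}")
```

Run as a script, the sample shows the early warning on time, the incident notification two hours late, and the final report still due (its month ends on 3 March, counted from the late notification). Feeding the same incident with an empty `submitted` dictionary a few days later reports both the 24-hour and 72-hour steps as overdue and the final report as "clock not started", which is the state an auditor would expect you to be able to reconstruct from your ticketing records.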
4. Supply chain security
- An inventory of critical suppliers and service providers exists
- Cybersecurity requirements are included in contracts with suppliers
- Suppliers are assessed for their cybersecurity posture (due diligence)
- Risks from third-party dependencies are identified and mitigated
- A process exists for monitoring and reviewing supplier security over time
- Incident notification clauses are included in supplier agreements
- Critical suppliers’ access to your systems is monitored and controlled
5. Security awareness training
- All employees receive regular security awareness training
- Management and board members receive dedicated cyber security training
- Training is ongoing, not just a one-time event (monthly or weekly recommended)
- Training content covers phishing, social engineering, password security, data handling, and incident reporting
- Training covers sector-specific threats relevant to your industry
- New employees receive awareness training during onboarding
- Contractors and third-party personnel with access receive appropriate training
- Phishing simulations are conducted regularly to test employee readiness
- Training completion rates and assessment scores are tracked
- Training content is updated based on the latest threat intelligence
- Evidence of training completion is stored for compliance audits
6. Registration and notification
- Your organization has determined whether it qualifies as an essential or important entity
- Registration with the designated supervisory authority is completed (or planned for when the law enters into force)
- Contact details for incident reporting (CSIRT/supervisory authority) are up to date
- Notification procedures are documented and assigned to specific roles
- Your organization’s NIS2 scope documentation is maintained (which systems, services, and processes are covered)
7. Information security policies and documentation
- Information security policy is documented and approved by management
- Acceptable use policy is in place and communicated to all employees
- Access control policy defines who has access to what systems and data
- Data classification and handling procedures are documented
- Password policy meets current best practices (minimum length, screening against known-breached passwords, MFA, no reuse; mandatory composition rules and forced periodic rotation are no longer recommended by NIST SP 800-63B)
- Remote work and BYOD policies are in place
- Physical security measures are documented for facilities housing critical systems
- Cryptographic controls and encryption policies are documented
- All policies are reviewed and updated at least annually
8. Monitoring, auditing, and continuous improvement
- Security monitoring is in place (log management, SIEM, alerting)
- Regular security audits or assessments are conducted (internal or external)
- Penetration testing is performed at least annually
- KPIs for cybersecurity are defined and reported to management
- Findings from audits and incidents lead to documented corrective actions
- The cybersecurity program is reviewed and improved annually
- Threat intelligence is monitored and incorporated into security measures
- Compliance with NIS2 requirements is reviewed before each audit cycle
The one NIS2 requirement you can tick off this week
Awareness training is where most plans stall. Guardey turns it into short, gamified challenges, with the reporting built in. Try it free for 14 days, no payment details needed.
NIS2 certification
A common question: is there an official NIS2 certification? The short answer is no, not yet.
Unlike ISO 27001, which has a well-established certification process, NIS2 is a legal requirement enforced through national supervisory authorities. There is no single “NIS2 certified” badge you can obtain.
However, there are important developments.
Certification-based compliance (proposed in 2026)
The European Commission’s January 2026 cybersecurity package proposes certification-based compliance pathways. This means organizations holding certain recognized certifications may be able to demonstrate NIS2 compliance, or at least partial compliance, through these certifications.
ISO 27001 as a foundation
ISO 27001 is widely recognized as the closest existing standard to NIS2 requirements. Organizations with ISO 27001 certification will find that many NIS2 requirements are already covered. However, NIS2 has additional requirements that go beyond ISO 27001, including:
- Specific incident reporting timelines (24h, 72h, 1 month)
- Management liability and mandatory board-level training
- Supply chain security assessments
- Sector-specific requirements
NIS2 quality marks and readiness assessments
Several third-party organizations offer NIS2 readiness assessments, maturity scans, or quality marks. While these are not official certifications, they can help organizations benchmark their compliance and demonstrate their commitment to stakeholders.
NIS2 and security awareness training
Security awareness training is one of the most explicit requirements in the NIS2 directive. Article 20(2) requires members of management bodies to follow cybersecurity training and to encourage their organizations to offer similar training to employees on a regular basis, and Article 21(2)(g) lists cybersecurity training, alongside basic cyber hygiene practices, among the risk-management measures every entity must implement.
Why NIS2 emphasizes awareness training
The numbers make it clear. According to the ENISA Threat Landscape 2025 report:
- Phishing accounts for 60% of all intrusion access points
- Over 80% of social engineering attacks now leverage AI-generated content
- 53.7% of cyber incidents targeted organizations classified as essential entities under NIS2
- Public administration alone accounted for 38.2% of targeted attacks
The human factor remains the number one vulnerability. Without trained employees who can recognize and report threats, even the most sophisticated technical defenses can be bypassed.
What NIS2 expects from your awareness training program
- Regular training, not once a year. Ongoing, regular training is expected.
- Management participation. Board members and C-suite must participate.
- Relevance. Training must cover current and emerging threats, including AI-powered attacks.
- Evidence. You must be able to demonstrate that training is taking place and is effective.
- Coverage. All employees with access to systems and data, including contractors.
How Guardey helps you meet NIS2 awareness requirements
With Guardey, your employees take on weekly cyber security challenges that take no more than three minutes to complete. Topics include phishing recognition, password security, data handling, social engineering, and more, all aligned with NIS2 requirements.
The gamified approach ensures high engagement and completion rates. And through Guardey’s reporting dashboard, you can demonstrate compliance to auditors with evidence of:
- Training completion rates per employee and department
- Assessment scores and knowledge trends
- Phishing simulation results and improvement over time
- Topic coverage aligned with NIS2 requirements
Common mistakes in NIS2 compliance
Many organizations underestimate the effort required for NIS2 compliance. Here are the pitfalls we see most often.
1. Waiting for the law to pass before taking action
The NIS2 directive has been in force since January 2023. Even though the Dutch Cyberbeveiligingswet is still in the legislative process, the requirements are clear. Organizations that wait until the law is officially enacted will find themselves scrambling to comply. Start now.
2. Treating NIS2 as an IT-only problem
NIS2 explicitly requires management accountability. This is not something you can delegate entirely to your IT department. Board members must be trained, must approve cybersecurity measures, and can be held personally liable.
3. Ignoring supply chain requirements
Many organizations focus on their own security but overlook their suppliers. NIS2 requires you to assess and manage the cybersecurity risks in your entire supply chain.
4. Annual awareness training only
A single yearly training session does not meet the “regular” training requirement. Auditors expect to see ongoing engagement: monthly micro-learnings, regular phishing simulations, and continuous measurement.
5. Not knowing whether NIS2 applies to you
Surprisingly, many organizations haven’t even assessed whether they fall under NIS2’s scope. Don’t assume you’re excluded. Check the sector and size criteria carefully.
6. No incident response testing
Having an incident response plan on paper is not enough. NIS2 expects you to test it. Conduct tabletop exercises, simulate incidents, and ensure your team can meet the 24-hour early warning deadline.
7. Missing the registration requirement
Under the Cyberbeveiligingswet, organizations must register with their designated supervisory authority. This is easy to overlook but mandatory.
NIS2 vs ISO 27001 vs DORA: how do they compare?
Many organizations need to comply with multiple frameworks. Here’s how NIS2 compares to ISO 27001 and DORA (Digital Operational Resilience Act).
| Requirement | NIS2 | ISO 27001 | DORA |
|---|---|---|---|
| Type | EU Directive (legal requirement) | International standard (voluntary) | EU Regulation (legal requirement) |
| Scope | 18 sectors, essential and important entities | Any organization (by choice) | Financial sector only |
| Awareness training mandatory? | Yes (Article 20) | Yes (Clause 7.3, A.6.3) | Yes (Article 13) |
| Management training required? | Yes (mandatory, board-level) | Not explicit (5.1 leadership commitment, 7.2 competence) | Yes (Article 5(4), board-level) |
| Incident reporting timeline | 24h / 72h / 1 month | Not specified (define your own) | 4h / 72h / 1 month (major ICT-related incidents) |
| Supply chain security | Mandatory | A.5.19-A.5.22 (supplier controls) | Mandatory (ICT third-party risk) |
| Penalties | Up to €10M or 2% of turnover | Loss of certification | Set by each member state (Article 50); no EU-wide cap |
| Certification available? | Not yet (proposed in 2026) | Yes (accredited certification bodies) | Not yet |
| Personal liability for management? | Yes | No | Yes |
The good news: organizations with ISO 27001 certification have a strong head start on NIS2 compliance. The risk management approach, documentation requirements, and awareness training obligations overlap significantly.
Frequently asked questions about the NIS2 directive
What does NIS2 stand for?
NIS2 stands for the Network and Information Security Directive 2. It is also commonly written as NIS-2 or NIS 2.0. It is the second version of the EU’s cybersecurity directive, replacing the original NIS directive from 2016.
When does NIS2 come into force in the Netherlands?
The Dutch implementation of NIS2, the Cyberbeveiligingswet, is expected to enter into force in Q2 2026. The bill was submitted to the Tweede Kamer on 4 June 2025 and is currently progressing through parliament.
Is security awareness training mandatory under NIS2?
Yes. Article 20(2) of the NIS2 directive requires members of management bodies to follow cybersecurity training and to encourage regular, similar training for employees, and Article 21(2)(g) lists cyber hygiene practices and cybersecurity training among the measures every in-scope entity must implement. Awareness training is therefore a legal obligation, not optional.
Does NIS2 apply to SMEs?
It can. Organizations with 50 or more employees or €10 million or more in annual turnover operating in one of the 18 covered sectors are in scope. Some entities are included regardless of size (e.g., DNS providers, TLD registries).
What are the penalties for NIS2 non-compliance?
Essential entities face fines of up to €10 million or 2% of global annual turnover. Important entities face up to €7 million or 1.4% of global turnover. Additionally, management can be held personally liable.
Can I get NIS2 certified?
Not currently. There is no official NIS2 certification. However, the European Commission’s 2026 cybersecurity package proposes certification-based compliance pathways. ISO 27001 certification covers many NIS2 requirements and is recognized by auditors as a strong foundation.
How is NIS2 different from GDPR?
GDPR focuses on protecting personal data. NIS2 focuses on the security of network and information systems more broadly. They are complementary: NIS2 measures help protect the systems that process personal data, supporting GDPR compliance as well.
What is the relationship between NIS2 and the Cyberbeveiligingswet?
The Cyberbeveiligingswet is the Dutch national law that implements the EU NIS2 directive. It translates the directive’s requirements into enforceable Dutch legislation, replacing the previous Wbni (Wet beveiliging netwerk- en informatiesystemen).
Start preparing for NIS2 compliance today
NIS2 is not a future concern. The directive is in force, the requirements are clear, and enforcement is coming. Organizations that start now will be in the strongest position when auditors come knocking.
With Guardey Security Awareness Training, your employees receive 3-minute weekly micro-learnings covering phishing, data handling, incident reporting, and more. All aligned with NIS2 requirements, with full reporting for compliance audits.
Meet the NIS2 training requirement, and prove it
Guardey trains every employee in minutes a week and documents it automatically, so you always have the evidence ready. See it live in a demo.