Compliance

    NIS2 Compliance

    NIS2 is the EU directive that requires essential and important entities across 18 sectors to implement structured cybersecurity measures, report significant incidents within 72 hours, and demonstrate that their security works in practice.

    Navigate the EU's updated cybersecurity directive with confidence. We help you achieve and maintain NIS2 compliance through practical, risk-based security measures.

    NIS2 Directive Overview

    Scope: EU-wide
    18 sectors
    €10M max fine
    Applies to essential and important entities across critical infrastructure sectors

    Key NIS2 Requirements

    Risk Management

    Implement clear and structured measures to identify, assess, and manage cyber risks across your organisation.

    Incident Reporting

    Report significant security incidents to the relevant authorities within the required 24- to 72-hour timeframe.

    Supply Chain Security

    Identify and manage cybersecurity risks introduced by suppliers, service providers, and partners.

    Continuous Monitoring

    Continuously monitor systems and environments to detect threats and suspicious activity in a timely manner.

    Access Control

    Enforce strong authentication and manage user accounts, roles, and access rights properly.

    Documentation

    Maintain clear policies, procedures, and evidence to demonstrate compliance and support audits.

    Management is personally accountable under NIS2

    NIS2 Article 20 is one of the most significant changes from its predecessor. Cybersecurity is no longer delegable to IT alone.

    Management must approve and oversee

    Article 20 of NIS2 (Directive (EU) 2022/2555) requires management bodies to approve cybersecurity risk management measures and actively oversee their implementation. Delegating cybersecurity entirely to IT without board-level involvement no longer satisfies the directive.

    Personal liability for board members

    Management bodies can be held personally liable for non-compliance with NIS2 obligations. National supervisory authorities have the power to temporarily prohibit individuals from exercising management functions in cases of serious violations. This applies to directors and board members directly.

    Security training for management is required

    Article 20 also requires that management body members receive sufficient training in cybersecurity risk management. The intent is that boards make informed decisions about security investments and priorities based on genuine understanding, not just high-level briefings.

    Fines and enforcement: Article 34

    NIS2 Article 34 introduces a two-tier fine structure tied to your entity classification. Both thresholds are significantly higher than those under NIS1.

    Essential entities

    Administrative fines up to €10 million or 2% of global annual turnover, whichever is higher. Essential entities are subject to proactive supervision including regular audits, security assessments, and on-site inspections. Non-compliance can trigger enforcement before an incident occurs.

    Important entities

    Administrative fines up to €7 million or 1.4% of global annual turnover, whichever is higher. Important entities are subject to reactive supervision: oversight is triggered after a complaint or evidence of non-compliance rather than proactively.

    Incident reporting: three deadlines, not one

    NIS2 Article 23 introduces a structured three-stage notification process. Each stage has a different purpose and a different audience.

    Within 24 hours: early warning

    As soon as you become aware of a significant incident, send an early warning to your national CSIRT or competent authority. You confirm the incident occurred, note whether a cyberattack is suspected, and flag any cross-border impact. The purpose is to allow authorities to assist or take protective action.

    Within 72 hours: incident notification

    Within 72 hours of becoming aware, submit a more complete incident notification. This includes an initial assessment of severity, affected systems or services, and an estimate of the number of affected users. If your first notification already contained this detail, you update it.

    Within 1 month: final report

    Within one month of the incident notification, a full report is required. This must include a description of the incident, its root cause, the measures taken and planned, and an assessment of any cross-border impact. This report determines regulatory follow-up.

    How We Help

    NIS2 gap analysis and readiness assessment
    Security policy development and documentation
    Technical controls implementation
    Incident response planning
    Supply chain risk assessment
    Management reporting and board presentations
    Complete NIS2 compliance program
    4-12 weeks to readiness
    100% audit support

    Start your NIS2 compliance journey

    Get a gap analysis and roadmap to compliance.