Q&A: NIS2 in plain language. All your questions answered

Roos Dijkxhoorn

1. What exactly is the purpose of NIS 2?

The main purpose is to raise the level of digital security throughout Europe. NIS2 is an EU directive that each member state transposes into its own national law. Because companies are increasingly interconnected, a hack at one company can have major consequences for others. The law ensures that we all meet the same minimum security requirements, so that our society (think of electricity, water and food) does not simply grind to a halt.

2. Is the law only intended for large companies?

No, certainly not. The law mainly looks at how important your sector is to society, and then at the size of your organisation. Medium-sized and large companies in sectors such as healthcare, energy, transport and food are covered by it. Smaller companies can also be covered directly in specific cases (for example, if they are the sole provider of a service that society cannot do without), and many are affected indirectly: companies that are covered must look at the security of their suppliers, so a smaller company that is an indispensable link in a larger company's chain will be asked to demonstrate its own security.

3. What is my responsibility as a director or manager?

Under this law, cybersecurity is no longer just an “IT issue”. As a director, you are responsible for the digital resilience of your organisation. You must approve the cybersecurity risk management measures, oversee their implementation and be aware of the biggest risks. The law also states that directors must undergo training so that they can recognise and assess these risks, and directors can be held personally accountable if the organisation fails to meet its obligations.

4. What should I do if a digital incident occurs?

You have a duty to report it. If there is a significant incident, you must send an initial report (an early warning) within 24 hours via the NCSC (National Cyber Security Centre) portal, followed by a fuller incident notification within 72 hours and a final report within one month. The NCSC ensures that the report is forwarded to the CSIRT (Computer Security Incident Response Team) and the supervisory authority designated for your organisation. This is important because the government can then help you and warn other companies of the same danger in good time.

5. We already have ISO 27001 certification. Does that mean we're all set?

Not quite, but you do have a huge head start! With such certification, you often already comply with a large part of your duty of care. However, the new law also requires you to report incidents to the government within fixed deadlines and to take an even closer look at the security of your suppliers, which goes beyond what the certification itself checks.

6. Where can I start today?

The first step is to find out whether your company is officially covered by the law. You can do this using the tools on digitaleoverheid.nl. If you are covered by the law, you must register via the NCSC portal. After that, it is wise to carry out a risk analysis: where are our weak spots and which partners do we rely on most?

Do you require assistance with this? Please view our NIS2 services.

Security questions?

We have answers.

Whether you're wondering about compliance requirements, investigating suspicious activity, or just want to know if you're doing enough, we're here to help. No sales pitch, just straight answers from security professionals who've been there.