Compliance with the European NIS2 directive becomes mandatory this year, but is management aware of this?

'When the premises go on the deadbolt, the digital gate is often left wide open.' - Johan Traa, partner Finance & Technology.

Adobe Stock 203552766

According to the Dutch security services, our country is under serious threat from cyber criminals from countries such as China, Russia and Iran. The European directive NIS2, designed to create a barrier against this, is slowly seeping into Dutch boardrooms. Even though compliance with it will soon be mandatory, there is the threat of high fines for damages due to negligence. Recent research shows that many boards still need to begin preparations. They are waiting for the government to send a warning letter. But there won't be one. It is the responsibility of the companies concerned. They must ensure that the physical office premises are locked and locked. People don't seem to see the danger until things have already gone wrong, and they hear the newscaster tell them, with redness on their cheeks, that thanks to their negligence, business continuity, customer privacy or even the country has been put at risk.

Management would do well to put cybersecurity high on the boardroom agenda. Usually, formal responsibility for this lies with the C(R)FO and the CISO. However, if something goes wrong, the impact can be so significant that it affects the entire organization. In the event of an incident, all departments must be able to take measures quickly to ensure business continuity, so all hands must be on deck.

What is NIS2?

As of December 2022, there is a stringent European cybersecurity directive: Network and Information Security 2 (NIS2). This directive focuses on risks that threaten networks and information systems and can disrupt the economy and society. NIS2 must be incorporated into national legislation by the end of 2024. It is known that from China and Russia, among others, covert attempts are being made to map our critical infrastructure. A brief inventory of the threats tells us that Europe, particularly the Netherlands, is highly vulnerable as a digital hub. For this reason, the critical sectors covered by NIS2 have been expanded considerably. These include organizations involved in energy, transportation, banking, infrastructure, financial markets, healthcare, drinking water, digital infrastructures, wastewater, government services, space and management of ICT services.

Increasing threats from abroad

According to the Dutch security services AIVD, MIVD, and NCTV, the threat from countries such as Russia and China is increasing at lightning speed. The Netherlands is an attractive target because of its underground energy pipelines, advanced digital infrastructure, and high-quality company knowledge. The threat mainly targets companies where high-quality technology can be found.
Security services warn of increasing threats to the Netherlands' economic security, especially to vulnerable vital processes. Interference from other countries, especially Russia, threatens social and political stability. The war in Ukraine is seen as a tipping point in the relationship between Russia and the Netherlands, with the Russian military intelligence agency GRU hacking routers in the Netherlands.
There is a significant and immediate threat from countries with cyber-attack programmes, including China, Russia, Iran, and North Korea. Cyber attacks have the potential to result in the theft of valuable information, disruption of critical infrastructure, and severe economic damage. The persistent use of zero days and supply-chain attacks is a continuing concern, and the threat of cyber attacks is rated as high, demanding our immediate attention.

Disrupting society

Three types of cybersecurity risks are data theft, ransomware attacks, and hacks that disrupt society. NIS2 was created primarily to mitigate risks from the latter category. NIS2 prescribes three obligations:

  • Conducting a risk assessment and, based on this, taking appropriate protective measures (duty of care).
  • Incidents must be reported to the supervisor within 24 hours (duty to report).
  • Duty to be monitored by the regulator for compliance with previous requirements (supervision).

Who for?

Companies are supposed to investigate for themselves whether the directive applies to them. This is based on whether the company operates in the crucial sectors covered by NIS2 and the relative size of the company. The government is not involved in designating the companies concerned. A danger lurks here: often, management expects the government to send a notification (and, in case of non-compliance, a first and a second warning). So that is emphatically not the case here, although the government has facilitated a self-assessment: NIS2 Self-assessment NL.

Hefty fines

Hefty fines can be handed out in case of negligence. If an "essential entity" is involved, a fine of up to 10 million euros or two per cent of total global turnover applies. If classified as a "significant entity," a fine of up to seven million euros or 1.4 per cent of total global turnover applies. In addition, there is personal, and in exceptional cases even criminal, liability for board members if they are found to have breached their obligations under the directive.

The physical door is locked, but then why is the digital gate open?

In an ideal world, the NIS2 directive should not be needed. Not just because there would be no (cyber) crime but also because management would take digital security more seriously. Why spend large sums of money to guard the physical premises when anyone with a bit of understanding of hacking can walk into the digital gate without any problems? Cybersecurity should not be a matter of rules and laws but of awareness and proactive action. After all, it is about protecting the integrity of the business and the trust of customers. If it doesn't kill it already, it can take years for a company to get over a severe cyber-attack, not to mention the horror scenario where the management has to call its customers to inform them that their data has been stolen.


The following measures should be placed directly on the boardroom agenda:

  • Board and management awareness of cybersecurity and the impact of NIS2 on their business;
  • Risk analysis and drafting of protective measures;
  • Drafting a business continuity plan and crisis management protocols;
  • Identifying alternative supply chains and scenario planning.

The matter involves many concerns, all of which need to be addressed by different specialists. Therefore, it is advisable not to tackle it independently. To keep the necessary steps comprehensible in the boardroom and maintain control, it is best to engage a management consultancy firm. They speak the board's language and can help understand and mitigate the risks. This agency can take a director's role in this and direct specialists who master the various elements of cybersecurity.

Crisis exercise

Regular crisis drills can ensure that everyone knows how to act in case of an emergency. Acting quickly is essential to prevent worse. It also helps to identify any gaps in the script.

Although management has ultimate responsibility, it is very important that everyone in the organisation is aware of the risks of cyber attacks. Good compliance with security protocols has a tangible impact on the entire business. You can have made your systems watertight, but cybercriminals often try to get in by exploiting human weaknesses and inattention—'social engineering,' it is called. This must be stressed more often.

Everyone in the organisation must see digital security measures not just as a legal obligation but as a necessary means to ensure business continuity and reputation in an increasingly digital world.