NIS2 Directive: What does it mean for your organization?

December 21, 2023

What will the NIS2 directive mean for your organisation?

The Network and Information Security Directive (NIS2 directive) was adopted by the European Union at the end of 2022. It aims to strengthen the digital and economic resilience of European member states and focuses on digital (cyber) risks to network and information systems, such as the internet and payments. The law is expected to come into force at the end of 2024, and organisations covered by the NIS2 directive will have to comply with the duty of care and duty of notification from then on. It is therefore essential that organisations prepare in time. This blog explains when and why your organisation will fall under this law and offers a roadmap to comply with the new requirements.

Does your organisation fall under the NIS2 regulations?

The number of sectors has expanded under the new directive compared to the first NIS directive. Below is an overview:

Energy, Digital providers, Transport, Postal and courier services, Financial market infrastructure, Waste management, Healthcare, Food, Drinking water, Chemicals, Digital infrastructure, Research, Wastewater, Manufacturing, Government services, Aerospace, Managers of ICT Services, Banking.

If your organisation operates in any of the above sectors and can be characterised as an 'essential' or 'significant' entity, then your organisation will automatically fall under the new NIS2 regulations. Organisations designated as a critical entity under the CER directive are automatically an essential entity under the NIS2 directive.

Essential entities

Large organisations operating in a sector listed in Annex I of the NIS2 Directive (see table). An organisation is large based on the following criteria: a minimum of 250 employees or an annual turnover of more than €50 million and a balance sheet total of more than €43 million.

Significant entities

Medium-sized organisations operating in an Annex I sector and medium and large organisations operating in an Annex II sector.

An organisation is medium-sized based on the following criteria: a minimum of 50 employees or an annual turnover and balance sheet total of more than 10 million euros. Alternatively, use the self-assessment prepared by the central government: NIS2 Self-assessment NL.

Why start preparing now?

The complexity of the NIS2 regulations requires thorough preparation. Early compliance not only safeguards your organisation's security, but also prevents potential sanctions and strengthens customer and stakeholder confidence in your digital security.

NIS2 regulations, what steps should I take?

To properly prepare your organisation, you can consider at least the following steps:

Conduct a risk analysis of the digital threats that could disrupt your organisation's services.

• Which digital risks are relevant to your organisation because they could disrupt the continuity of services?

• What are the organisation's crown jewels or interests to be protected?

• What measures has your organisation (already) taken to protect these interests against the risks?

Where possible, take measures that (better) protect your organisation against these risks.

• Establish business continuity plans and crisis management protocols.

• Identify alternative suppliers.

• Raise awareness among staff.

Have procedures in place that enable your organisation to detect, monitor, resolve and report incidents that (may) disrupt business processes.

Organisations soon to be covered by the legislation are required to report incidents to the sectoral CSIRT and the regulator. A central reporting facility will be set up for this purpose. Factors that make an incident notifiable include, for example, the duration of an incident or the number of people affected by the incident. The requirements of this duty to report can be anchored in an incident response plan, for example. DeepBlue has extensive experience in setting up such processes and protocols, and our experience can be of great value here. Check our website for more information.

The NIS2 regulations represent an important new standard in cybersecurity legislation. By taking action now, your organisation can make a smooth and effective transition to these new standards, putting you at the forefront of digital security. Don't be surprised by NIS2; start preparing today.

For advice or more information, we invite you to contact us at:

Contact: +31 (0)70-800 2025

Or read more at: DeepBlue Security & Intelligence