The NIS2 directive is coming. It will be implemented in the Netherlands in the form of the Cyber Security Act. It focuses on risks that threaten network and information systems, such as cyber security risks. This is European legislation aimed at increasing the general level of resilience of all companies in the EU. What exactly can companies expect and what preparations can be made in advance to avoid surprises? We asked Patrick Spelt, Head of Cybersecurity Supervision at the Ministry of Infrastructure and the Environment and Transport Inspectorate (ILT).
Spelt has been working for nearly two years on implementing and monitoring legislation around cybersecurity. "The deadline expires this fall, but the Netherlands is not going to meet it because of the complexity of implementation. It is so complicated because multiple ministries and parties are involved."
"The law is expected to take effect during the third quarter of 2025. However, it is very important for companies to get started right away! After all, the risks organizations face are already there. And in countries such as Belgium, the law has already taken effect, so the transportation sector that works across borders already has to deal with it. Moreover, many companies are encountering these rules for the first time, as current legislation only affects providers of essential services. Consider also that if your company does not have to comply with the regulations, you may be working with organizations that do and therefore have to start imposing requirements on their supply chain partners."
Spelt recommends starting with the NIS2 Self Assessment. This online questionnaire answers the question of whether your organization falls under the NIS2 Directive and whether it is classified as 'essential' or 'important'. If it does, you can use the online Quickscan NIS2. This provides an overview of the current status of your cyber security measured against the scope of the European NIS2 Directive.
If a company does fall under the law, there are three obligations: the duty to register, the duty to report and the duty of care. "The duty to register means you have to make yourself known to the government, in this case to the National Cyber Security Center. That is not possible at this time, because the portal is still under development. Once you are registered, you are entitled to incident support and your data will be forwarded to the regulator. The duty to report means that you must report as soon as a cybersecurity incident occurs within your organization. On the one hand so that you can get support, on the other hand by doing so you automatically make a report to the regulator."
If your organization falls into the 'essential' category, you will be proactively visited by the ILT. In the 'important' category, supervision takes place after the fact, i.e., only after a cybersecurity incident has occurred. "Suppose we visit you for an inspection and find that sufficient measures have been taken, but a cybercriminal was still able to get through your security; then we will investigate how this could happen. That way we can improve the quality, both of the companies and of the inspection."
Of course, the archetypal Dutch question cannot fail to arise: what will it all cost the companies? Spelt replies, "I'll ask a counter question: what will it cost if your company goes under? I always advise people to talk to Henny de Haas, for example, read his book or listen to his podcasts. He owns Hoppenbrouwers, one of the largest installation companies. His company survived a global ransomware attack in part because he happened to have purchased an extremely expensive backup system just before that time. That money paid back threefold because he was back up and running within two days thanks in part to his backup. So in terms of investment, these are the considerations companies have to make. I'm sure all warehouses have a thick lock on the door. You would expect the same on digital doors. If you don't, then it's a bit like securing all your doors at home but leaving the back door wide open and that's asking for trouble."
To deal with this issue efficiently, it is good to know that there are all kinds of initiatives, including cyber resilience networks. If you join such partnerships, you can get help and advice, as well as act together. Industry associations such as TLN also offer the necessary support.
"You don't have to be afraid of the regulator, and we're really not going to hand out fines right away. We have an intervention strategy and use fines particularly for companies that really don't want to comply with the rules. Suppose during an inspection things turn out not to be in order, you first get the time to solve them. Above all, we benefit from companies understanding what is required and getting on with it. After all, that really contributes to resilience."
Incidentally, one may also have to deal with other inspection services, such as the National Digital Infrastructure Inspectorate. "Inspection services work together in this, so one does not have to deal with two inspections working alongside each other."
Spelt ends with a final tip on fulfilling the duty of care: "Our inspection frameworks are based on industry frameworks. So my tip is: get started with ISO 27001 and 27002, the NEN or the NIST Cybersecurity Framework. That's never a waste of money, because we are going to use the same frameworks, after all."