#nis2

# NIS 2 Explained for FortMesa webinar June 2025: "The State of EU Cyber Compliance: NIS2 Explained"

## Goal of NIS2

The ultimate goal behind NIS-2 is to significantly raise the baseline level of cybersecurity and resilience across the European Union, especially for critical infrastructure and essential services[^9_1][^9_5][^9_6].

NIS-2 aims to:

- Establish a unified, high standard of cybersecurity for network and information systems in key sectors across all EU member states[^9_1][^9_2][^9_6].
- Ensure organizations implement robust risk management, incident response, and business continuity measures to prevent, detect, and minimize the impact of cyber incidents[^9_5][^9_6].
- Promote consistency by harmonizing security requirements, reporting obligations, and enforcement across the EU, addressing previous fragmentation and gaps[^9_1][^9_4][^9_6].
- Strengthen cooperation and information sharing among member states for a coordinated response to cross-border cyber threats[^9_1][^9_5][^9_6].

In essence, NIS-2 is designed to protect the EU’s economy and society by making its digital infrastructure more secure, resilient, and better prepared for evolving cyber threats[^9_1][^9_5][^9_6].

GDPR is about protecting citizens against the misuse of personal data and is therefore, in information security terms, mainly about confidentiality of data. Protecting privacy was the goal; information security management was almost a side show. NIS 2 is all about the resilience of critical infrastructure under threat of cybercrime (including by state actors), and has a broader information security focus: the complete information security package.

## History and Current Status

**Origins and NIS1 Directive (2016):**

- The original Network and Information Security Directive (NIS1), adopted in 2016 (Directive 2016/1148), was the EU’s first comprehensive cybersecurity law, aiming to establish a high common level of cybersecurity across Member States[^15_3][^15_8][^15_10].
- NIS1 targeted critical sectors like energy, transport, healthcare, finance, water, and digital infrastructure, requiring essential service providers and digital service providers to take security measures and report incidents[^15_1][^15_8].
- Despite these advances, NIS1 faced challenges: its scope was too narrow, enforcement and implementation were inconsistent across Member States, and definitions were sometimes unclear, leading to fragmentation and gaps in protection[^15_3][^15_6][^15_10].

**Growing Need for Reform:**

- As digitalization accelerated and cyber threats became more frequent and sophisticated, it became clear by 2020 that the EU needed a stronger, more harmonized approach to cybersecurity[^15_3][^15_6][^15_8].
- The European Commission launched a review and consultation on NIS reform in July 2020, leading to a proposal for an updated directive—NIS2—in December 2020[^15_5][^15_9].

**Development and Adoption of NIS2:**

- The legislative process included negotiations between the European Parliament, Council, and Commission throughout 2021 and early 2022[^15_3][^15_9].
- A provisional agreement on NIS2 was reached in May 2022, with formal adoption by the Parliament and Council in November 2022[^15_3][^15_9].
- NIS2 was published in the Official Journal on December 27, 2022, and entered into force on January 16, 2023[^15_5][^15_8][^15_9].

**Transition and Implementation Timeline for NIS2:**

- Member States were given 21 months, until October 17, 2024, to transpose NIS2 into national law[^15_3][^15_5][^15_8].
- NIS2 expands the scope to more sectors, introduces stricter supervisory and enforcement measures, harmonizes sanctions, and places greater emphasis on supply chain security and top management responsibility[^15_1][^15_2][^15_6].

**Summary Table: NIS1 vs. NIS2**

| Aspect | NIS1 (2016) | NIS2 (2023) |
| :----------- | :--------------------------------- | :---------------------------------- |
| Scope | Limited sectors, fewer entities | Expanded sectors and more entities |
| Enforcement | Inconsistent across Member States | Stronger, harmonized supervision |
| Management | Limited focus on top management | Clear top management responsibility |
| Reporting | Less stringent, varied obligations | Stricter, harmonized reporting |
| Supply Chain | Not specifically addressed | Explicitly included |

NIS2 aims to address all the shortcomings of its predecessor by broadening coverage, clarifying obligations, and enforcing higher cybersecurity standards EU-wide[^15_1][^15_3][^15_6].

#### Why Was the NIS 1 Scope Considered Too Narrow?

- **Limited Sectors:** NIS 1 only applied to seven key sectors considered vital to the economy and society, such as energy, transport, banking, financial market infrastructures, drinking water, healthcare, and digital infrastructure[^16_1][^16_2][^16_5].
- **Member State Discretion:** Each EU Member State had the responsibility to identify which organizations qualified as operators of essential services (OES), resulting in inconsistent application and gaps in coverage across the EU[^16_1][^16_6].
- **Exclusions:** Some critical digital infrastructures and services, such as certain telecommunications and public administration entities, were not covered[^16_4][^16_7].
- **Light Regulation for Digital Service Providers:** Digital service providers (like cloud services and online marketplaces) were subject to lighter, less comprehensive requirements[^16_1][^16_4].

#### How Has the Scope Broadened in NIS 2?

- **More Sectors Covered:** NIS 2 expands the scope to include additional sectors and sub-sectors crucial to the economy and society, such as waste management, postal and courier services, food production, manufacturing of critical products, and more digital services[^16_1][^16_2][^16_5][^16_6].
- **Size-Cap Rule:** All medium-sized and large entities in the covered sectors are automatically in scope, removing the need for Member States to individually designate operators[^16_1][^16_6].
- **Public Administration:** NIS 2 now applies to central government public administration entities, and Member States can extend this to regional and local levels[^16_1].
- **Supply Chain Focus:** Entities essential to the supply chain of critical infrastructures are now included[^16_2].
- **Unified Requirements:** The distinction between “essential service operators” and “digital service providers” is eliminated; all covered entities face similar obligations[^16_5][^16_6].

**In summary:** NIS 1 was considered too narrow because it left critical gaps due to sector limitations, inconsistent national implementation, and exclusions. NIS 2 addresses these gaps by broadening the scope to more sectors, applying clear criteria (like the size-cap), and harmonizing requirements across the EU[^16_1][^16_2][^16_5][^16_6].

### Current state as of May 2025

The NIS-2 directive should have been transposed into national legislation by October 17, 2024. The Netherlands did not meet this deadline[^1_2][^1_4][^1_5][^1_6]. The national law implementing NIS-2, the Cybersecurity Act (Cbw), is now not expected to enter into force until the second or third quarter of 2025[^1_2][^1_4][^1_5][^1_7]. Until then, the current Network and Information Systems Security Act (Wbni) still applies to the organizations concerned[^1_4][^1_5]. Organizations that will fall under the new law do not yet have any legal obligations under NIS-2, but they can voluntarily prepare and register[^1_3][^1_4].

The implementation of the NIS-2 directive is also delayed in other countries, including France and Germany.

**France**

France has not yet fully transposed the NIS-2 directive into national legislation. The bill (“Loi relatif à la résilience des infrastructures critiques”) was submitted to the Senate in October 2024. The law is expected to be adopted in the course of the second half of 2025. France is taking a broad approach to implementation and is adding extra sectors and local authorities to the scope. The national cybersecurity authority ANSSI will play a central role in supervision and enforcement[^2_3][^2_5].

**Germany**

In Germany, the bill for NIS-2 was approved in July 2024, but its parliamentary processing was delayed. Enforcement was expected to start from March 2025. Germany, unlike France, has not brought local authorities under the NIS-2 legislation[^2_3].

In short: both France and Germany have not yet fully transposed the NIS-2 directive and, as of May 2025, are still in the legislative process, each with its own emphasis and delays[^2_2][^2_3][^2_5].

## What kind of organizations are targeted by NIS-2?

NIS-2 targets a wide range of organizations that are critical to the functioning of society and the economy. Specifically, it applies to:

- **Medium-sized and large organizations** (generally with at least 50 employees or €10 million annual turnover) operating in sectors deemed essential or important[^12_2][^12_4][^12_8].
- **Essential sectors** include energy, transport, banking, financial market infrastructure, healthcare, drinking water, digital infrastructure, ICT services management, wastewater, public administration, and space activities[^12_2][^12_8].
- **Important sectors** include digital providers, postal and courier services, waste management, chemicals, food production and distribution, research, and various types of manufacturing[^12_3][^12_8].
- The directive also allows Member States to include smaller organizations if they are considered high-risk or critical for society[^12_5].

In summary, NIS-2 covers both public and private organizations in a broad set of vital and important sectors, focusing on those whose disruption would significantly impact society or the economy[^12_3][^12_7][^12_8].
#### Sectors in Scope under NIS2

NIS2 divides in-scope organizations into two main categories: **Sectors of High Criticality (Essential Sectors)** and **Other Critical Sectors (Important Sectors)**.

**Sectors of High Criticality (Essential Sectors):**

- Energy (including electricity, oil, gas, heating/cooling, hydrogen, EV charging)
- Transport (air, rail, road, water, shipping, ports)
- Banking
- Financial market infrastructure
- Healthcare (providers, labs, pharmaceuticals, medical device manufacturing)
- Drinking water
- Wastewater
- Digital infrastructure (DNS, domain name registries, trust services, data centers, cloud, electronic communications, managed IT/security services)
- ICT service management (business-to-business)
- Public administration (central, regional, and optionally local)
- Space (ground-based infrastructure)[^17_1][^17_2][^17_4][^17_7]

**Other Critical Sectors (Important Sectors):**

- Digital providers (online marketplaces, search engines, social platforms)
- Postal and courier services
- Waste management
- Manufacture, production, and distribution of chemicals
- Production, processing, and distribution of food
- Manufacturing (medical devices, computers, electronics, optics, machinery, vehicles, other transport equipment)
- Research organizations[^17_1][^17_2][^17_3][^17_4][^17_6][^17_7]

Medium-sized and large organizations in these sectors are required to comply with NIS2 cybersecurity requirements.

#### Geographical Location

- **Jurisdiction:** NIS2 applies to essential and important entities established in an EU/EEA Member State, and they fall under the jurisdiction of the country where they are established or, in some cases, where they provide their services[^18_4][^18_5][^18_6].
- **Multiple Member States:** If an organization provides services in more than one Member State, it must comply with NIS2 requirements in each relevant country[^18_6].
- **Entities Outside the EU:** Non-EU organizations offering services within the EU must designate a representative established in an EU Member State where their services are offered[^18_5].
- **Sector-Specific Rules:** For certain sectors (e.g., digital infrastructure, cloud, DNS, electronic communications), jurisdiction may depend on the location of the main establishment or where services are provided[^18_5].

In summary, an organization’s geographical location determines which Member State’s authorities oversee its compliance, and cross-border or non-EU service providers must ensure they meet NIS2 obligations within the EU market.

#### Can an entity outside the EU offering services within the EU be held accountable?

Yes, non-EU entities offering services within the EU can be held accountable under the NIS2 Directive. The directive applies extraterritorially, meaning it extends to organizations outside the EU if they provide **essential or important services** to EU markets. Here’s how geographical location factors into accountability:

**Marketplace Principle**:

- NIS2 applies if services are “offered within the EU,” even if the entity lacks a physical presence there. Factors include:
  - Using EU languages or currencies (e.g., offering services in German or accepting euros).
  - Targeting EU users in marketing materials or service descriptions[^19_7].

**Sector Relevance**:

- Non-EU entities in sectors like digital infrastructure, healthcare, transport, or energy are particularly impacted if their services are critical to EU operations[^19_6].

In summary, NIS2’s extraterritorial scope ensures that non-EU entities serving EU markets must adhere to its cybersecurity standards, with significant legal and financial consequences for non-compliance.

#### Requirements for Non-EU Entities

1. **Designate an EU Representative**: Non-EU organizations must appoint a representative in an EU Member State where their services are offered[^19_1][^19_6].
2. **Supply Chain Compliance**: Third-party suppliers (including non-EU partners) must meet NIS2 security standards if they provide critical inputs to EU entities[^19_1][^19_6].
3. **Incident Reporting**: Significant cybersecurity incidents affecting EU services must be reported to national authorities within strict deadlines (e.g., 24-hour “early warning”)[^19_2][^19_6].

## What is expected of these organizations?

### Expectations for Different NIS-2 Stakeholders

**EU Member States**

- Develop and maintain a national cybersecurity strategy with clear objectives and resources[^10_1][^10_3].
- Designate national authorities, Computer Security Incident Response Teams (CSIRTs), and a single point of contact for cross-border and cross-sector cooperation[^10_3].

**National Authorities & CSIRTs**

- Oversee and enforce compliance among organizations.
- Conduct regular audits, inspections, and request information as part of supervision[^10_3].
- Facilitate incident response and information sharing at national and EU level[^10_3].

**Essential and Important Entities (Organizations)**

- Implement risk management: identify, assess, and mitigate cybersecurity risks across their operations and supply chains[^10_5][^10_7].
- Establish and maintain robust security policies, technical and organizational measures, and incident response plans[^10_7].
- Report significant security incidents to authorities within strict timelines[^10_2][^10_7].
- Ensure business continuity and crisis management capabilities[^10_7].
- Senior management is directly responsible and can be held liable for compliance, including ensuring adequate resources, policies, and monitoring[^10_4][^10_6].

**Supply Chain Partners**

- Organizations must assess and manage cybersecurity risks in their supply chains, considering the security practices of suppliers and service providers[^10_5].
**Critical Entities (under CER Directive)**

- Entities identified as critical must comply with both NIS-2 cybersecurity and physical resilience obligations, with authorities cooperating on both aspects[^10_3].

**Summary Table**

| Stakeholder | Key Responsibilities under NIS-2 |
| :----------------------- | :-------------------------------------------------------------------------------- |
| Member States | National strategy, designate authorities/CSIRTs, ensure cross-border cooperation |
| National Authorities | Supervision, enforcement, audits, incident coordination |
| Essential/Important Orgs | Risk management, security measures, incident reporting, management accountability |
| Supply Chain Partners | Support supply chain risk management and security |
| Critical Entities | Comply with both cyber and physical resilience requirements |

The directive thus requires coordinated action at national, sectoral, and organizational levels to achieve a high and consistent level of cybersecurity across the EU.

### What is expected/required of the board and management?

For organizations in scope of NIS-2, the board and management have explicit and far-reaching responsibilities:

- **Active Oversight and Approval**: The board must oversee, approve, and regularly review the organization’s cybersecurity risk management measures and policies[^13_1][^13_4][^13_8].
- **Training and Awareness**: Board members and executives are required to follow cybersecurity training to ensure they understand risks and can make informed decisions. They must also ensure regular training for employees[^13_1][^13_4][^13_5][^13_8].
- **Accountability and Liability**: Management is directly accountable for compliance. Serious failures can result in personal liability, administrative fines, and even temporary bans from management roles[^13_1][^13_4][^13_5][^13_7][^13_8].
- **Risk Management**: The board must ensure comprehensive risk assessments, mitigation strategies, and continuous improvement of cybersecurity controls, including supply chain security and incident response[^13_1][^13_3][^13_7][^13_8].
- **Incident Reporting**: Management must ensure processes are in place for prompt reporting of significant incidents, typically within 24 hours for initial notification[^13_1][^13_3][^13_7].
- **Business Continuity**: The board is responsible for ensuring robust business continuity and crisis management plans, including system recovery and emergency procedures[^13_1][^13_7][^13_8].

In summary, NIS-2 makes cybersecurity a core element of corporate governance, requiring boards and management to be knowledgeable, proactive, and fully accountable for digital risk management and compliance.

### What is required of the organization with regard to vendor management?

Organizations in scope of NIS-2 are required to take extensive measures for vendor (third-party) management:

- **Risk Assessment:** Conduct thorough and ongoing risk assessments of all vendors and suppliers, evaluating their cybersecurity posture, incident history, and the criticality of their services[^14_1][^14_2][^14_3][^14_5].
- **Supply Chain Security Policies:** Develop and enforce comprehensive policies for third-party risk management, including clear security requirements, access controls, encryption, and multi-factor authentication throughout the supply chain[^14_2][^14_3][^14_7].
- **Contractual Obligations:** Include enforceable cybersecurity clauses in contracts with vendors—covering compliance, incident reporting, audit rights, and termination for non-compliance[^14_3][^14_4].
- **Continuous Monitoring:** Regularly monitor and audit third-party security practices, update risk assessments, and ensure ongoing compliance with NIS-2 standards[^14_1][^14_2][^14_3].
- **Incident Reporting:** Ensure vendors promptly report cybersecurity incidents and coordinate on incident response and resolution[^14_1][^14_3].
- **Documentation:** Maintain detailed records of vendor assessments, contracts, and compliance audits for regulatory review[^14_1][^14_3].

In summary, NIS-2 requires organizations to proactively manage, monitor, and document third-party risks, making supply chain security an integral part of their cybersecurity strategy.

### Local differences

The main differences in emphasis between France and Germany in the implementation of the NIS-2 directive are:

- In France, local authorities explicitly fall under the NIS-2 legislation, whereas this is not the case in Germany[^3_1][^3_3].
- Some countries, including France, are adding extra sectors that fall under the law; Germany is limiting itself more to the strictly necessary sectors[^3_1].
- Germany emphasizes comprehensive risk management, reporting obligations, and registration requirements for "particularly important facilities" and federal administrative bodies[^3_4].
- In Germany, micro-enterprises are largely excluded, while in France, the scope is actually being expanded by including local authorities and additional sectors[^3_1][^3_4].

These differences create a fragmented regulatory landscape within the EU, making it more complex for international organizations to comply with all rules[^3_1].

#### Similarities in Measures

- In both France and Germany, companies under NIS-2 must take appropriate technical and organizational measures to manage cyber risks and prevent incidents[^4_1][^4_5][^4_6].
- Both countries mandate risk management, regular evaluation of security measures, and a reporting obligation for serious security incidents[^4_5][^4_6].
- Supplier and supply chain management is an important component in both countries: companies must also pay attention to the security of their direct suppliers and service providers[^4_6].
- The basic principles are risk-based: the greater the risk, the more stringent the measures must be[^4_6].

#### Differences

- **Scope**: France explicitly includes local authorities and additional sectors in the law, while Germany primarily focuses on critical infrastructures and federal agencies[^4_5].
- **Registration**: In Germany, there is a registration obligation with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI) for “particularly important” organizations[^4_5]. In France, the national cybersecurity authority ANSSI has more control.
- **Exemptions**: Micro-enterprises are largely exempt in Germany; France applies a broader scope[^4_5].
- **Enforcement**: Germany is known for strict compliance and enforcement through contractual obligations; in France, the approach is more centrally regulated[^4_6].

In short: the core measures are similar, but the scope, exemptions, and enforcement differ per country, leading to different obligations for companies depending on their country of establishment[^4_5][^4_6].

## International standards and certification

#### Some companies offer NIS-2 certification, or claim to offer NIS-2 certified training. Is there a legal basis for this?

Currently, there is no legal basis for an official “NIS-2 certification” or “NIS-2 certified training.” The NIS-2 Directive and national legislation do require organizations to take appropriate security measures, but there is no government-recognized NIS-2 certificate or official quality mark[^7_6][^7_8]. The European Commission is working on a certification framework, but this is still under development and not currently in force[^7_6]. Companies currently offering NIS-2 certification or training do so based on their own interpretations or existing standards (such as ISO 27001), but these do not have official legal status.

In short: claims about “NIS-2 certification” are currently commercial and not legally recognized.
#### What is already known about that EC certification framework?

Little concrete information is yet known about the official European certification framework for NIS-2. The European Commission is working with ENISA (the EU Agency for Cybersecurity) on the development of such a framework, but this has not yet been finalized and is therefore not yet in force[^8_3].

The NIS-2 Directive itself does not prescribe mandatory certification for companies, but it does give the Commission the possibility to establish technical and methodological requirements for certain sectors and services in the future[^8_5]. This process is still under development.

In summary: there is not yet an official, EU-recognized NIS-2 certification framework; companies therefore cannot yet be certified according to a standard established by the EU. Any commercial “NIS-2 certificates” are currently not legally recognized.

#### NIS-2 Measures and International Standards

In Flanders (Belgium), the measures that companies must take for NIS-2 conformity are based on internationally recognized standards such as the NIST processes and ISO 27001/27002[^5_2][^5_6]. Organizations must take risk management measures and align their cybersecurity with generally accepted security principles. For supervision, explicit reference is made to the CyberFundamentals framework (CyFun®) of the CCB (Centre for Cybersecurity Belgium) or an ISO 27001 certification as a control instrument[^5_2][^5_6]. This aligns with the approach of NIST and ISO, where risk management, incident response, continuity planning, and periodic audits are central[^5_6].

#### Do France and Germany also base their NIS-2 measures on international standards? Which ones?

Yes, both France and Germany base their measures for NIS-2 on international standards, particularly ISO 27001/27002. These standards are seen as a good benchmark for meeting NIS-2 requirements[^6_2][^6_6].

In both countries, companies are expected to align their risk management, security measures, and incident response with these internationally recognized frameworks. In practice, alignment with the NIST Cybersecurity Framework is also often sought, although ISO 27001/27002 is most explicitly mentioned in the context of European legislation[^6_2][^6_6].

In short: ISO 27001/27002 are the most important international references, and the NIST framework is also recognized as a best practice for NIS-2 compliance.

## Enforcement and Penalties

- **Fines**: Up to €10 million or 2% of global annual revenue, whichever is higher[^19_1][^19_6].
- **Management Liability**: Executives face personal liability for non-compliance, including potential bans from managerial roles[^19_2][^19_6].
- **Market Access Risks**: Non-compliance may disrupt partnerships with EU businesses or lead to exclusion from EU markets[^19_1][^19_5].

### What are the general expectations, as of May 2025, about enforcement of the NIS-2?

As of May 2025, enforcement of the NIS-2 Directive across the EU is marked by significant delays and fragmentation. Although the directive required all Member States to adopt and enforce national laws by October 2024, many—including Germany, France, and the Netherlands—have not yet fully transposed NIS-2 into national legislation[^11_2][^11_5][^11_6]. The European Commission has formally warned 19 Member States for failing to meet the deadline and may escalate to legal action if compliance is not achieved soon[^11_2].

In practice, this means that while the NIS-2 provisions are technically in effect at the EU level, actual enforcement depends on national laws and the readiness of designated authorities[^11_5][^11_6]. In countries where national laws are not yet in force, there is a period of legal uncertainty and limited practical enforcement, though organizations are expected to prepare for compliance[^11_5][^11_6][^11_7].
Once national laws are enacted—expected in the second half of 2025 for many countries—enforcement will become much stricter, with clear duties of care, incident reporting, and potential sanctions for non-compliance[^11_4][^11_5].

---

## Research and Footnotes

[Perplexity thread 1](https://www.perplexity.ai/search/fdc03878-e0c8-4528-bf04-b40a5aec593e)

[Perplexity thread 2](https://www.perplexity.ai/search/70b69cfe-ca35-4469-8c55-86fd1fc1d24c)

[^1_1]: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/
[^1_2]: https://www.security.nl/posting/862964/Re:+Nederland+voert+NIS2-richtlijn+naar+verwachting+derde+kwartaal+2025+in
[^1_3]: https://www.zlogin.nl/update/nis2-richtlijn-rol-eherkenning/
[^1_4]: https://www.rijksoverheid.nl/actueel/nieuws/2024/10/23/implementatie-nis2-en-cer-in-nederland-vertraagd-wat-betekent-dat-voor-u
[^1_5]: https://penrose.law/informatiebeveiliging_op_orde_nis2_cyberbeveiligingswet/
[^1_6]: https://www.fox-it.com/nl/nis2-een-nieuwe-europese-richtlijn-voor-netwerk-en-informatiebeveiliging/
[^1_7]: https://tweakers.net/nieuws/222522/nederlandse-nis2-wet-treedt-pas-in-tweede-of-derde-kwartaal-2025-in-werking.html
[^1_8]: https://digital-strategy.ec.europa.eu/nl/policies/nis2-directive-netherlands
[^1_9]: https://www.ncsc.nl/over-ncsc/wettelijke-taak/wat-gaat-de-nis2-richtlijn-betekenen-voor-uw-organisatie/planning-van-de-nis2-richtlijn
[^1_10]: https://www.thetrustedthirdparty.nl/blogs/wetgeving/van-nis2-naar-bio-wat-verandert-er-voor-de-overheid/
[^2_1]: https://digital-strategy.ec.europa.eu/nl/policies/nis2-directive-france
[^2_2]: https://digital-strategy.ec.europa.eu/nl/policies/nis-transposition
[^2_3]: https://www.techzine.nl/experts/privacy-compliance/563162/de-staat-van-nis2-een-versnipperde-aanpak-in-de-eu/
[^2_4]: https://www.ictmagazine.nl/experts/terwijl-de-deadline-nadert-struikelen-eu-landen-over-naleving-van-de-nis2-richtlijn/
[^2_5]: https://www.openkritis.de/eu/eu-nis-2-france.html
[^2_6]: https://www.careerguide.nl/artikel/terwijl-de-deadline-nadert-struikelen-eu-landen-over-naleving-van-de-nis2-richtlijn
[^2_7]: https://tweakers.net/nieuws/227724/belgie-en-kroatie-halen-als-enige-de-nis2-deadline-nederland-loopt-achter.html
[^2_8]: https://www.aon.com/nis2-nl
[^3_1]: https://www.techzine.nl/experts/privacy-compliance/563162/de-staat-van-nis2-een-versnipperde-aanpak-in-de-eu/
[^3_2]: https://www.eye.security/nl/blog/nis2-hoe-wordt-de-richtlijn-omgezet-in-europese-landen
[^3_3]: https://www.ictmagazine.nl/experts/terwijl-de-deadline-nadert-struikelen-eu-landen-over-naleving-van-de-nis2-richtlijn/
[^3_4]: https://www.ferner.nl/cyberbeveiliging-in-duitsland-implementatie-van-de-nis2-richtlijn-in-duitsland/
[^3_5]: https://www.careerguide.nl/artikel/terwijl-de-deadline-nadert-struikelen-eu-landen-over-naleving-van-de-nis2-richtlijn
[^3_6]: https://digital-strategy.ec.europa.eu/nl/policies/nis-transposition
[^3_7]: https://www.declercq.com/app/uploads/2024/02/NIS2-Praktische-handleiding-NL-De-Clercq-Advocaten-Notariaat-gecomprimeerd.pdf
[^3_8]: https://www.capgemini.com/nl-nl/expertise/research/omgaan-met-nis2/
[^4_1]: https://www.eye.security/nl/blog/nis2-hoe-wordt-de-richtlijn-omgezet-in-europese-landen
[^4_2]: https://digital-strategy.ec.europa.eu/nl/policies/nis-transposition
[^4_3]: https://www.internetconsultatie.nl/cyberbeveiligingswet/document/12562
[^4_4]: https://www.cgi.com/nl/nl/blog/cybersecurity/nis2-het-gras-altijd-groener-bij-de-buren
[^4_5]: https://www.ferner.nl/cyberbeveiliging-in-duitsland-implementatie-van-de-nis2-richtlijn-in-duitsland/
[^4_6]: https://samendigitaalveilig.nl/nieuws/bedrijven-lopen-risico-om-buitenlandse-klanten-kwijt-te-raken-door-nis2-regelgeving/
[^4_7]: https://www.ictmagazine.nl/experts/terwijl-de-deadline-nadert-struikelen-eu-landen-over-naleving-van-de-nis2-richtlijn/
[^4_8]: https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2022/oktober/13/index/NCSC_NIS2_D1_Final.pdf
[^5_1]: https://www.vlaio.be/nl/nieuws/op-18-oktober-2024-gaat-de-europese-cybersecurity-nis2-richtlijn-van-kracht
[^5_2]: https://www.vlaanderen.be/digitaal-vlaanderen/onze-diensten-en-platformen/cyber-response-team-lokaal-bestuur/nieuwe-wetgeving-nis2-wat-lokale-besturen-moeten-weten
[^5_3]: http://atwork.safeonweb.be/nl/nis2
[^5_4]: https://brandcompliance.com/docs/cyberfundamentals/
[^5_5]: https://www.vlaio.be/nl/nieuws/nieuwe-europese-cybersecurity-nis2-richtlijn-wat-betekent-dit-voor-jouw-onderneming
[^5_6]: https://www.dmvh.eu/blog/nis2-in-vlaanderen-implementatie-impact-gevolgen-voor-bedrijven
[^5_7]: https://v-ict-or.be/nieuws/2025/05/15/cww-vlaamse-lokale-besturen-maken-zich-klaar-voor-nis2
[^5_8]: http://ccb.belgium.be/nl/de-nis2-richtlijn-wat-betekent-dit-voor-mijn-organisatie
[^6_1]: https://digital-strategy.ec.europa.eu/nl/policies/nis2-directive-france
[^6_2]: https://www.declercq.com/app/uploads/2024/02/NIS2-Praktische-handleiding-NL-De-Clercq-Advocaten-Notariaat-gecomprimeerd.pdf
[^6_3]: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/
[^6_4]: https://www.sidn.nl/nieuws-en-blogs/nis2-en-domeinnamen-nog-veel-onzeker
[^6_5]: https://www.eye.security/nl/blog/nis2-hoe-wordt-de-richtlijn-omgezet-in-europese-landen
[^6_6]: https://www.ninjaone.com/nl/blog/nis2-vs-iso-27001/
[^6_7]: https://www.internetconsultatie.nl/cyberbeveiligingswet/document/12562
[^6_8]: https://www.imfacademy.com/nl/cyber-it-security/certified-nis2-lead-implementer.php
[^7_1]: http://ccb.belgium.be/nl/de-nis2-richtlijn-wat-betekent-dit-voor-mijn-organisatie
[^7_2]: http://atwork.safeonweb.be/nl/nis2
[^7_3]: https://brandcompliance.com/docs/cyberfundamentals/
[^7_4]: https://www.vlaanderen.be/digitaal-vlaanderen/onze-diensten-en-platformen/cyber-response-team-lokaal-bestuur/wat-betekent-de-nis2-wet-voor-lokale-besturen
[^7_5]: http://ccb.belgium.be/nl/recent-news-tips-and-warning/publicatie-van-de-nis2-wet-het-belgisch-staatsblad
[^7_6]: https://itce.be/post/nis2-richtlijn-in-belgie-wat-is-het-en-voor-wie-52-topics
[^7_7]: https://www.ntx.be/blog/cybersecurity/hoe-begin-je-met-nis2-en-welke-stappen-kan-je-nu-al-nemen/
[^7_8]: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/
[^8_1]: https://digital-strategy.ec.europa.eu/nl/policies/nis2-directive-netherlands
[^8_2]: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/
[^8_3]: https://digital-strategy.ec.europa.eu/nl/policies/nis-transposition
[^8_4]: https://www.ncsc.nl/over-ncsc/wettelijke-taak/wat-gaat-de-nis2-richtlijn-betekenen-voor-uw-organisatie/samenvatting-nis2-richtlijn
[^8_5]: https://www.nis-2-directive.com
[^8_6]: https://www.rijksoverheid.nl/actueel/nieuws/2024/10/23/implementatie-nis2-en-cer-in-nederland-vertraagd-wat-betekent-dat-voor-u
[^8_7]: https://eksa.nl/eksa-nis2-gecertificeerd-met-ingang-van-14-januari-2025/
[^8_8]: https://www.nba.nl/nieuws/2025/maart/cyberbeveiligingswet-nieuwe-verplichtingen-voor-bedrijven-onder-nis2-richtlijn/
[^9_1]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[^9_2]: https://www.nis-2-directive.com
[^9_3]: https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/
[^9_4]: https://nis2directive.eu/why-nis2/
[^9_5]: https://www.darktrace.com/cyber-ai-glossary/nis2-directive
[^9_6]: https://www.proofpoint.com/us/threat-reference/nis2-directive
[^9_7]: https://www.nfir.nl/en/nis2-all-about-the-directive-legislation-and-latest-status/
[^9_8]: https://www.nis-2-directive.com/NIS_2_Directive_Article_7.html
[^10_1]: https://www.nis-2-directive.com/NIS_2_Directive_Article_7.html
[^10_2]: https://www.nfir.nl/en/nis2-all-about-the-directive-legislation-and-latest-status/
[^10_3]: https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs
[^10_4]: https://www.nis-2-directive.com
[^10_5]: https://www.ey.com/en_pl/insights/law/nis2-supply-chain-security
[^10_6]: https://www.ccnet.de/en/blog/the-crucial-role-of-management-in-the-implementation-of-the-nis2-directive/
[^10_7]: https://www.veeam.com/blog/nis2-directive-explained.html
[^10_8]: https://assets.kpmg.com/content/dam/kpmg/pl/pdf/2023/10/kpmg-network-and-information-security-directive-nis2.pdf
[^11_1]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[^11_2]: https://digital-strategy.ec.europa.eu/en/policies/nis-transposition
[^11_3]: https://www.nis-2-directive.com
[^11_4]: https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/
[^11_5]: https://blog.grand.io/nis-2-directive-compliance-in-the-age-of-dora/
[^11_6]: https://connectontech.bakermckenzie.com/eu-nis2-implementation-where-are-we-now/
[^11_7]: https://ezine.eversheds-sutherland.com/eu-nis2-directive/netherlands
[^11_8]: https://www.sorainen.com/publications/nis-2-directive-the-eu-s-update-to-the-cybersecurity-framework/
[^12_1]: https://www.nis-2-directive.com
[^12_2]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[^12_3]: https://www.pwc.nl/en/insights-and-publications/themes/risk-regulation/new-european-nis2-directive-stricter-requirements-for-cyber-security.html
[^12_4]: https://www.infosecurity-magazine.com/blogs/nis2-everything-eu-orgs-need-to/
[^12_5]: https://www.nomios.nl/en/resources/what-is-nis2/
[^12_6]: https://www.deloitte.com/nl/en/services/risk-advisory/perspectives/the-nis2-directive.html
[^12_7]: https://highberg.com/insights/eight-things-you-need-to-know-about-nis2
[^12_8]: https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/
[^13_1]: https://nis2directive.eu/nis2-requirements/
[^13_2]: https://futurerange.ie/blog/understanding-the-implications-of-the-nis2-directive-for-board-directors/
[^13_3]: https://highberg.com/insights/eight-things-you-need-to-know-about-nis2
[^13_4]:
https://blog.smartglobalgovernance.com/en/cybersecurity-governance-nis-2-makes-executives-accountable/ [^13_5]: https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_8_MGMT.pdf [^13_6]: https://www.nis-2-directive.com/NIS_2_Directive_Board_of_Directors_Training.html [^13_7]: https://www.guberna.be/en/know/guberna-what-does-nis2-mean-board-directors-and-executives [^13_8]: https://www.deloitte.com/nl/en/services/risk-advisory/perspectives/the-nis2-directive.html [^13_9]: https://www.anove.ai/blog-posts/the-nis2---what-boards-must-do [^13_10]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive [^14_1]: https://panorays.com/blog/nis2-compliance-for-third-party-risk-management/ [^14_2]: https://www.bitsight.com/blog/navigating-nis2-requirements-transforming-supply-chain-security [^14_3]: https://mitratech.com/resource-hub/blog/nis2-and-third-party-risk-management/ [^14_4]: https://rhymetec.com/nis2-requirements/ [^14_5]: https://www.bitsight.com/blog/nis2-compliance-how-to-identify-critical-suppliers [^14_6]: https://www.holmsecurity.com/nis2-supply-chain-requirements [^14_7]: https://www.dataguard.com/nis2/requirements/ [^14_8]: https://www.ey.com/en_pl/insights/law/nis2-supply-chain-security [^14_9]: https://nis2directive.eu/nis2-requirements/ [^14_10]: https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/ [^15_1]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive [^15_2]: https://www.nis-2-directive.com [^15_3]: https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333 [^15_4]: https://www.ncsc.nl/over-ncsc/wettelijke-taak/wat-gaat-de-nis2-richtlijn-betekenen-voor-uw-organisatie/samenvatting-nis2-richtlijn [^15_5]: https://nis2directive.eu/what-is-nis2/ [^15_6]: https://www.cyberday.ai/blog/nis2-overview-history-key-contents-and-significance-for-top-management [^15_7]: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/ [^15_8]: https://sosafe-awareness.com/glossary/nis2/ 
[^15_9]: https://nis2directive.eu/nis2-release-date/ [^15_10]: https://dispel.com/blog/what-was-the-original-nis-directive-and-why-was-it-not-sufficient [^16_1]: https://www.nis-2-directive.com [^16_2]: https://assets.kpmg.com/content/dam/kpmg/pl/pdf/2023/10/kpmg-network-and-information-security-directive-nis2.pdf [^16_3]: https://eucrim.eu/news/edps-provides-opinion-on-cybersecurity-directive/ [^16_4]: https://esmt.berlin/knowledge/research-insights/eu-directive-network-and-information-security-requirements-digital [^16_5]: https://www.nfir.nl/en/nis2-all-about-the-directive-legislation-and-latest-status/ [^16_6]: https://www.stibbe.com/publications-and-insights/the-revised-network-and-information-security-directive-enhancing-eu [^16_7]: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX%3A32016L1148 [^16_8]: https://dispel.com/blog/what-was-the-original-nis-directive-and-why-was-it-not-sufficient [^17_1]: https://www.ekelmansadvocaten.com/en/nis2-richtlijn-tips-om-je-als-organisatie-voor-te-bereiden-op-deze-nieuwe-regelgeving/ [^17_2]: https://advisera.com/articles/who-does-nis2-apply-to/ [^17_3]: https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_3_SECTORS.pdf [^17_4]: https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/ [^17_5]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive [^17_6]: https://www.int-comp.org/insight/nis2-are-you-in-scope/ [^17_7]: https://www.pwc.nl/en/insights-and-publications/themes/risk-regulation/new-european-nis2-directive-stricter-requirements-for-cyber-security.html [^17_8]: https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_2_ENTITIES.pdf [^17_9]: https://autenti.com/en/blog/nis2-directive-what-is-it-who-does-it-apply-to-and-from-when [^17_10]: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/ [^18_1]: https://highberg.com/insights/eight-things-you-need-to-know-about-nis2 [^18_2]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive [^18_3]: 
https://ecs-org.eu/activities/nis2-directive-transposition-tracker/ [^18_4]: https://www.onespan.com/blog/NIS2-part1-what-is-new-in-NIS2-Directive [^18_5]: https://www.twobirds.com/-/media/new-website-content/insights/pdfs/220607_nis2-directive_provisional-agreement_newsletter_final.pdf [^18_6]: https://www.ceeyu.io/resources/blog/will-your-company-be-subject-to-nis2 [^18_7]: https://www.mayerbrown.com/en/insights/publications/2024/08/new-eu-cyber-rules-implementation-of-nis2-in-the-eu-member-states [^18_8]: https://www.jdsupra.com/legalnews/navigating-the-eu-s-nis-2-directive-key-1620256/ [^19_1]: https://www.linkedin.com/pulse/beyond-borders-what-non-eu-companies-need-know-new-nis2-q0d5f [^19_2]: https://nis2directive.eu/nis2-requirements/ [^19_3]: https://www.nis-2-directive.com [^19_4]: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive [^19_5]: https://www.dataguard.com/nis2/requirements/ [^19_6]: https://www.metricstream.com/blog/navigating-the-nis2-directive-compliance-success.html [^19_7]: https://www.skadden.com/insights/publications/2024/10/navigating-the-new-cybersecurity-landscape [^19_8]: https://www.zivver.com/blog/how-to-comply-with-nis2