EU regulation

NIS2 Directive / Cybersecurity Act

The NIS2 Directive (Directive (EU) 2022/2555), implemented in the Netherlands as the Cybersecurity Act, obliges organisations in designated sectors to maintain a duty of care, an incident reporting duty and management accountability for cybersecurity.

Key obligations

Duty of care: appropriate security measures
Art. 21 NIS2 requires appropriate and proportionate risk management measures: risk analysis and security policy, incident handling, business continuity (back-ups/recovery), security in development/maintenance, effectiveness measurement, basic cyber hygiene and encryption.
Access management and multi-factor authentication
Art. 21 NIS2 lists access management, including multi-factor authentication and account management, as part of the minimum measures.
Phased reporting duty (24/72 hours)
NIS2 sets a phased reporting duty for significant incidents: an early warning within 24 hours, an incident notification within 72 hours and a final report within one month to the authority/CSIRT.
Supply-chain security
Art. 21 NIS2 explicitly covers supply-chain security, including relationships with direct suppliers; customers may pass this duty down by contract.
Management accountability and training
Art. 20 NIS2 places responsibility with the management body: approving measures, overseeing implementation, mandatory training and potential liability for failure to comply.
Registration with the competent authority
NIS2 requires a registration mechanism; certain digital providers have a direct registration duty. The Cybersecurity Act determines the point of contact and procedure.