NIS2: much needed, but also more work pressure

In the Cracked by Jordens series, we examine the cybersecurity of consumers and businesses in the Netherlands. Today: NIS2.

Published on December 2, 2025

Our DATA+ expert, Elcke Vels, explores AI, cyber security, and Dutch innovation. Her "What if..." column imagines bold scenarios beyond the norm.

The European NIS2 Directive aims to increase the digital resilience of organizations. And rightly so, because cyberattacks are increasing exponentially. This crucial legislation is intended to protect critical sectors such as energy, transport, and banking against cyber threats. However, the law entails a lot of administrative burdens. Clients — such as banks, supermarkets, or municipalities — must compile a long list of all the suppliers they work with and identify their risks. Suppliers — such as IT companies, software developers, or hosting parties — must demonstrate to all their customers that they are taking the appropriate security measures. We spoke to cybersecurity expert Patrick Jordens about whether the Netherlands is ready for the law that will come into force next year.

Patrick Jordens

Patrick Jordens (1969) is an entrepreneur with a passion for digital security. He is the director of Trusted Third Party and founder of DMCC Group, which helps organizations comply with all external laws and regulations and internal policies in the field of privacy and consumer law. He is also a guest lecturer in marketing, data privacy, and ethics at Rotterdam University of Applied Sciences.

NIS2 is already active, but full implementation will follow in 2026. What does that mean for organizations and companies?

"Companies and organizations must not only have their own security in order, but also actively manage the risks of their suppliers. And that is sorely needed. I interviewed a client for my own marketing website: Geldersch Landschap & Kastelen, an organization that protects cultural heritage in Gelderland. They were hacked via their IT supplier. That supplier had been infected with ransomware, the data was not properly segmented, and the attacker was therefore able to access their systems directly. This caused enormous problems, even though they thought everything was fine. The new law, therefore, states very clearly that you must also consider the security of your suppliers, whether they are IT companies or software developers."

How is it possible that NIS2 is increasing the workload for both customers and suppliers?

"For some organizations and companies, NIS2 means they have to manage dozens to hundreds of suppliers. They have to question those suppliers, conclude contracts with clear security requirements, and ensure that everyone continues to comply with them. They have to consult with their suppliers regularly, test incidents, and organize training courses. Suppliers, in turn, must report incidents directly to the client. This means that a much more active relationship must be established between the client and the supplier.

For IT suppliers, especially SMEs, this also creates a lot of hassle. They are at a loss; they have to do things they have never done before in the field of security, and they have to demonstrate everything they do. It is a lot of work. All customers will make the same demands, but with different wording and questions."

It sounds as if the Netherlands is not quite ready for the new law.

"NIS2 will come into force in the second quarter of 2026. One thing is certain: the Netherlands is far from ready."

What can clients and suppliers do to prepare themselves?

"I advise suppliers to create a standard accountability file that they can share with all their (future) clients: a clear package of documents that allows you to immediately demonstrate that your basic security is in order. If you do that groundwork now, you won't have any problems when a client asks for supporting documents.

Clients would be wise to start mapping out their suppliers now. It is then important to assess and classify all risks: for example, an IT supplier is a high risk, while a supplier of toilet paper usually is not. This makes it easier to take the appropriate security measures and communicate them clearly to suppliers. Consider, for example, ensuring that multi-factor authentication is properly set up everywhere."