NIS2 for SMBs: What the Law Means and What You Must Arrange
For years, cybersecurity regulation felt like something only banks and utilities had to worry about. That changes with NIS2, the EU directive implemented in the Netherlands as the Cyberbeveiligingswet, expected to take effect in 2026. It pulls thousands of medium-sized Dutch companies into scope for the first time, and it comes with real teeth: a duty of care, a fast reporting duty, supervision, fines and, notably, personal liability for directors.
This guide explains, in plain terms, whether NIS2 applies to your SMB, what you actually have to arrange, and a step-by-step plan to get ready.
What is NIS2?
NIS2 (Network and Information Security Directive 2) is the EU's upgraded cybersecurity law. It replaces the older NIS directive and dramatically widens the range of sectors and company sizes covered. The Dutch implementation is the Cyberbeveiligingswet, supervised largely by the RDI and sector regulators, with the NCSC as the national CSIRT for incident support.
Are you in scope?
Two questions decide it: your sector and your size.
Size threshold (the general rule): - Essential entities: large organisations (250+ staff, or turnover over EUR 50m) in high-criticality sectors. - Important entities: medium organisations (50+ staff, or turnover over EUR 10m) in covered sectors.
Sectors in scope include: energy, transport, banking, drinking water, wastewater, digital infrastructure, ICT service management (managed service providers), public administration, healthcare, postal services, waste management, food production and distribution, manufacturing (medical devices, electronics, machinery, vehicles), chemicals, and digital providers (online marketplaces, search engines, cloud, data centres).
Two important nuances for SMBs:
- 1. Even if you are too small to be directly in scope, your customers may require NIS2-level security from you as a supplier. Supply-chain security is a core NIS2 obligation, so larger clients will push requirements down the chain.
- 2. Some entities are in scope regardless of size (for example certain digital infrastructure and public bodies).
If in doubt, run the government self-assessment (the "NIS2 zelfevaluatie"). It takes minutes and tells you where you stand.
What NIS2 actually requires
NIS2 is built on a zorgplicht (duty of care) and a meldplicht (reporting duty).
The duty of care: risk-based measures
You must take appropriate technical and organisational measures. The law lists ten themes:
- 1. Risk analysis and information security policy
- 2. Incident handling
- 3. Business continuity and backup management, crisis management
- 4. Supply chain security (including your suppliers)
- 5. Security in acquisition, development and maintenance of systems
- 6. Policies to assess the effectiveness of measures
- 7. Basic cyber hygiene and security training
- 8. Cryptography and encryption
- 9. Access control and asset management
- 10. Multi-factor authentication and secured communications
The reporting duty: fast timelines
If a significant incident occurs, you must:
- Submit an early warning within 24 hours of becoming aware of it.
- Provide a fuller incident notification within 72 hours.
- Deliver a final report within one month.
Governance and director liability
This is the part that changes boardroom conversations: directors are responsible for approving and overseeing the cybersecurity measures, must follow training, and can be held personally liable for failing to comply. Cybersecurity is now explicitly a board-level duty, not just an IT task.
Penalties
For essential entities, fines can reach up to EUR 10 million or 2% of global annual turnover, whichever is higher. For important entities up to EUR 7 million or 1.4%. Supervisors can also impose binding instructions and, in serious cases, management sanctions.
Step-by-step plan for SMBs
- 1. Determine scope. Run the self-assessment and confirm whether you are essential, important, or "only" a supplier facing customer requirements.
- 2. Register. In-scope entities must register with the supervisor. Do not skip this. Registration itself is an obligation.
- 3. Run a risk assessment. Map your critical systems, data and dependencies, and score the risks.
- 4. Close the basics first. MFA everywhere, tested backups, patching, EDR, and access control cover most of the early wins.
- 5. Write the policies. Information security policy, incident response plan, and business continuity plan. Short and usable beats long and ignored.
- 6. Secure your supply chain. Review contracts and security of key suppliers. Expect your own clients to review you.
- 7. Set up incident reporting. Know exactly who reports what, to whom, within 24 hours. Rehearse it.
- 8. Train the board and staff. Directors need documented awareness training. Staff need phishing and hygiene training.
- 9. Review and evidence. NIS2 expects you to measure effectiveness: keep records, run periodic reviews, and align with ISO 27001 where practical.
How NIS2 relates to ISO 27001
You do not need ISO 27001 certification to comply with NIS2, but the two align closely. If you already run an ISO 27001 information security management system, you are most of the way to the duty-of-care requirements. For SMBs starting fresh, using ISO 27001 as a framework is a pragmatic way to structure the work.
FAQ
When does NIS2 apply in the Netherlands? The Cyberbeveiligingswet implements NIS2 and is expected to enter into force in 2026. The duty of care and reporting obligations apply once it is in force, so preparation should start now.
My company is small, am I really affected? Possibly directly (some sectors and sizes are in scope), and very likely indirectly: larger clients bound by NIS2 must secure their supply chain, so they will impose security requirements on you as a supplier.
What is the fastest way to start? Run the government self-assessment, then close the basics: MFA, tested backups, patching, EDR and access control. These cover a large share of the duty of care.
Can directors really be held liable? Yes. NIS2 makes cybersecurity a management responsibility. Boards must approve measures, follow training and can face personal sanctions for non-compliance.
Get NIS2-ready
Not sure where you stand or what to fix first? Explore our Cybersecurity & Identity service for a NIS2 gap assessment, or read 8 measures that prevent ransomware to cover the technical basics.
