Cybersecurity
Deep Dive

NIS2 for SMBs: What the Law Means and What You Must Arrange

The Dutch Cyberbeveiligingswet (NIS2) lands in 2026 and brings duty of care, a 24-hour reporting duty and personal director liability. Here is who is in scope, what you must arrange, and a practical step-by-step plan for SMBs.

Jun 28, 2026
10 min read
NIS2 for SMBs: What the Law Means and What You Must Arrange

NIS2 for SMBs: What the Law Means and What You Must Arrange

For years, cybersecurity regulation felt like something only banks and utilities had to worry about. That changes with NIS2, the EU directive implemented in the Netherlands as the Cyberbeveiligingswet, expected to take effect in 2026. It pulls thousands of medium-sized Dutch companies into scope for the first time, and it comes with real teeth: a duty of care, a fast reporting duty, supervision, fines and, notably, personal liability for directors.

This guide explains, in plain terms, whether NIS2 applies to your SMB, what you actually have to arrange, and a step-by-step plan to get ready.

What is NIS2?

NIS2 (Network and Information Security Directive 2) is the EU's upgraded cybersecurity law. It replaces the older NIS directive and dramatically widens the range of sectors and company sizes covered. The Dutch implementation is the Cyberbeveiligingswet, supervised largely by the RDI and sector regulators, with the NCSC as the national CSIRT for incident support.

Are you in scope?

Two questions decide it: your sector and your size.

Size threshold (the general rule): - Essential entities: large organisations (250+ staff, or turnover over EUR 50m) in high-criticality sectors. - Important entities: medium organisations (50+ staff, or turnover over EUR 10m) in covered sectors.

Sectors in scope include: energy, transport, banking, drinking water, wastewater, digital infrastructure, ICT service management (managed service providers), public administration, healthcare, postal services, waste management, food production and distribution, manufacturing (medical devices, electronics, machinery, vehicles), chemicals, and digital providers (online marketplaces, search engines, cloud, data centres).

Two important nuances for SMBs:

  • 1. Even if you are too small to be directly in scope, your customers may require NIS2-level security from you as a supplier. Supply-chain security is a core NIS2 obligation, so larger clients will push requirements down the chain.
  • 2. Some entities are in scope regardless of size (for example certain digital infrastructure and public bodies).

If in doubt, run the government self-assessment (the "NIS2 zelfevaluatie"). It takes minutes and tells you where you stand.

What NIS2 actually requires

NIS2 is built on a zorgplicht (duty of care) and a meldplicht (reporting duty).

The duty of care: risk-based measures

You must take appropriate technical and organisational measures. The law lists ten themes:

  • 1. Risk analysis and information security policy
  • 2. Incident handling
  • 3. Business continuity and backup management, crisis management
  • 4. Supply chain security (including your suppliers)
  • 5. Security in acquisition, development and maintenance of systems
  • 6. Policies to assess the effectiveness of measures
  • 7. Basic cyber hygiene and security training
  • 8. Cryptography and encryption
  • 9. Access control and asset management
  • 10. Multi-factor authentication and secured communications

The reporting duty: fast timelines

If a significant incident occurs, you must:

  • Submit an early warning within 24 hours of becoming aware of it.
  • Provide a fuller incident notification within 72 hours.
  • Deliver a final report within one month.

Governance and director liability

This is the part that changes boardroom conversations: directors are responsible for approving and overseeing the cybersecurity measures, must follow training, and can be held personally liable for failing to comply. Cybersecurity is now explicitly a board-level duty, not just an IT task.

Penalties

For essential entities, fines can reach up to EUR 10 million or 2% of global annual turnover, whichever is higher. For important entities up to EUR 7 million or 1.4%. Supervisors can also impose binding instructions and, in serious cases, management sanctions.

Step-by-step plan for SMBs

  • 1. Determine scope. Run the self-assessment and confirm whether you are essential, important, or "only" a supplier facing customer requirements.
  • 2. Register. In-scope entities must register with the supervisor. Do not skip this. Registration itself is an obligation.
  • 3. Run a risk assessment. Map your critical systems, data and dependencies, and score the risks.
  • 4. Close the basics first. MFA everywhere, tested backups, patching, EDR, and access control cover most of the early wins.
  • 5. Write the policies. Information security policy, incident response plan, and business continuity plan. Short and usable beats long and ignored.
  • 6. Secure your supply chain. Review contracts and security of key suppliers. Expect your own clients to review you.
  • 7. Set up incident reporting. Know exactly who reports what, to whom, within 24 hours. Rehearse it.
  • 8. Train the board and staff. Directors need documented awareness training. Staff need phishing and hygiene training.
  • 9. Review and evidence. NIS2 expects you to measure effectiveness: keep records, run periodic reviews, and align with ISO 27001 where practical.

How NIS2 relates to ISO 27001

You do not need ISO 27001 certification to comply with NIS2, but the two align closely. If you already run an ISO 27001 information security management system, you are most of the way to the duty-of-care requirements. For SMBs starting fresh, using ISO 27001 as a framework is a pragmatic way to structure the work.

FAQ

When does NIS2 apply in the Netherlands? The Cyberbeveiligingswet implements NIS2 and is expected to enter into force in 2026. The duty of care and reporting obligations apply once it is in force, so preparation should start now.

My company is small, am I really affected? Possibly directly (some sectors and sizes are in scope), and very likely indirectly: larger clients bound by NIS2 must secure their supply chain, so they will impose security requirements on you as a supplier.

What is the fastest way to start? Run the government self-assessment, then close the basics: MFA, tested backups, patching, EDR and access control. These cover a large share of the duty of care.

Can directors really be held liable? Yes. NIS2 makes cybersecurity a management responsibility. Boards must approve measures, follow training and can face personal sanctions for non-compliance.

Get NIS2-ready

Not sure where you stand or what to fix first? Explore our Cybersecurity & Identity service for a NIS2 gap assessment, or read 8 measures that prevent ransomware to cover the technical basics.

NIS2
Cybersecurity
Compliance
MKB

Related Articles

Cybersecurity

AI-Powered Cybersecurity: How Machine Learning Is Transforming Threat Detection

Cyberattacks are growing in volume and sophistication. AI-powered security tools are shifting the balance back to defenders. This article examines how Dutch organisations are using ML-driven SIEM, EDR, and threat intelligence to stay ahead.

Read More
Cybersecurity

Preventing Ransomware in the SMB: 8 Measures That Actually Work

SMBs are now the primary target for ransomware precisely because attackers assume their defences are weak. The good news: a handful of well-implemented measures stop the vast majority of attacks. Here are the 8 that deliver the most protection per euro.

Read More
AI & Compliance

The EU AI Act: What Dutch Businesses Need to Know in 2026

The EU AI Act is now in force. From risk classifications to mandatory conformity assessments, here is what every Dutch organization deploying AI systems must do to stay compliant, and avoid fines up to 35 million euro.

Read More

Need Help with Your IT Infrastructure?

Let's discuss how we can help transform your IT operations with modern solutions.