On October 17, 2024, the new European Network and Information Security Directive, known as the NIS2 Directive, came into effect, marking a crucial shift in the approach to cybersecurity. The directive focuses on strengthening digital resilience across essential sectors. In the Netherlands, NIS2 will be implemented into national legislation through the Cyberbeveiligingswet (Cybersecurity Act or Cbw), which is anticipated to come into force in the third quarter of 2025.

However, businesses in the Netherlands will still have to comply with NIS2 even though the national legislation is not yet in place.

This article is written by Mourad Seghir. Mourad is part of RSM Netherlands Business Consulting Services with a focus on Finance & Cybersecurity.

According to recent findings from the Alert Online-trendonderzoek (Alert Online trend survey), conducted by Ipsos I&O for the Ministry of Economic Affairs, a striking 32% of small businesses in the Netherlands have not taken any action towards securing their online activities. This is a sharp increase compared to 2023, when only 19% of small businesses reported taking no measures. Furthermore, the findings show that phishing remains the most common form of cybercrime, affecting 58% of employees in the past year, with ICT professionals facing an even higher rate of 72%.

The data highlights a clear disparity in cybersecurity preparedness between small and large businesses, with smaller organizations struggling to implement even basic measures such as two-factor authentication or regular data backups.

Key Takeaway: Small businesses face challenges in cybersecurity readiness, risking vulnerabilities as the NIS2 Directive comes into force.

Low Awareness of NIS2 Requirements

Another key concern revealed by the Alert Online report is the lack of awareness regarding the NIS2 Directive among businesses and their employees. While 45% of ICT professionals in sectors covered by NIS2 are familiar with the directive, only 33% of all ICT professionals across other sectors have heard of it. Among general employees, 85% remain unaware of NIS2, with nine out of ten employees not realizing that their organization may fall under the directive’s scope.

This lack of awareness poses a risk, as organizations may be unprepared to meet the compliance requirements set out by NIS2 and, eventually, the Cybersecurity Act.

Key Takeaway: Raising awareness and increasing engagement among small businesses and their employees are critical for successful NIS2 implementation.

Risk Mitigation Strategies for Businesses

1. Conducting a Risk Analysis

Digital threats can pose significant risks to a business's operations and reputation. Establishing a clear and cyclical risk management policy is essential for maintaining an appropriate level of digital resilience. A comprehensive risk analysis should include:

Key Takeaway: A tailored risk analysis provides a foundation for making informed decisions on mitigating identified risks.

2. Implementing Appropriate Measures

Organizations need to take proactive steps to enhance their cybersecurity resilience. Based on the results of the risk analysis, businesses should consider implementing measures such as:

For small businesses, adopting basic security practices like multi-factor authentication and regular backups can significantly improve their resilience to cyber threats.

Key Takeaway: Customized, proactive measures are essential for maintaining compliance and improving resilience.

3. Establishing Incident Response Procedures

Organizations subject to NIS2 must establish procedures for reporting incidents to the national and/or sectoral CSIRT (Computer Security Incident Response Team) and the relevant supervisory authority. Key considerations include:

With phishing still the most prevalent form of cybercrime, it is vital for businesses to equip employees with the knowledge and resources needed to handle incidents effectively.

Key Takeaway: A robust incident response framework is critical to complying with NIS2 and minimizing the impact of cyber incidents.

Forward Thinking: Preparing for the Cybersecurity Act

The transition to the Cybersecurity Act marks a change in the cybersecurity landscape in the Netherlands. While large organizations may be better equipped to navigate these changes, small businesses face an uphill battle in both awareness and readiness. For businesses to achieve compliance and protect their digital assets, proactive steps must be taken to raise awareness, conduct thorough risk assessments, and implement tailored security measures.

Organizations should leverage available resources and expert guidance to strengthen their cybersecurity posture and ensure they are fully prepared for the new regulations. By taking these steps, businesses can not only achieve compliance but also build resilience against the ever-evolving threat of cyberattacks.

RSM is a thought leader in the field of strategy consulting. We offer frequent insights through training and the sharing of thought leadership based on detailed knowledge of regulatory obligations and their practical application in our work with customers. If you want to know more, please reach out to one of our consultants.