NIS2 compliance software for growing SMBs

NIS2 introduces new obligations around information security, vendor management, and incident response. ComplianceHive helps you tackle those obligations in a structured way, step by step, in an overview built for the scale of a growing business.

Free to start, no credit card needed. You pay per tool, not per user.

What does NIS2 require from your organisation?

NIS2 (Directive (EU) 2022/2555) is the European directive that raises the baseline for cybersecurity risk management and incident reporting across the EU. In the Netherlands, NIS2 is being transposed into the Cybersecurity Act (Cyberbeveiligingswet), expected to take effect mid-2026. The directive distinguishes between essential and important entities in sectors such as energy, transport, healthcare, banking and financial market infrastructure, and digital infrastructure.

In practical terms, NIS2 centres on four areas: risk management, supply chain security, incident reporting, and governance. Organisations that fall under the directive need to demonstrate that they have taken measures in each of these areas. That sounds like something for large enterprises, but the reality is different. More and more SMBs are being confronted with NIS2 requirements through their clients, even if they are not directly in scope themselves.

The reason: NIS2-obligated organisations must secure their supply chain. If you deliver software, process data, or provide IT services to a company that falls under NIS2, those requirements will reach you through contracts and security questionnaires.

Where SMBs get stuck with NIS2

Most SMBs know that NIS2 is coming. Where things break down is translating the directive into their own organisation. Three situations we see regularly:

A client in a regulated industry sends you a security questionnaire. The questions cover vendor management, risk assessments, and incident procedures. You know you handle these things reasonably well, but nothing is documented. The answer to every question starts with "we do that, but it is not written down anywhere."

Or you read that NIS2 requires incident response readiness. Your team knows what to do when something goes wrong, but there is no protocol. No log of previous incidents. No description of who does what and when. If an auditor asks, you have nothing to show.

Then there is the risk assessment. You know you should carry one out, but you are not sure what exactly to document, which format to use, or how detailed it needs to be. You keep putting it off because it feels like a project in itself.

Sound familiar? Then you are exactly where most SMBs are. The problem is not a lack of willingness. The problem is that NIS2 obligations are abstract and the translation to a concrete overview is missing.

What you need to have in place for NIS2 and the Cybersecurity Act

The Dutch Cybersecurity Act translates NIS2 into national legislation. What do you concretely need to be able to show? Five areas that auditors and clients will ask about:

Risk assessment
A documented overview of your information security risks. Which systems and data are critical? Which threats and vulnerabilities apply to them? What measures have you taken, and what residual risk remains? This does not need to be hundreds of pages, but it needs to exist, it needs an owner, and it needs to be current.

Vendor management
An inventory of vendors with access to your systems or data, with a risk categorisation per vendor. Who processes which data? What agreements are in place? Read more about NIS2 supplier management in our detailed article.

Incident registration
A log of security incidents and how you handled them. NIS2 sets a staged reporting timeline for significant incidents: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Meeting that first deadline is only possible if you have a process to detect, register and escalate incidents, with the time of discovery recorded.

Governance
Who is responsible for information security in your organisation? NIS2 requires that management approves the cybersecurity risk-management measures, oversees their implementation, and follows training on the subject; management can be held liable for failing to do so. That means: documented responsibilities and approvals, not just an informal understanding.

Evidence
Everything above only has value if you can prove it. Documentation you can show to an auditor, a client, or a regulator. Not loose files on a shared drive, but an overview with version history and ownership.

How ComplianceHive supports your NIS2 preparation

ComplianceHive is not an all-in-one NIS2 solution. That does not exist for SMBs, and honestly, you would not want it to. What ComplianceHive does offer is a practical starting point: the modules to build your first solid foundation, without enterprise-grade implementation projects.

Vendor management
Map your vendors, categorise them by risk, and track which agreements are in place. Exactly what NIS2 requires around supply chain security. Vendor management also covers your GDPR obligations, so you address two requirements at once.

Processing register
Your data and processing inventory is the foundation for both GDPR and NIS2 documentation. With the GDPR processing register you document which data you process, why, and with what measures.

ISO 27001 preparation
The overlap between NIS2 and ISO 27001 is large: the risk-management measures NIS2 lists (Article 21) map closely onto ISO 27001's Annex A controls. If you are working on ISO 27001 preparation, you are simultaneously addressing your NIS2 governance and risk management.

Audit evidence
Everything you document in ComplianceHive is tracked with version history, ownership, and timestamps. When an auditor or client asks for evidence, you export it from one place.

NIS2 and the Dutch Cybersecurity Act: what changes in 2026?

The Dutch Cybersecurity Act (Cyberbeveiligingswet) is the national transposition of the European NIS2 directive. The expected effective date is mid-2026. That may sound distant, but in practice it means Dutch regulators will soon have formal enforcement powers.

What changes concretely? Companies that fall under the act will have a reporting obligation for significant incidents. Regulators can conduct audits and take enforcement action where they find structural shortcomings. And organisations doing business with NIS2-obligated companies will notice that contractual security requirements become stricter.

The good news: you do not need to wait for the act to pass before you start. The NIS2 requirements are already known. The Cybersecurity Act adds a Dutch enforcement layer, but the substantive obligations do not change. Those who start documenting now will be on solid footing when enforcement begins. Check the pricing to see what fits your organisation, or get started with the digital compliance tool.

Frequently asked questions about NIS2 compliance software

Does NIS2 apply to my SMB?
NIS2 targets organisations in critical sectors such as energy, transport, banking and financial market infrastructure, healthcare, and digital infrastructure. Medium-sized companies in those sectors (at least 50 employees, or annual turnover and balance sheet total above 10 million euro) generally fall under the directive as an 'important entity'; large companies in the most critical sectors are 'essential entities'. But smaller companies that supply NIS2-obligated organisations can also face contractual security requirements. Not sure? Check the sectors listed in the directive's annexes against your own activities and those of your largest clients.

What is the Dutch Cybersecurity Act and when does it come into effect?
The Dutch Cybersecurity Act (Cyberbeveiligingswet) is the Netherlands' transposition of the European NIS2 directive. It gives regulators formal enforcement powers and makes NIS2 obligations legally binding in the Netherlands. The expected effective date is mid-2026. Organisations that start preparing now will be on solid footing when enforcement begins.

What does NIS2 compliance software actually do?
NIS2 compliance software helps you organise the documentation and processes that NIS2 requires: a vendor inventory with risk categorisation, an incident log, documented security measures, and an audit trail of who approved what. ComplianceHive brings these components together in one overview, without enterprise-grade implementation projects.

How long does it take to get NIS2-ready with ComplianceHive?
That depends on where you stand today. Most SMBs can have a working vendor inventory, a baseline risk assessment, and an incident registration process set up within two to four weeks. ComplianceHive helps you start with what has the most impact, not everything at once.

Is NIS2 compliance software the same as GDPR compliance software?
Not exactly. GDPR and NIS2 overlap in part: both require processing and vendor documentation. But NIS2 goes further in information security, incident response, and governance. ComplianceHive covers both: the GDPR side through the processing register and vendor management, the NIS2 side through risk assessment, incident registration, and audit evidence.