NIS2 and the Dutch Cybersecurity Act: What It Means For Your Organisation in 2026
Compliance

The NIS2 Directive is being transposed into Dutch law in 2026. What does this mean for your organisation and how should you prepare?

Nexus-7 Security Team · Cybersecurity Experts
· February 23, 2026 09:29 · 3 min read
The NIS2 Directive Becomes Reality

The European NIS2 Directive (Directive (EU) 2022/2555 on network and information security) is being transposed into Dutch national law as the Cyberbeveiligingswet (Cybersecurity Act). The EU transposition deadline was 17 October 2024; the Dutch act is expected to formally take effect in Q2 2026. For many organisations, the time left to prepare is short.

But what exactly does NIS2 entail? And more importantly: what concrete steps should you take?

Who Falls Under NIS2?

The directive dramatically expands its scope compared to the original NIS Directive. Not just critical sectors like energy and transport, but also:

  • Healthcare — hospitals, laboratories, pharmaceutical companies
  • Financial services — banks and financial market infrastructures (most other financial entities are regulated by DORA, which takes precedence over NIS2 for them)
  • Digital infrastructure — cloud services, data centres, DNS providers
  • Food production and distribution
  • Waste management and water utilities
  • Postal and courier services
  • Government institutions

The size threshold has been lowered: medium-sized and large entities in these sectors (at least 50 employees, or annual turnover and balance sheet total above €10 million) are automatically in scope, regardless of whether they were ever designated under the original directive. Certain entities, such as DNS providers and public administration, are in scope irrespective of size.

Board-Level Accountability: No Longer Optional

One of the most significant changes is explicit management accountability. Article 20 of the directive states that the management bodies of essential and important entities must:

  • Approve the cybersecurity risk-management measures and oversee their implementation
  • Follow cybersecurity training, and are expected to offer similar training to employees on a regular basis
  • Accept that they can be held liable for infringements of the risk-management obligations by the entity

This is not a paper exercise. Directors who delegate cybersecurity without active oversight face genuine legal risk.

The Human Factor: Where NIS2 and Behavioural Analysis Converge

NIS2 requires "appropriate and proportionate technical, operational and organisational measures" (Article 21). The list of minimum measures in Article 21(2) explicitly includes:

  • Basic cyber hygiene practices and cybersecurity training for all employees
  • Policies and procedures to assess the effectiveness of the risk-management measures
  • Incident handling, backed by the reporting duties of Article 23: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month

This is where it gets interesting. Most organisations invest in firewalls and endpoint protection, but overlook the biggest vulnerability: human behaviour. Breach studies consistently report that over 80% of security incidents involve a human element, whether a phishing click, a misused credential or a misconfiguration.

The question is not whether your employees pose a risk, but which employees are most vulnerable — and why.

From Compliance Checkbox to Genuine Resilience

Ticking off an annual phishing simulation no longer suffices. Because NIS2 requires measures to be proportionate to the risk and their effectiveness to be assessed (Article 21(2)(f)), in practice it demands:

  1. Measurable behavioural analysis — Do you know which behavioural patterns make your organisation vulnerable?
  2. Targeted interventions — Not everyone needs the same training
  3. Continuous monitoring — One-off assessments are insufficient
  4. Demonstrable improvement — Can you show auditors that your approach works?

Scientifically validated methods such as Q-Methodology offer a solution. By creating individual behavioural profiles, you can identify exactly where risks lie and take targeted measures.

What Can You Do Now?

Step 1: Inventory — Does your organisation fall under NIS2? Check the sector list and size thresholds.

Step 2: Baseline measurement — Map your employees' current security behaviour. Not with a survey, but with a scientifically validated behavioural analysis.

Step 3: Gap analysis — Compare your current situation against NIS2 requirements. Where are the gaps?

Step 4: Action plan — Create a plan with concrete measures, deadlines and responsibilities.

Step 5: Implement and measure — Execute the measures and continuously monitor effectiveness.

Conclusion

NIS2 is no longer a distant concern. The Dutch Cybersecurity Act is coming, and penalties for non-compliance are substantial: for essential entities up to €10 million or 2% of global annual turnover, whichever is higher, and for important entities up to €7 million or 1.4%.

But NIS2 is more than a compliance obligation. It is an opportunity to make your organisation genuinely more resilient. And that starts with understanding human behaviour.
