New cyber security rules: companies have to act now!

Netherlands - Digital security is in focus today more than ever. The impending cyber attacks can no longer be ignored and require a rethink in many companies. But what exactly changes with the new regulations that follow from the European NIS2 directive? The KVK gives us the answer.

The new cybersecurity legislation, specifically the Cybersecurity Act (Cyberbeveiligingswet, CBW), is in the starting blocks and will take effect in the Netherlands in the course of the second quarter of 2026. This will transpose the NIS2 directive, which comes into force on October 17, 2024, into national law. It sets a clear course that covers all affected companies, from large corporations to small and micro-companies.

But why is that so important? Quite simply: the NIS2 directive aims to improve the resilience of critical sectors in the EU and thus to ensure the security and continuity of essential services in society. More and more organizations are faced with a growing number of digital threats. It is therefore essential that companies take action now and prepare for the upcoming changes.

Who is affected?

The rules apply to organizations in critical sectors such as energy, health and banking. The scope has been significantly expanded, so that more and more sectors now fall under the stricter requirements. According to ENISA, a total of 18 sectors fall under the NIS2 directive, divided into two main categories: essential and important entities.

  • Digital infrastructure (e.g. cloud services, internet exchange points)
  • Energy (oil, gas, electricity)
  • Transport (aviation, rail)
  • Healthcare (clinics, research institutions)
  • Public administration

Entrepreneurs should also be aware that companies with at least 50 employees or annual sales of over 10 million euros in particular fall under this law. But smaller companies can also be affected if they are considered critical to society, such as service providers in the digital sector.

What is expected from companies?

The number of requirements that companies and their suppliers have to meet is impressive. Organizations not only have to deal with ISO 27001 and risk management, but must also put measures in place for reporting cyber attacks, for security updates and for employee training programs. According to OpenKRITIS, it is also essential to implement emergency plans and data backups.

This requires not only time, but also targeted preparation. The draft law leaves no questions open: companies have to be prepared to examine their cyber security comprehensively and, if necessary, improve it in order to meet the requirements. Today, cybersecurity is not only a technical question, but also an essential prerequisite for trust in digital business models.

The NIS2 directive and the associated Cybersecurity Act create a clear framework that focuses on cyber defense readiness. Monitoring of and compliance with the requirements are ensured by national supervisory authorities, which reinforces the need for cooperation in the EU.

In view of the impending dangers and the tightening of legislation, companies should no longer wait. With a proactive approach, the right planning and a clear understanding of the requirements, you can not only improve your security, but also make a positive contribution to digital society.

This is not only a challenge, but also an excellent opportunity for companies to adapt to future requirements and thus show good instincts for their digital future.

For further information and support, companies can use ENISA's materials and resources, which aim to offer a comprehensive overview of the NIS2 directive.