Many a security party tries to convince you that the urgency for implementing the NIS2 regulations is incredibly high. If all the stories are to be believed, you should go along with the hype as soon as possible and hire heavily to deal with impending doom. But let’s face it. Not everyone is convinced. And maybe that is justified?
In the Netherlands, the European NIS2 Directive is being implemented in the form of the Cyber Security Act (Cbw). We all know by now that this law is not yet finished. In Cabinet Schoof I, it was not a top priority. But when will it be? It is now on the agenda for Q2 2026, but we have seen before that postponement is a possibility. So it is logical that a number of organizations are questioning the urgency of NIS2 and of implementing measures.
NIS2 is not just about security. Of course, the risk of a security incident is actually no greater once the legislation goes into effect. So then why the urgency?
In this piece, I address the security professional who needs to convince management to really get going after all, and/or the manager who wants to know if and why he needs to be convinced. To get that clear, we’ll look at the practicalities you’re going to have to deal with in a hack. And that is the impact of compliance on your business opportunities and liability. Because yes – spoiler alert – if you ask me, NIS2 compliance is very urgent. Not because of the advent of new legislation, but simply because you need to have your security in order for a secure and forward-looking organization.
Security is obviously more than just protecting against a hacker reading an email. It is also protecting against the reputational damage that comes from an incident, preventing disruption of business processes and preventing fraud.
Demonstrating to the outside world that your organization is secure has also become increasingly important, and in many cases even (more or less) mandatory, in the form of ISO27001, NEN7510, DORA and numerous other frameworks. In today’s connected world, parties in the (production) chain want advance assurance that their partner is secure and will not pose a risk. Often this is mandatory or a perk, and sometimes it is not yet relevant because the industry does not ask for it. But it is clear that this demand is coming back more and more in tenders from both the private sector and government.
We already know that with the new NIS2 regulations, the number of industries and companies for which compliance is going to become an obligation increases dramatically. And because those companies also have to demonstrate NIS2 compliance throughout the chain, this is also going to apply beyond the obligated entities.
Imagine a tender with a check question, “Are you NIS2 compliant?” Do you tick off this question confidently? Are you “working on it” or can you show in detail that you are implementing a realistic plan?
And what are the other competing parties going to be able to fill in on this? If it’s a hard requirement, where you have to provide evidence, what’s the impact on your competitive position?
In the market we see different levels of preparation for NIS2. Here we look at the three well-known pillars of People, Process and Technology. We look at those pillars across two axes. First, how mature am I as an organization? And second, can I show that if asked?

Many organizations are doing well when it comes to security, but find it difficult to actually demonstrate this. Or to make their next steps toward an adequate level concrete.
Ask yourself, or your manager, the following questions:
Do you feel doubt or uncertainty somewhere after reading the above piece? I challenge you to have a frank conversation about this with security, legal and management. Ultimately, the right action comes from balancing business risk, security and the legal obligations that will soon apply.
In this, also discuss the practical issues that play a major role. Unless you already have a well-oiled ISO27001, DORA, etc. procedure in place, chances are slim that you will take the required steps quickly. By any standards, the requirements in the areas of people, process and technology are ambitious and not easily achieved.
Is it wise to budget heavily now and sprint with intensive knowledge transfer to get there early? Or would you rather spread the budget and build a more mature organization more quietly internally? My advice: get started quietly, but quickly. That is: take some time to get a good understanding of the situation and determine the roadmap, but put this at the top of your priority list and start developing your compliance soon. You don’t have to be the first across the finish line, but every day you are at risk is one too many.
Above all, include the other added value of a well-run system in your consideration. Being in control with security = being in control of your IT. Knowing what is going on and being able to show it has major advantages internally as well. Think of making ROIs measurable and visible, substantially lower audit costs, preventing fraud & theft (internally and externally), and using your secure business operations as an advantage in sales, insurance, loans, etc.
Compliance is a complex story, especially when legislation is involved. At One Zero IT, we quickly decompose your compliance issue into an operational solution. That is, we dissect your security challenge, solve it and deliver the solution to your team ready to use. In doing so, we focus on the Zero Trust principle: never trust, always verify.
Our experienced consultants know how drawing up a roadmap together works best and can help implement it. That’s how Zero Trust gets beyond the drawing board. Would you like to discuss your progress with NIS2 and our advice for the next step? Then get in touch.
“My goal is that the IT manager and CEO can sleep easy when it comes to security in the broadest sense of the word. Through overlap of the chapters cloud, connectivity and cybersecurity, One Zero IT ensures that you are unburdened from A to Z in making and keeping your business secure.”
Chapterlead Cybersecurity