NIS2 Netherlands Ready: What IT Managers Must Do Before the Cyberbeveiligingswet Starts
Getting ready for NIS2 in the Netherlands is now an operational priority for Dutch IT managers, because the Cyberbeveiligingswet is expected to bring new registration, governance, reporting, and evidence duties into force.
Key Takeaways
- NIS2 is the new EU cybersecurity directive and will be implemented in the Netherlands through the Cyberbeveiligingswet.
- The Dutch government aims for the Cyberbeveiligingswet to enter into force in Q2 2026.
- Around 10,000 Dutch organizations are expected to be directly in scope, with an estimated 50,000 suppliers affected through supply chain requirements.
- You must be able to show your asset inventory, ownership, risks, incident handling, and evidence of controls.
- AssetGPT helps register assets, owners, and relationships, while adding governance, approvals, audit trails, and fast onboarding.
---
NIS2 in plain language
NIS2 stands for Network and Information Security Directive 2. It is an EU law that raises the minimum level of cybersecurity for important services and their suppliers. In the Netherlands, NIS2 will be implemented through the Cyberbeveiligingswet. This law replaces the current Wbni and extends the scope to many more sectors and companies.
The Dutch government has stated that the Cyberbeveiligingswet is expected to enter into force in the second quarter of 2026. Until then, companies are urged to prepare. The reason is simple. The risks already exist, and the requirements are clear enough to act on now.
Sources:
- Business.gov.nl on NIS2 obligations and expected timeline.
- NCTV Q and A on Cyberbeveiligingswet planning and duties.
Who in the Netherlands should worry about NIS2
NIS2 covers essential and important entities. In practice, this depends on sector and size. If your organization operates in one of the NIS2 sectors and has at least 50 employees or more than 10 million euro in turnover or balance sheet total, you are likely in scope. Larger organizations are classified as essential entities, while medium-sized ones are important entities. Essential usually means higher criticality or larger scale. Important entities are still regulated, but with lighter supervision.
Examples of in-scope sectors include energy, transport, healthcare, digital infrastructure, public administration, and key ICT service providers. The list expands well beyond the original NIS1 scope. The reality for most IT managers is that their organization either falls directly in scope or supports a customer that does.
The Dutch scope is significant. Industry sources estimate that roughly 10,000 organizations will fall directly under NIS2 in the Netherlands. Another 50,000 companies are expected to be affected as suppliers because NIS2 introduces supply chain responsibilities.
Sources:
- Samen Digitaal Veilig on 10,000 direct scope and 50,000 supply chain impact.
- RDI guidance on who falls under the Cyberbeveiligingswet.
If you are unsure, the Dutch government provides a self-evaluation tool that helps determine whether your organization is considered essential or important.
Source:
- RDI and NCSC self evaluation tool.
What does NIS2 require in practice
NIS2 is not just about policies. It requires proof that you know your assets, manage risks, and can respond quickly. For IT managers, that means the following areas need to be under control.
1. Asset inventory and ownership
You must know which systems you run, who owns them, and which services depend on them. Think of an asset register as a living list of systems, owners, locations, and criticality. Without this, you cannot judge risk or respond to incidents. The Cyberbeveiligingswet also requires registration of entity details in a national register once the law is active.
2. Relationships and dependencies
NIS2 is about resilience. That means understanding how an outage or compromise spreads across your environment. You need to see relationships between servers, applications, suppliers, and teams. A relationship map shows what runs where and what depends on what, so impact analysis is fast and accurate.
3. Risk assessment and measures
NIS2 includes a duty of care. You must assess risk and implement reasonable technical and organizational measures. This is the core of the law and it is what inspectors will focus on.
4. Incident response and reporting
NIS2 introduces strict reporting timelines. In the Netherlands, the duty to report includes an early warning within 24 hours for significant incidents, followed by updates and an end report. Your incident workflow must support this. You need evidence that your process works, not just a document on a shelf.
5. Governance and accountability
The law expects management to approve and oversee the cybersecurity measures. You need clear governance with audit trails, approvals, and evidence that actions were taken. Governance here means controlled decision making and proof that critical actions were approved.
Sources:
- Business.gov.nl on duty of care, duty to report, and supervision.
- NCTV Q and A on registration, governance, and reporting steps.
What needs to be registered
NIS2 creates a registration duty for essential and important entities. The register is meant to give authorities an overview of critical services and their contacts. That sounds simple, but it requires you to keep internal data structured and current.
In practice, that means you must be ready to provide and maintain:
- Organization identity and contact details
- Sector classification and service scope
- Responsible persons and ownership lines
- Key assets that support essential services
- Evidence of security measures and incident handling
If you cannot keep this current, you will struggle during audits and incident response. The same data is also needed when your customers or partners ask for NIS2 proof in the supply chain.
The supply chain effect is real
Even if you are not a direct NIS2 entity, you may still be asked to prove security controls. The directive includes a strong chain responsibility requirement. That means essential and important entities must manage supplier risk. For many mid-size IT providers in the Netherlands, this is the trigger that will push customers to ask for evidence, contracts, and audits.
If you are part of the ICT sector, this matters even more. NIS2 is focused on digital service providers, and Dutch sources indicate thousands of ICT suppliers are already preparing for customer audits and new requirements.
Consequences of not being ready
NIS2 is not a box-ticking exercise. If you are not ready, several problems can show up fast.
- Contract risk: Suppliers will be asked to show proof of compliance. If you cannot, you may lose deals or renewals.
- Incident exposure: Without clear asset ownership and relationships, incident response slows down and damage grows.
- Regulatory pressure: NIS2 allows authorities to issue binding instructions and fines, with levels defined in national law and sector rules.
- Leadership accountability: Boards must show active oversight, so gaps can become management risks.
The result is not just legal risk. It becomes operational risk, business risk, and reputational risk.
A practical readiness checklist for IT managers
Here is a simple checklist that maps directly to NIS2 expectations. It is not legal advice, but it reflects how inspectors typically think.
- Know your in-scope services
  - Identify services that fall under NIS2 sectors.
  - Document who uses them and what happens if they fail.
- Build a clean asset register
  - Record systems, owners, locations, and criticality.
  - Track key software, infrastructure, and data flows.
- Map relationships and dependencies
  - Identify what runs where and what depends on what.
  - Capture supplier links and outsourced services.
- Formalize risk assessments
  - Identify likely risks and quantify impact.
  - Link risks to concrete measures and owners.
- Strengthen incident response
  - Define who declares an incident and who reports it.
  - Track response steps, evidence, and post-incident lessons.
- Create audit-ready evidence
  - Store policies and proof of controls.
  - Track approvals for critical changes.
- Prepare for registration
  - Keep contact and ownership details current.
  - Ensure you can prove scope and accountability quickly.
How AssetGPT helps you get NIS2 ready faster
AssetGPT is built for operational registration and governance. It helps you register the data that NIS2 expects, link it to evidence, and keep it usable during an incident or an audit.
Relate everything, without CMDB busywork
AssetGPT helps you track servers, applications, databases, certificates, network devices, and more as first-class assets. You can link owners to systems, systems to dependencies, and incidents to affected assets. You stay in control of what the relationships mean.
For NIS2, this matters because your ability to respond and report depends on fast impact analysis. If you can answer "what depends on this" in seconds, you can respond faster and provide better evidence.
Governance, access control, and auditability
NIS2 requires proof. AssetGPT supports practical controls such as advanced roles and scoped access, plus auditability so you can answer "who changed what, and why". This helps when auditors, customers, or internal leadership ask for evidence.
ITSM that uses your asset relationships
AssetGPT includes incidents, changes, problems, requests, and knowledge management designed to work with your asset relationships. For NIS2 reporting, linking incidents to assets and dependencies helps you assess impact quickly and keep a clean history.
Knowledge and evidence, where you can find it
With an integrated knowledge base, you can turn internal runbooks into reusable solutions. In practice, this helps during audits and incident reviews because you can show process, ownership, and history.
Certificate management that connects to ownership
NIS2 readiness often fails on small but critical things that no one owns. Certificates are a good example. AssetGPT can store certificates as assets, relate them to servers and applications, and connect them to owners. This helps you prevent avoidable outages and show that ownership is clear.
Paid onboarding help, and automated migration away from TOPdesk
If you want to move quickly, we offer onboarding assistance for a fee. We can help you structure your asset model, relationships, and processes so you get to an audit-ready baseline faster.
If you are migrating away from TOPdesk, we can assist in an automated move using their API. This reduces manual rework and helps you keep continuity while you improve your registration quality.
A clear path from assessment to action
AssetGPT is designed to move from evidence to action. Use it to register assets, attach proof, and generate clean reports for internal and external stakeholders. You can also build automation rules for approvals, notifications, and compliance tasks so the work stays consistent.
What to do next
- Check whether you are in scope using the Dutch NIS2 self evaluation tool.
- Inventory critical services, assets, and relationships.
- Review incident response and reporting timelines.
- Put governance and audit evidence in one place.
If you want to see how AssetGPT can help you do this quickly, book a demo for 0,00 euro. If you want to move faster, ask about onboarding help for a fee, including automated migration support away from TOPdesk.
---
Sources
- https://business.gov.nl/amendments/nis2-directive-protects-network-information-systems/
- https://www.nctv.nl/onderwerpen/c/cyberbeveiligingswet/vragen-en-antwoorden
- https://www.rdi.nl/onderwerpen/cyberveiligheid/cyberbeveiligingswet
- https://www.ncsc.nl/nieuws/zelf-evaluatie-nis2-gelanceerd
- https://samendigitaalveilig.nl/nis2-richtlijn/