Privacy & AVG Compliance

Privacy by Design Under NIS2: What Dutch Organisations Must Prepare For

NIS2 raises the compliance bar for thousands of Dutch organisations. Here is what the directive requires, what it means in practice, and how to get ready.

15 September 2025 · 8 min read · PrivacySolid

The revised Network and Information Security Directive (NIS2, Directive (EU) 2022/2555) had to be transposed into national law by EU member states by 17 October 2024, significantly expanding both the scope of organisations covered and the obligations imposed on them. For the Netherlands, this means thousands of organisations that were previously outside the scope of formal cyber security regulation must now meet binding requirements, or face substantial penalties.

This article is a practical overview of what NIS2 means for Dutch organisations, how it intersects with existing GDPR obligations, and the steps that should be underway now.

Who NIS2 Applies To

The original NIS Directive applied to a relatively narrow set of “operators of essential services” and digital service providers. NIS2 is dramatically broader and sorts covered organisations into two tiers that share the same security measures but differ in supervision and penalties. Dutch organisations in the following sectors are covered:

Essential entities (proactive and reactive supervision, highest penalty ceiling):

  • Energy (electricity, gas, oil, district heating)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure (for financial entities, the DORA regulation applies as the sector-specific instrument for ICT risk)
  • Health (hospitals, pharmaceutical manufacturers, medical device makers)
  • Drinking water and wastewater
  • Digital infrastructure (internet exchange points, DNS, TLD registries, cloud providers, datacentres)
  • Central government

Important entities (reactive supervision only, lower penalty ceiling):

  • Postal and courier services
  • Waste management
  • Chemical manufacturing
  • Food production and distribution
  • Manufacturing of critical products (medical devices, electronics, machinery)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organisations

The size thresholds (generally 50 or more employees, or an annual turnover and balance sheet total above €10 million) mean many mid-sized Dutch organisations are in scope for the first time. Note that some entity types, such as DNS service providers, TLD name registries, trust service providers and public electronic communications providers, are in scope regardless of size.

What NIS2 Actually Requires

The directive mandates an all-hazards, risk-based approach to cyber security, with minimum measures that all covered organisations must implement in proportion to their exposure. These include:

Risk analysis and information system security policies — Documented risk assessments and corresponding security policies are mandatory. These are not one-time exercises; they must be maintained and updated as your risk environment changes.

Incident handling — Covered organisations must have documented incident response procedures and must report significant incidents to the competent authority (in the Netherlands, the NCSC as national CSIRT together with the sectoral supervisory authority) on a staged timeline: an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment of severity and impact within 72 hours, and a final report within one month. An incident is “significant” when it has caused or is capable of causing severe operational disruption or financial loss, or when it has affected or is capable of affecting others by causing considerable material or non-material damage.

Business continuity and crisis management — Backup management, disaster recovery, and crisis management procedures must be documented and tested.

Supply chain security — This is one of the more demanding elements of NIS2. Organisations must assess and manage the cyber security risks posed by their direct suppliers and service providers, taking into account each supplier's specific vulnerabilities and the overall quality of its security practices, including secure development procedures. An organisation that secures itself but ignores its suppliers is no longer compliant.

Security in network and information systems acquisition, development, and maintenance — Security requirements must be embedded in procurement and development processes, and this measure explicitly includes vulnerability handling and disclosure.

Policies on the use of cryptography and encryption — Documented encryption policies and appropriate use of cryptography for data in transit and at rest.

Human resources security, access control, and asset management — These are standard security controls, but NIS2 requires them to be formally documented and verifiable.

Multi-factor authentication — The directive names the use of multi-factor or continuous authentication solutions among the minimum measures, alongside secured voice, video and text communications. In practice, expect supervisors to look for MFA enforced at least on remote access, administrative access and access to sensitive systems.

How NIS2 Connects to GDPR

Many organisations treat NIS2 and GDPR as separate compliance programmes. This is inefficient and leads to duplication. The relationship between the two is as follows:

Shared foundation — Both NIS2 and the GDPR require a risk-based approach, documented policies, and appropriate technical and organisational measures. The risk-management measures required by NIS2 Article 21 and the security requirements of GDPR Article 32 cover significant common ground.

Incident reporting differences — GDPR Article 33 requires notifying personal data breaches to the AP (Autoriteit Persoonsgegevens) within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals. NIS2 requires an early warning of significant incidents to the competent authority within 24 hours, an incident notification within 72 hours, and a final report within one month. These are different obligations to different authorities, with different triggers and thresholds, but they often arise from the same incident. Your incident response procedures must handle both reporting paths, preferably from a single incident record so that the facts reported to each authority stay consistent.

Supply chain — GDPR’s processor agreements (Article 28) and NIS2’s supply chain security requirements overlap. A unified supplier security programme that satisfies both is more efficient than two separate frameworks.

The most effective approach is to treat NIS2 as adding operational security requirements on top of an existing GDPR compliance foundation — not as a completely separate programme.

Privacy by Design as NIS2 Compliance

The “data protection by design and by default” principle from GDPR Article 25, usually called privacy by design, translates directly into NIS2 compliance. When security and privacy requirements are embedded into systems and processes from the design stage, rather than retrofitted, the result is:

  • Lower remediation costs (fixing security architecture flaws after deployment is significantly more expensive than building security in from the start)
  • More coherent documentation (design-stage security decisions are easier to document and audit)
  • Genuine supply chain compliance (security requirements can be included in procurement specifications rather than assessed after the fact)

For organisations implementing NIS2 compliance programmes, the privacy by design methodology provides a structured approach to the “security in acquisition, development, and maintenance” requirement.

Practical Steps for Dutch Organisations

Determine whether you are in scope — The NCSC has published guidance on sector definitions and size thresholds. Many organisations are uncertain about their status; this should be resolved before anything else.

Conduct a gap analysis against the NIS2 requirements — Assess your current security posture against each of the mandatory measures. This does not need to be exhaustive initially; identify the most significant gaps and prioritise them.

Establish or review your incident response procedures — The 24-hour early-warning requirement is one of the most operationally challenging aspects of NIS2 for organisations without a mature incident response process, because it demands that an incident be detected, classified as significant and escalated to the people who can notify within a single day. Start here.

Audit your supply chain — Map your critical suppliers and service providers. For each, assess whether you have visibility into their security practices and whether your contracts include appropriate security requirements.

Appoint accountability — NIS2 Article 20 requires the management body to approve the cyber security risk-management measures, oversee their implementation and follow relevant training, and it makes management bodies liable for infringements. For essential entities, supervisory authorities can additionally ask for a temporary ban on responsible individuals exercising managerial functions. This is a significant escalation from previous EU cyber security rules.

Document everything — Regulators assessing NIS2 compliance will require evidence of your risk assessments, policies, procedures, and incident handling. Documentation that exists only in people’s heads does not satisfy the directive.

The Timeline and Enforcement Reality

The Netherlands did not meet the 17 October 2024 transposition deadline. NIS2 is being implemented through the Cyberbeveiligingswet (Cbw), which replaces the Wet beveiliging netwerk- en informatiesystemen (WBNI), the Dutch implementation of the original NIS Directive. Until the Cbw enters into force, the WBNI continues to apply to the entities it already covers, while the NCSC and sectoral supervisory authorities prepare for supervision under the new law, with formal enforcement expected to take shape through 2026.

Penalties under NIS2 are significant: administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4%, whichever is higher, for important entities. The enforcement trajectory will most likely follow the pattern of GDPR: an initial focus on large organisations and egregious non-compliance, expanding over time.

The organisations that will navigate this most effectively are those that treat NIS2 compliance as a security improvement programme — not a documentation exercise. The requirements are real and the underlying threats are real. Compliance and security posture improvement are the same work, done well.


If you would like to understand your NIS2 obligations and current gap position in more detail, we offer gap assessments for Dutch organisations across all covered sectors. Contact us to arrange an initial conversation.