Skip to content
eMotivz logo
Solutions

Microsoft 365 Modern Workplace

Secure, productive & always connected

Microsoft 365 management

Scans, projects & partial managed services

Microsoft Azure

Cloud infrastructure & management

Microsoft Copilot AI

Generative AI for your Microsoft 365 workplace

Virtual Desktops

Azure Virtual Desktop & Windows 365

Business Connectivity

Internet & Mobile for your organisation

Telephony Teams & Xelion

Calling via Microsoft Teams

Collaboration Devices

From headset to meeting board

All solutions→
About us

About us

Who we are and what drives us

Approach

How we work with our customers

Blog

Insights and news from eMotivz

Success storiesContact
Book a meeting
eMotivz logo
Success storiesContact
Book a meeting
NIS2ComplianceSecuritySMB

NIS2 and the Dutch SMB — are you obliged to comply?

NIS2 came into force in 2024, but the Dutch implementation is running behind. What does that mean for your SMB? Are you obliged to comply? And what should you be putting in place right now?

eMBy Ronald van Ackooij
·8 May 2026·8 min read

NIS2 — the second iteration of the European Network and Information Security Directive — has been formally in force since October 2024. In the Netherlands, it is being implemented through the Cyber Security Act (Cyberbeveiligingswet, Cbw), which is due to take effect during 2026. Yet many SMB owners are wrestling with the same questions: am I obliged to comply? What do I need to put in place? And if so, by when?

This article sets out what NIS2 means for SMBs in the Netherlands, which organisations do and do not fall within scope, and what you can do in practical terms.

What is NIS2 in a single paragraph?

NIS2 is a European directive that requires businesses and organisations in essential and important sectors to get their cyber security in order, to report incidents, and to demonstrate board-level accountability for digital risk. The directive replaces and broadens the old NIS1 directive from 2016, which affected only a handful of large organisations.

In the Netherlands, NIS2 is being brought into law through the Cyber Security Act — previously announced as the Network and Information Systems Security Act 2 (Wbni 2). At the time of writing, the legislation is still going through the parliamentary process; its entry into force has been postponed several times and is now expected in the second half of 2026. Keep an eye on the website of the National Cyber Security Centre for the latest status.

Which organisations fall under NIS2?

NIS2 distinguishes between two categories:

  • Essential entities — larger organisations (250+ employees or more than €50 million in turnover) in highly critical sectors: energy, drinking water, transport, healthcare, banking, digital infrastructure (cloud providers, data centres, DNS) and public administration.
  • Important entities — medium-sized organisations (50+ employees or more than €10 million in turnover) across a broader set of sectors: postal services, food production and distribution, chemicals, waste management, manufacturing of medical devices, IT service providers, online marketplaces and social networks.

What is often overlooked: the sector assessment looks not only at your own business, but also at what you do within that sector. An IT service provider with 60 employees falls under NIS2, even if its own IT environment is relatively simple.

My SMB falls outside NIS2 — can I sit back and relax?

No. And this is perhaps the single most important point in this article.

Even if your own organisation falls outside NIS2, it still affects you in three ways:

1. Your customers are subject to NIS2. Are you a supplier or service provider to an organisation that does fall under NIS2? Then that organisation has to get its supply chain in order. In practice, that means contractual requirements, questionnaires and audits. An SMB subcontractor in a NIS2 supply chain without MFA, without MDM and without logging will soon be a subcontractor no longer.

2. Your cyber insurer already demands it. Over the past two years, cyber insurers have tightened their requirements dramatically. MFA, endpoint protection, offsite backups, an up-to-date incident response plan — these are already hard policy requirements today. Anyone who fails to meet them either gets no cover at all or pays a premium that makes the policy economically pointless.

3. Directors' liability is growing. The Dutch implementation explicitly introduces board-level accountability. Even beyond the direct reach of NIS2, this changes the legal context: a managing director who cannot demonstrate that they have taken due care over cyber security runs a personal risk in the event of an incident.

What does NIS2 require in concrete terms?

The directive is deliberately written in technology-neutral language. Translated into practice, it comes down to ten control measures:

  1. Risk analysis and information security policy — not a one-off exercise, but maintained on an ongoing basis.
  2. Incident handling — a documented process, with a duty to report within 24 hours of discovery.
  3. Business continuity and backup management — tested backups, a failover strategy and a recovery plan.
  4. Supply chain security — requirements for suppliers, and contracts with information security clauses.
  5. Security in acquisition, development and maintenance — secure development practices and patch management.
  6. Policies and procedures for measuring effectiveness — measure whether it actually works.
  7. Basic cyber hygiene and training — regular awareness and training for employees.
  8. Cryptography — encryption at rest and in transit, and key management.
  9. Access control and identity management — where Microsoft Entra ID, Conditional Access and MFA come into play.
  10. Personnel security, asset management and access to facilities — physical and organisational security.

For an SMB of 30 to 100 employees, all of this is achievable — provided you build it into your IT foundation rather than buying it in as a series of separate bolt-ons.

The four practical steps we recommend

Step 1 — Establish whether you are in scope

Work through the NIS2 sector list and determine whether your organisation could qualify as an essential or important entity. Be honest about your customer base too: do you provide critical services to organisations that do fall under NIS2? If so, you are indirectly bound through the supply chain as well.

Step 2 — Carry out a gap analysis against the ten measures

Go through all ten control measures and assess where you stand today. For most SMBs, the pain points are number 2 (incident response), number 4 (supply chain) and number 6 (measuring effectiveness). The rest is largely covered already by a well-configured Microsoft 365 platform.

Step 3 — Make your Microsoft foundation NIS2-ready

A correctly configured Microsoft 365 tenant with Microsoft 365 Business Premium already covers the bulk of the technical measures:

  • Microsoft Entra ID + Conditional Access + MFA — access control and identity management
  • Microsoft Intune — device management, patching and compliance policies
  • Microsoft Defender for Business — endpoint protection, EDR and incident logging
  • Microsoft Purview — data classification, DLP and retention
  • Microsoft Sentinel or Defender XDR — security monitoring and incident detection

We set this up as standard for our SMB customers. The difference between a tenant that is NIS2-proof and one that is not lies not in the licence, but in how it is configured.

Step 4 — Document everything

Ultimately, NIS2 is a matter of being able to demonstrate compliance. Not being able to show that you have taken measures is, in practice, the same as not having taken any measures at all. Document:

  • Your information security policy
  • Incident procedures (who does what, for which type of incident)
  • Backup and recovery procedures, including test reports
  • Awareness training (who completed what, and when)
  • Supplier contracts with security clauses

For an SMB, this need not be a 200-page ring binder. A living Word or OneNote document of 20 to 30 pages, hosted in SharePoint and updated annually, is more than enough.

When should I start?

Today. Not because the law comes into force tomorrow — that is still some way off — but because:

  • Your cyber insurer already demands it
  • Your NIS2-bound customers will soon start asking for it
  • A security incident in the meantime will simply bring your business to a standstill

Anyone having to build a foundation from scratch is quickly looking at three to six months of implementation work. With eMotivz, that is not necessary. Our Microsoft 365 Modern Workplace is designed around our Built-in rather than Bolt-on principle: Conditional Access, MFA, Microsoft Entra ID, Microsoft Intune, Microsoft Defender for Business and the logging that NIS2 calls for are all included as standard — not as a separate module you buy on later.

With new customers, we find that in most cases this combination already covers 80% of the NIS2 requirements technically, from day one. The rest is documentation, training and a review cycle.

Frequently asked questions

Does NIS2 also apply to sole traders? No, individual entrepreneurs fall outside NIS2. But if, as a sole trader, you provide IT services to organisations that do fall within scope, your customer may still impose requirements on you through the supply chain.

Is ISO 27001 the same as NIS2? No, but the two overlap strongly. An organisation that is ISO 27001-certified will almost automatically meet the NIS2 control measures. The other way round: NIS2 compliance is not ISO 27001 (no external certification is required), but in practice the substance is comparable.

Who supervises compliance in the Netherlands? Supervision is assigned to the Minister of Justice and Security, with operational oversight by the Dutch Authority for Digital Infrastructure (RDI) and sector-specific regulators such as DNB for the financial sector. The National Cyber Security Centre (NCSC) is designated as the CSIRT (Computer Security Incident Response Team).

How does eMotivz help?

We configure Microsoft 365 environments for SMBs with NIS2 compliance as a design principle — not as an afterthought. For customers in the risk categories, we carry out periodic security scans and keep the documentation up to date together with you.

Would you like to know where your organisation stands in relation to NIS2? Book a no-obligation conversation or take a look at our Microsoft 365 Modern Workplace for the baseline setup we deliver as standard.

Back to blog
eMotivz — IT partner and specialist across Flevoland and central Netherlands

IT partner for SMBs and specialist for larger organisations across Flevoland and central Netherlands. MSP based in Lelystad.

Solutions
  • Modern Workplace
  • Microsoft 365
  • Microsoft Azure
  • Copilot
  • Virtual desktops
  • Telephony
  • Connectivity
  • Collaboration devices
Company
  • About
  • Approach
  • Blog
  • Customers
  • Contact
Legal
  • Privacy Policy
  • Cookie Statement
  • Terms & Conditions
© 2026 eMotivz B.V.KvK 92466990 · BTW NL866059568B01