On the eve of 2026, cybersecurity is an indispensable priority for organizations, regardless of sector or size. The emergence of new digital threats, the use of artificial intelligence for both attack and defense, and the ever-expanding European regulatory landscape require organizations to strengthen their digital resilience thoroughly and sustainably. The focus is no longer exclusively on technological solutions: legislators and society are imposing stricter requirements on organization, compliance with legislation, and contractual agreements. As a result, responsibility for cybersecurity is increasingly landing on the desks of corporate lawyers.

In the previous decade, the European Commission launched its digital strategy under the motto "A Europe fit for the Digital Age." Among other things, this strategy involved devising a comprehensive package of legislation and regulations to strengthen Europe's digital resilience. This package includes NIS2, DORA, CRA, AI Act, and the Data Act. Together, these laws form an integrated and interconnected framework that aims to make the European digital space safer, more reliable, and future-proof. Whereas previous regulations were often more reactive in nature, the new policy focuses explicitly on prevention, transparency, and cooperation between public and private actors. In December 2025, the European Commission took a further step in this direction with its proposal for a Digital Omnibus Regulation.
NIS2 occupies a key position within this framework.[1] NIS2 is currently being transposed into national legislation. In the Netherlands, this is being done through the Cybersecurity Act (Cbw), the bill for which was sent to the House of Representatives in the summer of 2025. The Cbw will be accompanied by various underlying regulations, including the Cybersecurity Decree (Cbb), which details the duty of care, the registration requirement, and the training requirement for directors, as well as ministerial regulations. The Cbw is currently expected to enter into force in the second quarter of 2026, replacing the Network and Information Systems Security Act (Wbni).
Although the obligations laid down in NIS2 will only formally apply once the Cbw comes into force, organizations would be wise to take action now. After all, the coming period will be dominated by preparation and implementation. The law introduces a number of specific obligations, such as conducting risk analyses, reviewing governance structures, and contractually defining responsibilities towards suppliers and customers.
In addition, various sectors may face additional, sector-specific requirements, depending on the nature of their services and the extent of their social impact. Organizations that are active in multiple sectors or are part of an international group may therefore face multiple sets of obligations.
An important part of NIS2 is the definition of its scope and the obligations that apply within it. Depending on the sector (Annex I or II) and the size of the organization, the directive distinguishes between essential and important entities. In practice, this distinction is mainly reflected in the supervisory regime, which is more extensive for essential entities than for important entities. For entities operating in specific digital sectors, the duty of care and the reporting obligation are further specified in Implementing Regulation (EU) 2024/2690; as a directly applicable regulation, it binds those entities irrespective of the timing of national transposition.
It is crucial for corporate lawyers to start by determining which sector(s) their organization falls under. After all, an entity or group of entities may provide different services and therefore fall under multiple regimes at the same time. It is important to look at the service objectively and not to assume which sector the organization intends to fall under. The actual activities are decisive.
Complex business models
For group entities, this exercise can become quite complex, especially when jurisdiction must then be determined. As a general rule, NIS2 stipulates that an entity falls under the jurisdiction of the Member State in which it is established. There is, however, an exception to this rule for (in short) digital service providers, which fall under the jurisdiction of the Member State in which they have their main establishment. To determine the main establishment, NIS2 provides a step-by-step test to identify the correct entity. Given the complexity this can entail in practice, the National Coordinator for Security and Counterterrorism (NCTV) has drawn up a 'Guide to complex business models' to support organizations in this assessment.
Duty of care in the chain
The obligations arising from NIS2 do not only apply to designated essential and important entities; they also affect the broader chain of suppliers, service providers, and customers of these organizations. The so-called chain responsibility, the obligation to pass security requirements down the chain contractually, indirectly obliges these parties to take appropriate security measures and to make clear agreements about information security, audit rights, incident reporting, and data integrity. This means that existing contracts must be revised and that closer cooperation is needed between all parties involved. Each party within the chain must determine its own role, identify the relevant risks, and respond to upcoming obligations in a timely manner.
The duty of care is at the heart of NIS2 and essentially obliges organizations to have security measures in place. These security measures consist of appropriate and proportionate technical, operational, and organizational measures to manage the security risks of their network and information systems. The aim is not only to prevent incidents, but also to minimize the impact on customers and other stakeholders as much as possible if an incident does occur.
These obligations include drawing up policies for risk analysis and information system security, establishing procedures for handling incidents, and taking measures to guarantee the security of the supply chain. Further regulations will specify the specific requirements that these measures must meet, so that organizations have sufficient guidance to fulfill their responsibilities.
In order to determine whether a measure is appropriate, the entity must be able to substantiate that this measure actually contributes to controlling the risks relevant to it. In doing so, the effectiveness and proportionality of the measure are taken into account. Effectiveness refers to the suitability of the measure for controlling the risk in question. This can be derived from European standards, the state of the art, and the results of the risk analysis carried out by the entity. Proportionality relates to the relationship between the measure and the nature and severity of the risk, the likelihood of incidents and their potential social and economic consequences. The size of the entity and any adverse effects of the measure, such as disruption of critical processes, also play a role in this regard.
An important innovation is the power granted to sectoral ministers in the Cbb to prohibit the use of certain suppliers or technologies. If this power is indeed retained in the adopted legislation, organizations must be prepared for this. This can be done, among other things, by including substitution and exit clauses in contracts, so that in the event of such a ban, the switch can be made in a timely and controlled manner.
Finally, cybersecurity explicitly becomes a board-level responsibility: the management body must approve the risk management measures, oversee their implementation, and have sufficient knowledge and expertise, demonstrated through education and training.
Whereas the duty of care focuses on preventing and mitigating risks, NIS2 also requires organizations to report any significant incidents that do occur. This must be done in a timely manner, both to the Computer Security Incident Response Team (CSIRT) and to the competent supervisory authority for the sector concerned.
For the Netherlands, the National Cyber Security Center (NCSC) is, in principle, the CSIRT. However, depending on the sector, a different CSIRT may be designated. For example, there are specialized teams such as Z-CERT for the healthcare sector, the IBD for municipalities, and CERT-Watermanagement for water boards.
NIS2 only describes in general terms when an incident is considered significant. According to this definition, this is the case when an incident could lead to (i) a serious disruption of services, (ii) significant financial losses for the entity concerned, or (iii) harm to other persons (natural or legal persons) by causing substantial material or immaterial damage. This also includes incidents whose consequences are not yet visible but may occur and must therefore still be reported.
The criteria for a significant incident can be further specified per sector. In the Implementing Regulation, for example, an incident is considered significant if trade secrets are leaked or there is a risk of this happening, or if there is successful, suspectedly malicious, and unauthorized access to network and information systems that could lead to serious operational disruptions. The sector-specific criteria must be evaluated at least every four years. The reporting deadline is also shorter than many organizations are used to: an early warning must be submitted within 24 hours of becoming aware of the significant incident. This is followed by a strict process with fixed deadlines and information requirements, including an incident notification within 72 hours and a final report within one month. In some cases, the Netherlands goes even further than NIS2 prescribes. Organizations with entities in multiple countries should therefore be aware that reporting requirements may differ from jurisdiction to jurisdiction.
For corporate lawyers, this means that incident playbooks, decision-making procedures, and communication guidelines may need to be adapted to the new Dutch requirements and, where applicable, to the requirements of other jurisdictions. Good preparation is essential: given the short reporting deadline, you do not want to be working out the requirements for each jurisdiction while the incident is unfolding.
In addition to reporting to the CSIRT and the supervisory authority, entities are also required to inform service customers about significant incidents that could have an adverse impact on service provision.
NIS2 requires corporate lawyers to take a proactive approach: by identifying risks now, tightening contracts, and optimizing internal decision-making processes, they increase their organization's digital resilience and minimize the impact of incidents. Only by linking legislation, policy, and practice can a future-proof cybersecurity approach be created, in which corporate lawyers play an indispensable role in protecting critical processes and complying with stricter reporting and notification requirements. Don't wait, take the initiative and prepare your organization for the new challenges that cyber legislation brings.
