NIS2: everything you need to know about the cybersecurity law and software procurement
NIS2 is the biggest European cybersecurity law in years. For organisations in critical sectors, a lot is changing, including in the area of software procurement and supplier management. This is everything you need to know.
- January 15, 2025
- 5 min
- NIS2 – Cybersecurity Directive
The NIS2 Directive is the biggest European cybersecurity law in years. It has a broad scope, strict enforcement, and is directly relevant for anyone responsible for software procurement in an organisation. Here’s what you need to know.
What is NIS2?
NIS2 stands for Network and Information Security Directive 2, the successor to the original NIS Directive from 2016. The directive requires organisations in critical sectors to strengthen their digital resilience in a structured, lasting way rather than through one-off measures. NIS2 comes into effect across Europe on 17 October 2024. The Dutch implementation via the Cybersecurity Act is expected in Q2 2026.
Who does NIS2 apply to?
NIS2 applies to organisations in 18 critical sectors, divided into essential and important entities. Examples include energy, transport, healthcare, water, digital infrastructure, financial services, government, and more. Suppliers to organisations in these sectors can also be affected indirectly, because the supply chain due diligence obligation requires covered organisations to pass security requirements down to their suppliers.
What changes compared to NIS1?
The main changes are:
- Broader scope: many more sectors and organisations are now covered by the directive
- Personal liability: directors are responsible for compliance and can be held personally liable
- Higher fines: up to €10 million or 2% of global annual turnover for essential entities
- Supply chain due diligence obligation: organisations must also monitor the security of their suppliers
- Notification obligation: incidents must be reported to the CSIRT within 24 hours
What does NIS2 mean for software procurement?
The supply chain due diligence obligation has the most direct impact on software procurement. Organisations are required to:
- Keep an up-to-date overview of all ICT suppliers and software
- Establish contractual security agreements with all relevant suppliers
- Periodically assess the security of suppliers
- Agree on incident escalation procedures with critical software suppliers
Without a structured software overview, NIS2 compliance is unattainable. SoftVaro helps organisations create this overview as a starting point for compliance.
Frequently Asked Questions
The most common questions about this topic.
What does NIS2 have to do with software procurement?
NIS2 requires organisations to keep an up-to-date overview of all software and ICT suppliers, including contractual security agreements. Without this overview, you are not compliant.
When will NIS2 come into effect in the Netherlands?
The Cybersecurity Act (Dutch implementation of NIS2) is expected in Q2 2026. Organisations must be immediately compliant once the law takes effect.
What are the fines for non-compliance with NIS2?
Essential entities risk fines of up to €10 million or 2% of global annual turnover. Important entities risk fines of up to €7 million or 1.4% of turnover. Directors can be held personally liable.