Compliance guide

NIS2: everything you need to know about the cybersecurity law and software procurement

NIS2 is the biggest European cybersecurity law in years. For organisations in critical sectors, many changes are coming, including in the area of software procurement and supplier management. This is everything you need to know.

  • 15 January 2025
  • 5 min
  • NIS2 – Cyber Security Directive

The NIS2 Directive is the biggest European cybersecurity law in years. It has a broad scope, strict enforcement, and is directly relevant for everyone responsible for software procurement within an organisation. Here’s what you need to know.

What is NIS2?

NIS2 stands for Network and Information Security Directive 2, the successor to the original NIS Directive from 2016. The directive requires organisations in critical sectors to structurally strengthen their digital resilience. NIS2 comes into effect across Europe as of 17 October 2024. The Dutch implementation via the Cybersecurity Act is expected in Q2 2026.

Who does NIS2 apply to?

NIS2 applies to organisations in 18 critical sectors, divided into essential and important entities. Think energy, transport, healthcare, water, digital infrastructure, financial services, government, and more. Suppliers to organisations in these sectors may also be indirectly covered by the law through the supply chain due diligence obligation.

What changes compared to NIS1?

The key changes are:

  • Broader scope: Many more sectors and organisations now fall under the directive

  • Personal liability: Directors are responsible for compliance and can be held personally liable

  • Higher fines: Up to €10 million or 2% of global annual turnover for essential entities

  • Supply chain due diligence obligation: Organisations must also monitor the security of their suppliers

  • Reporting obligation: Incidents must be reported to the CSIRT within 24 hours

What does NIS2 mean for software procurement?

The supply chain due diligence obligation is the most direct impact on software procurement. Organisations are required to:

  • Keep an up-to-date overview of all ICT suppliers and software

  • Establish contractual security agreements with all relevant suppliers

  • Periodically assess the security of suppliers

  • Agree incident escalation procedures with critical software suppliers

Without a structured software overview, NIS2 compliance is not achievable. SoftVaro helps organisations create this overview as a starting point for compliance.

Frequently Asked Questions

The most commonly asked questions on this topic.

What does NIS2 have to do with software procurement?

NIS2 requires organisations to keep an up-to-date overview of all software and ICT suppliers, including contractual security agreements. Without this overview, you are not compliant.

When does NIS2 come into effect in the Netherlands?

The Cybersecurity Act (Dutch implementation of NIS2) is expected in Q2 2026. Organisations must be compliant immediately once the law enters into force.

What are the fines for non-compliance with NIS2?

Essential entities risk fines of up to €10 million or 2% of global annual turnover. Important entities risk fines of up to €7 million or 1.4% of annual turnover. Directors can be held personally liable.
