NIS2: everything you need to know about the cybersecurity law and software procurement
NIS2 is the biggest European cybersecurity law in years. For organisations in critical sectors, a lot is changing, including in software procurement and supplier management. Here’s everything you need to know.
- January 15, 2025
- 5 min
- NIS2 – Cybersecurity Directive
The NIS2 Directive is the largest European cybersecurity law in years. It has a broad scope, strict enforcement, and is directly relevant to everyone responsible for software procurement within an organisation. Here’s what you need to know.
What is NIS2?
NIS2 stands for Network and Information Security Directive 2, the successor to the original NIS Directive from 2016. The directive requires organisations in critical sectors to structurally strengthen their digital resilience. NIS2 comes into effect across Europe on 17 October 2024. The Dutch implementation via the Cybersecurity Act is expected in Q2 2026.
Who does NIS2 apply to?
NIS2 applies to organisations in 18 critical sectors, divided into essential and important entities. Think of: energy, transport, healthcare, water, digital infrastructure, financial services, government, and more. Suppliers to organisations in these sectors can also fall indirectly under the law through the chain due diligence obligation.
What changes compared to NIS1?
The main changes:
- Broader scope: Many more sectors and organisations now fall under the directive
- Personal liability: Directors are responsible for compliance and can be held personally liable
- Higher fines: Up to €10 million or 2% of global annual turnover for essential entities
- Chain due diligence obligation: Organisations must also monitor the security of their suppliers
- Incident notification obligation: Incidents must be reported to the CSIRT within 24 hours
What does NIS2 mean for software procurement?
The chain due diligence obligation is the most direct impact on software procurement. Organisations are required to:
- Maintain an up-to-date overview of all ICT suppliers and software
- Establish contractual security agreements with all relevant suppliers
- Periodically assess the security of suppliers
- Agree on incident escalation procedures with critical software suppliers
Without a structured software overview, NIS2 compliance is unfeasible. SoftVaro helps organisations create this overview as a starting point for compliance.
Frequently Asked Questions
The most frequently asked questions about this topic.
What does NIS2 have to do with software procurement?
NIS2 requires organisations to maintain an up-to-date overview of all software and ICT suppliers, including contractual security agreements. Without this overview, you are not compliant.
When does NIS2 take effect in the Netherlands?
The Cybersecurity Act (Dutch implementation of NIS2) is expected in Q2 2026. Organisations must be immediately compliant once the law comes into effect.
What are the fines for non-compliance with NIS2?
Essential entities risk fines of up to €10 million or 2% of global annual turnover. Important entities risk fines of up to €7 million or 1.4% of annual turnover. Directors can be held personally liable.
Ready to save on software?
SoftVaro negotiates the best deal on your behalf with over 4,000 suppliers. Independent, transparent, within 24 hours.