NIS2: everything you need to know about the cybersecurity law and software procurement
NIS2 is the largest European cybersecurity law in years. For organisations in critical sectors, many changes are coming, including in software procurement and supplier management. Here’s everything you need to know.
- 15 January 2025
- 5 min
- NIS2 – Cybersecurity Directive
The NIS2 Directive is the largest European cybersecurity law in years. It has a broad scope, strict enforcement, and is directly relevant to anyone responsible for software procurement within an organisation. Here’s what you need to know.
What is NIS2?
NIS2 stands for Network and Information Security Directive 2, the successor to the original NIS Directive from 2016. The directive requires organisations in critical sectors to structurally strengthen their digital resilience. NIS2 took effect across Europe on 17 October 2024. The Dutch implementation through the Cybersecurity Act is expected in Q2 2026.
Who does NIS2 apply to?
NIS2 applies to organisations across 18 critical sectors, divided into essential and important entities. Examples include energy, transport, healthcare, water, digital infrastructure, financial services, government and more. Suppliers to organisations in these sectors may also fall under the law indirectly, because of the supply chain duty of care.
What changes compared to NIS1?
The key changes:
- Broader scope: Many more sectors and organisations are now covered by the directive
- Personal liability: Directors are responsible for compliance and can be held personally accountable
- Higher fines: Up to €10 million or 2% of global annual turnover for essential entities
- Supply chain duty of care: Organisations must also check the security of their suppliers
- Incident reporting obligation: Incidents must be reported to the CSIRT within 24 hours
What does NIS2 mean for software procurement?
The supply chain duty of care has the most direct impact on software procurement. Organisations are required to:
- Maintain an up-to-date overview of all ICT suppliers and software
- Make contractual security agreements with all relevant suppliers
- Regularly assess the security of suppliers
- Agree on incident escalation procedures with critical software suppliers
Without a structured software overview, NIS2 compliance is unachievable. SoftVaro helps organisations create this overview as a starting point for compliance.
Frequently Asked Questions
The most commonly asked questions on this topic.
What does NIS2 have to do with software procurement?
NIS2 requires organisations to maintain an up-to-date overview of all software and ICT suppliers, including contractual security agreements. Without this overview, you are not compliant.
When does NIS2 come into force in the Netherlands?
The Cybersecurity Act (Dutch implementation of NIS2) is expected in Q2 2026. Organisations must be compliant as soon as the law takes effect.
What are the fines for non-compliance with NIS2?
Essential entities risk fines of up to €10 million or 2% of global annual turnover. Important entities risk fines of up to €7 million or 1.4% of turnover. Directors can be held personally liable.
Ready to save on software?
SoftVaro negotiates the best deal on your behalf with over 4,000 suppliers. Independent, transparent, within 24 hours.