The NIS2 directive (Network and Information Security 2) is the EU framework that obliges Member States to impose cybersecurity requirements on essential and important entities across sectors such as energy, transport, banking, healthcare, drinking water, digital infrastructure, public administration and space. The directive entered into force on 17 January 2023, with a transposition deadline of 18 October 2024. Each Member State has implemented NIS2 through its own national law, with its own competent authority, thresholds and enforcement style. This article gives a European overview and points to the national articles for each country.
Why NIS2 was introduced at EU level
NIS1, adopted in 2016, was the first EU-wide cybersecurity directive. It covered only a limited number of "operators of essential services" and "digital service providers" and left wide discretion to Member States, leading to fragmented implementation and uneven supervision. After several years of operation it became clear that the scope was too narrow, sanctions too weak, and management accountability largely absent.
NIS2 addresses these gaps in three main ways. First, it expands scope geographically and sectorally, covering tens of thousands of organisations across the EU rather than a few thousand. Second, it harmonises minimum requirements for risk management, incident reporting and supervision. Third, it introduces direct accountability of management bodies, who must approve risk management measures, oversee their implementation and undergo cybersecurity training themselves.
NIS2 is a directive, not a regulation, which means it sets a minimum baseline and Member States transpose it into national law. National laws may go further than the directive in specific areas, for example by adding sectors, lowering thresholds or strengthening supervisory powers.
How transposition works across Member States
Each Member State has adopted its own national NIS2 law, with its own naming, scope details and competent authorities. The European Union Agency for Cybersecurity (ENISA) acts as the EU-level coordinator: it supports Member States, publishes guidance, maintains the EU CSIRTs network and contributes to harmonised interpretation, but it is not the enforcer in any individual country.
Because NIS2 is a minimum-harmonisation directive, organisations active in multiple Member States must comply with each national law that applies to them. The main-establishment rule of Article 26 designates the national law of the Member State where the organisation has its main establishment as the primary regime for most digital infrastructure and digital service providers, while sectoral activities in other Member States may trigger additional obligations there.
In practice this means a multinational organisation typically has a "lead" national law (where its EU headquarters or main establishment is) and one or more "secondary" national laws covering its operations in other Member States. Mapping these dependencies early is essential for compliance planning.
National transposition examples (selected EU countries)
The following overview lists the national NIS2 transposition for several EU countries. Each national law is the binding text for organisations established in that country; the EU directive serves only as an interpretation aid.
- Netherlands: the Cyberbeveiligingswet (Cbw), supervised through sector-specific regulators (IGJ for healthcare, DNB for finance, RDI for digital infrastructure).
- Belgium: the NIS2 Act of 26 April 2024, supervised centrally by the Centre for Cybersecurity Belgium (CCB) with sectoral authorities in support.
- Germany: the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), amending the BSI Act (BSIG), with the Federal Office for Information Security (BSI) as central authority.
- Austria: the Netz- und Informationssystemsicherheitsgesetz 2024 (NISG 2024), coordinated by the Federal Ministry of the Interior (BMI) together with sectoral regulators.
- France: a transposition law adopted in 2024-2025, adapting the existing cybersecurity framework, with ANSSI as the central authority and sectoral regulators (ACPR, ARCEP, ASN) in their respective domains.
- Spain: a Real Decreto-ley finalised in 2024-2025, together with the updated National Security Framework (ENS, Royal Decree 311/2022), with CCN-CERT and INCIBE-CERT as primary CSIRTs.
Common obligations across all transpositions
Although the national laws differ in detail, the core obligations are common across all NIS2 transpositions:
- Risk management. Proportionate technical and organisational measures: risk analysis, incident handling, business continuity, supply chain security, vulnerability management, cryptography, access control, multi-factor authentication and staff training.
- Incident reporting. Significant incidents must be reported in three phases: early warning within 24 hours, intermediate report within 72 hours, final report within one month. Each Member State designates one or more CSIRTs as the reporting channel.
- Board accountability. Management bodies must approve risk management measures, oversee implementation and complete cybersecurity training themselves. They may be held personally liable for serious breaches.
- Supervision and sanctions. Competent authorities have powers of inspection, binding instructions, audit orders and, in serious cases, temporary suspension of management functions.
Sanctions framework
The EU-wide maximum sanctions are €10 million or 2% of global annual turnover for essential entities (whichever is higher) and €7 million or 1.4% for important entities. National laws apply these ceilings but may add specific aggravating factors, supplementary measures or procedural rules.
In the first 12 to 18 months after entry into force, most competent authorities are expected to apply a graduated approach, focusing on demonstrable progress rather than maximum fines. The board training obligation, however, is enforceable from day one because it is easy to verify.
Be aware of national variations: some Member States impose stricter rules in specific sectors, additional certification requirements, or stronger personal liability regimes for board members. Always check the national transposition law and the guidance of the competent authority in each country where you operate.
FAQ
When does NIS2 apply?
The NIS2 directive entered into force on 17 January 2023, with a transposition deadline of 18 October 2024. National transposition laws have been adopted in stages during 2024-2025, with most obligations fully applicable from 2025. Some Member States are still finalising sectoral implementing rules.
How do I know which national law applies to me?
In general, the national law of the Member State where you have your main establishment applies. For digital infrastructure and digital service providers, Article 26 of NIS2 sets a specific main-establishment rule. For sectoral activities (energy, healthcare, transport) you may also be subject to national obligations in each Member State where you operate.
What if I operate cross-border in the EU?
You typically have a primary national regime (where your main establishment sits) and one or more secondary regimes covering your activities in other Member States. Sectoral regulators in each country retain their own powers. We recommend mapping these dependencies and clarifying competent authorities early in your compliance programme.
How does NIS2 relate to GDPR?
GDPR and NIS2 overlap but protect different interests. GDPR covers personal data; NIS2 covers the security of network and information systems generally. A single cyber incident can trigger both notification obligations, to the data protection authority and to the NIS2 CSIRT. An integrated compliance programme handles both regimes in a coordinated way.
Where do I start?
Three steps: (1) determine which national NIS2 law(s) apply and your classification (essential or important entity), and assign an accountable board member; (2) run a gap analysis against the risk management, incident reporting and governance obligations; (3) build an implementation plan, prioritising board training (enforced immediately) and the technical and organisational measures.
Which authority enforces NIS2?
There is no single EU enforcer. Each Member State designates one or more competent authorities, typically a national CSIRT together with sector-specific regulators. ENISA coordinates at EU level but does not directly enforce against organisations. Always identify the competent national authorities for each country and sector where you operate.
External source: European Commission - NIS2 Directive