NIS2 for the public sector: what to do right now

NIS2 for government is no longer a distant concern: the Dutch Cybersecurity Act is on its way and directly affects municipalities, provinces, water authorities and public agencies. With NIS2 for municipalities and other public bodies, the question is not whether you must act, but what you can start on now without waiting for the final legal text. In this article we translate NIS2 implementation for the public sector into concrete steps.

What is NIS2 and why does it affect government?

NIS2 is the European directive on network and information security that replaces the original NIS directive. In the Netherlands it is being transposed into the Cybersecurity Act (Cyberbeveiligingswet, Cbw). The directive widens the scope considerably: where the rules previously applied mainly to critical providers, far more organisations now fall under the regime — including a large part of the public sector.

For the public sector this means central government, provinces and — depending on the final designation — municipalities and water authorities may be classed as in-scope entities. The essence: you must demonstrably take appropriate technical and organisational measures, report incidents on time and, as a crucial new element, the executive level is responsible for overseeing this and can be held to account.

Duty of care, reporting duty and executive responsibility

NIS2 rests on three pillars. The duty of care requires a risk-based approach with measures across ten areas, including risk analysis, incident handling, business continuity and back-ups, supply-chain security, access management and security training.

The reporting duty is strict: a significant incident must be reported within 24 hours as an early warning, followed by a fuller notification within 72 hours and a final report within a month. Finally, active supervision arrives with the option of substantial fines. For executives this means cybersecurity becomes a standing item at board and executive level, not something you delegate entirely to the IT department.

BIO, ENSIA and NIS2: build on what you already have

The good news for government: you are not starting from scratch. Many NIS2 measures overlap with the Dutch Baseline Information Security Government (BIO) and the ENSIA accountability process municipalities already run annually. If you have implemented the BIO seriously, much of the foundation is already in place.

The new BIO2 aligns even more closely with the NIS2 requirements. Our practical tip: map the ten NIS2 duty-of-care themes against your existing BIO measures and ENSIA accountability. That shows at a glance where you already comply and where the real gaps are — typically around supply-chain security, incident detection and executive involvement.

Five steps you can take right now

Waiting for the final legal text is not a strategy. These five steps deliver value immediately and are not wasted effort, whatever the precise shape of the Cbw.

Step 1: determine whether and how your organisation falls under NIS2 (essential or important entity) and document it.

Step 2: run a gap analysis against the ten duty-of-care themes, using the BIO as your starting point.

Step 3: set up your incident-reporting process so you can actually meet the 24-hour deadline — including who is authorised to report in evenings and at weekends.

Step 4: map your suppliers and chain partners and embed security agreements in contracts and tenders.

Step 5: put NIS2 on the agenda of the executive board and assign responsibility explicitly, because the leadership itself bears that responsibility.

Mind your chain: suppliers and procurement

One of the most underestimated parts of NIS2 is supply-chain security. Many public-sector incidents originate not within the organisation itself, but at a software supplier or chain partner. NIS2 expects you to actively manage risks across your chain.

In practice this means anchoring security requirements in your procurement and tendering process. Organisations that tender using Best Value or a comparable method can include information security as an award criterion and a performance commitment, rather than as a tick-box exercise after the fact. That makes the supplier a co-owner of your cyber resilience.

Keep it manageable: start with a baseline measurement

The biggest pitfall is paralysis caused by the sheer scope of NIS2. The advice we give public bodies: break it down and start with a sober baseline measurement. Not to produce a thick report, but to know within a few weeks where you stand and which three to five actions remove the most risk.

A maturity scan across dimensions such as governance, risk management, incident response, supply-chain security and — indispensable in 2026 — AI governance gives the board and CISO a shared starting point. From that picture you build a realistic roadmap towards the Cbw, without panic and without duplicated work.

Ready to tackle NIS2? We will help you get started

NIS2 for the public sector is entirely manageable if you take it step by step and build on BIO and ENSIA. The gain lies in starting early: a baseline measurement and a clear roadmap prevent you from having to scramble later under time pressure and at higher cost.

We combine information security (BIO, ENSIA, NIS2), Best Value procurement and AI governance with hands-on public-sector experience. Want to know where your organisation stands? Take our free maturity scan or request a no-obligation second opinion. Our fixed-price starter vouchers let you take the first step quickly and without surprises. Feel free to get in touch for an introductory conversation.