EU Regulatory Intelligence — by YRproject

factual analysis · traceable to primary sources

Explainer

NIS2 duty of care: the security measures

Adopted 2026-06-29 · ≈ 2 min read · Dirk Baaijen

Article 21 of the NIS2 Directive requires essential and important entities to implement risk-based security measures in ten mandatory categories, for which the management body bears ultimate responsibility.

Short answer: Article 21 of Directive (EU) 2022/2555 (NIS2) requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage risks to their network and information systems. The measures are risk-based and grouped into ten concrete categories. The management body of the organisation bears ultimate responsibility and can be held liable for non-compliance.

Article 21(1) of the NIS2 Directive obliges Member States to ensure that essential and important entities take measures appropriate to the risks posed, taking into account the state of the art, relevant European and international standards where applicable, and the cost of implementation. The standard is not a uniform checklist but a risk analysis that each organisation carries out itself. Article 20 further provides that the management body of an entity must approve the cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements of Article 21. Members of the management body are therefore required to follow training, and entities are encouraged to offer similar training to their employees, so that they can identify risks and assess cybersecurity risk-management practices and their impact on the services the entity provides.

The ten measures under Article 21(2)

The Directive specifies the following ten mandatory categories (Article 21(2)(a) to (j)), which the NCSC has elaborated for Dutch implementation practice:

  1. Risk analysis and information system security policy — documented policies on risk analysis and on the security of network and information systems.
  2. Incident handling — procedures to prevent, detect, analyse, contain, respond to and recover from cybersecurity incidents.
  3. Business continuity — backup management, disaster recovery plans and crisis management.
  4. Supply chain security — security aspects of the relationships between the entity and its direct suppliers or service providers.
  5. Security in acquisition, development and maintenance — secure acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure and, in practice, patch management.
  6. Effectiveness assessment — policies and procedures to assess the effectiveness of the cybersecurity risk-management measures, such as periodic testing of security controls.
  7. Cyber hygiene and training — basic cyber hygiene practices and cybersecurity awareness training for staff.
  8. Cryptography and encryption — policies and procedures on the use of cryptography and, where appropriate, encryption, including the cryptographic standards applied and key management.
  9. Human resources, access and asset management — human resources security (such as employee screening), access control policies and asset management.
  10. Multi-factor authentication and secure communications — use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

Proportionality and Dutch implementation

The measures are not one-size-fits-all: each organisation weighs its size, risk exposure, the likelihood and potential impact of incidents, and sector-specific factors. The Netherlands did not meet the EU transposition deadline of 17 October 2024. The Cyberbeveiligingswet bill was submitted to the Dutch House of Representatives in 2025 and is expected to enter into force during 2026. Organisations that already fall within the Directive's scope are expected to comply voluntarily with its obligations pending formal enactment.

Sources

  1. https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng
    Directive (EU) 2022/2555 (NIS2), Articles 20 and 21 — security obligations and management accountability
  2. https://www.ncsc.nl/cyberbeveiligingswet-nis2/bereid-je-vor/zorgplicht
    NCSC Netherlands — explanation of the ten duty-of-care measures per article subparagraph
  3. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
    European Commission — NIS2 policy page, transposition deadline and scope
  4. https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/cyberbeveiligingswet/verplichtingen-cyberbeveiligingswet/
    Digitale Overheid — obligations under the Dutch Cyberbeveiligingswet, proportionality and management responsibility

