Comply with law and legislation
Cybersecurity Act (NIS2)
NIS2 (Network and Information Security 2) is the updated EU directive on cybersecurity, replacing the original NIS directive from 2016. The NIS2 directive has been established to raise the level of cybersecurity among providers of essential and important services, mitigate risks to network and information systems, and ensure the continuity of these services as effectively as possible.
“With the introduction of NIS2, cybersecurity is no longer a choice but a legal obligation. It is essential for organizations to strengthen their digital resilience now in order to avoid fines and reputational damage.”

Why NIS2?
The NIS2 directive applies to organizations in sectors that meet the requirements regarding the number of employees or turnover/balance sheet total. A distinction is made between “essential entities” and “important entities.” The NIS2 directive applies to sectors that were already covered by the original NIS directive, as well as several new sectors. Additionally, NIS2 places a strong focus on the supply chain partners of these sectors with whom they exchange information.
Providers of essential and important services, as well as digital service providers, are required to take measures to secure their supply chains. This includes assessing the security measures of their suppliers and taking appropriate actions to ensure that the products and services provided meet security requirements.
The NIS2 directive obliges essential and important entities to ensure the security of their supply chains, which means that suppliers must demonstrate that their digital security is in order.

Supply Chain Responsibility
Essential and important entities falling under the NIS2 directive are held responsible for the security of their supply chain. This means they must assess the risks posed by their suppliers and service providers and take appropriate measures to ensure the security of the entire chain. Naturally, this only applies to parties in the supply chain that deliver digital services or products and/or have access to the entity's network or information systems. ENISA (the European Union Agency for Cybersecurity) has defined the following types of ICT suppliers:
• Manufacturers (hardware suppliers)
• System integrators
• ICT service management providers (MS(S)Ps)
• Digital service providers (SaaS, PaaS, IaaS)
• Third parties with access to networks or systems (including contractors)
The NIS2 directive (transposed in national law as the WBNI) is therefore not directly applicable to supply chain partners, unless they themselves are classified as essential or important entities. However, they can expect to receive questions regarding the information security measures they have in place.
Even though supply chain partners are not directly subject to NIS2, it is wise to proactively improve their information security, such as by implementing an ISO 27001-certified ISMS (Information Security Management System).
This not only supports compliance with customer requirements but also increases resilience against cyber threats.
Using ISO 27001 to comply with NIS2
For both entities directly subject to NIS2 and their supply chain partners, implementing a certified Information Security Management System (ISMS) is a crucial step. ISO 27001 certification helps organizations demonstrate that their information security is systematically structured and that risks are effectively managed. With the introduction of NIS2, this has become even more important, as essential and important entities are required to implement security measures and manage risks within their supply chains.
For supply chain partners as well, setting up a certified ISMS is a highly recommended measure. The certification provides a clear way to show that information security is properly managed and that risks are mitigated, something that is increasingly important to critical and important entities under NIS2. Presenting an ISO 27001 certificate can significantly reduce the number of specific security questionnaires and supplier audits.
However, the ISO 27001 controls you have implemented may not be sufficient by themselves to fully meet the NIS2 requirements. Therefore, it is crucial to consider all relevant regulations during ISMS implementation and explicitly include them in the scope. Additionally, any products or services you provide (and the necessary processes behind them) must also be part of the ISMS scope.
By starting now with the development, implementation, and continuous improvement of an ISO 27001-certified ISMS, you ensure that your organization is prepared for NIS2 and more resilient against cyber threats.
Is your organisation not yet compliant with the Cybersecurity Act?
Why organisations choose Protify
With years of experience in the information security sector, we understand exactly what's involved in certification and the implementation of sector-specific standards. We have supported various organisations and know the practicalities like no other. Our expertise not only helps you achieve certification but also supports structural improvement of business processes.
At Protify, we believe in a personal approach. Our consultants take the time to understand your organisation, recognise your challenges, and work closely with you to deliver the best solutions. No generic advice, but genuine involvement and tailored guidance, ensuring you always have expert support at your side.
Standards and sector-specific assessment guidelines don't have to be complicated. We translate complex requirements into clear, actionable steps that align with expectations. That way, you know exactly what is needed and benefit from a practical, effective management system that not only complies with standards but also adds real value to your organisation.
No two organisations are the same, and we fully understand that. That's why we don't offer one-size-fits-all solutions. We focus on what your organisation truly needs. Whether it's business goals, processes, risks, or the implementation of controls, we provide an approach that fits your way of working and ambitions.
Ready to get started?
Well-structured compliance builds trust with clients and partners. Want to get started with compliance? Get in touch with us for a no-obligation introductory meeting.
Start now