What Is NIS2 and How Is It Different from the GDPR?
The NIS2 Directive (Network and Information Security) is the successor to the original NIS1 Directive. While the GDPR focuses on protecting personal data, NIS2 is broader: it aims to improve cybersecurity across networks and IT systems, regardless of whether personal data is involved.
Both regulations require appropriate technical and organizational security measures but with different objectives:
- GDPR: protects personal data
- NIS2: protects networks, IT infrastructure, and business continuity
Why Combine GDPR and NIS2 Efforts?
Because there’s significant overlap in the required safeguards (think backups, access control, risk management, incident handling), it makes sense to combine GDPR and NIS2 compliance into one strategy. This saves time, avoids duplication, and gives you one clear overview of your organization’s security posture.
Does NIS2 Apply to My SME?
That depends on your size and the sector you operate in.
You automatically fall under NIS2 if you:
- are a medium or large enterprise (≥ 50 employees or ≥ €10 million annual turnover or balance sheet total),
- and operate in a critical sector listed in Annex I or II of the NIS2 Directive, such as:
  - Healthcare
  - Finance
  - Transport
  - Energy
  - Digital services (e.g., hosting, cloud, email providers)
You may also fall under NIS2 if you:
- are a small company (< 50 employees and < €10 million turnover), but:
  - provide essential services such as trust services, telecommunications, or domain name registration,
  - or are nationally designated as critical to public infrastructure.
NIS2 Will Affect You Through the Supply Chain
Even if your company does not fall under NIS2 directly, you’re still likely to feel its impact indirectly.
Why? Because organizations that do fall under NIS2 are required to assess and manage supply chain risks. That means they will start demanding higher security standards from their vendors and partners, including SMEs.
In practice, this could mean:
- stricter cybersecurity clauses in contracts,
- mandatory security assessments,
- or the need to prove your organization meets baseline security expectations.
Failing to meet these requirements could result in losing clients or contract opportunities.
Prepare for the New Dutch Cybersecurity Act
The NIS2 Directive must be transposed into national law. In the Netherlands, this will take the form of a new Cybersecurity Act, expected to come into effect in Q3 2025. Until then, the current Wbni law (Dutch NIS1) remains in force.
That means now is the time to act. Preparing in advance will help you avoid disruptions and stay ahead of legal obligations.
Conclusion: NIS2 Is Relevant for SMEs Too
Even if you are not directly regulated under NIS2, its impact will reach you through clients, partners, and industry-specific requirements. By investing now in a combined GDPR and NIS2 compliance strategy, you not only avoid risk but also position yourself as a trusted, secure partner in your supply chain.
📍 RealCob helps you manage both GDPR and NIS2 obligations in one easy-to-use platform, with no legal expertise required.