Your company experiences a ransomware incident. Within 24 hours of becoming aware of it, you’re legally required to send an early warning to the national authority. Within 72 hours, you need a notification with an initial assessment of severity and impact, and a final report within a month. Your board can be held personally liable if the security measures weren’t adequate. And “we had a firewall and VPN” isn’t going to satisfy the auditors.
This isn’t hypothetical. It’s the reality organisations across Europe face right now.
For years, European cybersecurity regulation was seen as a paper tiger. Requirements on paper, little enforcement in practice. The original NIS Directive of 2016 proved this. Implementation varied wildly across member states, scope was narrow, and real consequences were rare. Many mid-market companies operated comfortably beneath the radar.
That era is over. NIS2 has been actively enforced in Belgium since late 2024, with registration deadlines passed and audits well underway. The Netherlands activated its Cyberbeveiligingswet in early 2026. The European Union learned from NIS1’s failures and built this directive with actual teeth: personal liability for executives, significant financial penalties, and active supervision. For mid-market organisations that historically treated cybersecurity as an IT problem rather than a business risk, the grace period has ended.
Why mid-market companies can no longer hide
Under NIS1, many medium-sized businesses stayed below the threshold. NIS2 eliminates that safe zone with a simple “size-cap rule”: any organisation in a covered sector that qualifies as medium-sized or large (at least 50 employees, or an annual turnover and balance sheet total above €10 million) falls within scope, regardless of how critical it considers itself.
The covered sectors expanded from 7 to 18. Beyond energy and banking, NIS2 now includes waste management, food production, chemical manufacturing, postal services, and digital providers. A logistics company in Rotterdam. A food processor in West Flanders. All face the same regulatory scrutiny as critical infrastructure operators.
Even organisations outside these thresholds aren’t immune. NIS2 places heavy emphasis on supply chain security. If you provide services to an essential entity (a hospital, a utility, a manufacturer), you’ll face contractual requirements to demonstrate compliance. Your customers can’t risk their regulatory standing by working with weak links.
The enforcement reality: fines and personal consequences
The penalties are designed to hurt. Essential entities face fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face up to €7 million or 1.4% of turnover, again whichever is higher. For mid-market companies, these are serious threats to business continuity.
But financial penalties aren’t the sharpest edge. Article 20 (governance) makes management bodies responsible for approving and overseeing the cybersecurity risk-management measures, and allows them to be held liable for infringements. For essential entities, Article 32 goes further: if ordered remediation is not carried out in time, supervisory authorities can temporarily prohibit the CEO or legal representative from exercising managerial functions.
Article 20 also requires members of the management body to follow cybersecurity training so they understand the risks they’re approving. Ignorance is not a defence.
Where Belgium and the Netherlands stand today
Belgium moved decisively into enforcement starting late 2024. The NIS2 law came into force on 18 October 2024. The registration deadline with the CCB passed on 18 March 2025. By April 2025, registered entities were required to demonstrate compliance. The CCB has been conducting conformity assessments since Q3 2025, with essential entities facing certification by April 2027.
If your Belgian organisation hasn’t registered, you’re already in violation. The CCB can issue binding instructions, order publication of breaches, and impose fines up to €10 million.
The Netherlands activated its Cyberbeveiligingswet in Q1 2026. Dutch organisations are now fully subject to NIS2 requirements. Cross-border supply chain pressure has been building for over a year, as Belgian and German partners already required Dutch suppliers to meet NIS2 standards before the law even took effect.
For Benelux organisations, the time for preparation has passed. ENISA’s technical guidance provides clear direction on what “appropriate measures” means in practice.
Why traditional security architecture fails NIS2
Article 21(2) lists ten categories of cybersecurity risk-management measures that every entity in scope must implement. Traditional perimeter security falls short on several of them:
Access control based on least privilege (Article 21(2)(i), access control policies and asset management). VPNs grant “all-or-nothing” access: once authenticated, users have network-wide reachability far beyond what they need. That is the opposite of the granular, need-based access the directive expects.
Incident reporting on a 24/72-hour clock. Article 23 requires an early warning within 24 hours of becoming aware of a significant incident and a notification with an initial severity and impact assessment within 72 hours. With separate firewalls, endpoint tools, and web filters (each with its own console), how quickly can you determine whether an incident is significant and what it touched? Most mid-market teams measure that in days, not hours.
Supply chain security. Traditional network access gives suppliers the same broad connectivity as internal users. One compromised vendor account can reach your entire environment.
Unmanaged device security. Printers, IoT sensors, and industrial equipment usually can’t run agents. Traditional networks treat them as trusted because they’re “inside the perimeter”. These are exactly the blind spots attackers exploit.
The fundamental problem: traditional security was designed for offices with clear boundaries and on-premises applications. In a world of hybrid work and cloud applications, the legacy model breaks down.
Zero Trust: the compliance baseline
Article 21 never uses the words “Zero Trust” (only recital 89 lists zero-trust principles among basic cyber hygiene practices), but its requirements encode those principles throughout: limit impact, prevent lateral movement, enforce strict access controls. This is now the baseline auditors expect to see.
The core shift: traditional security assumes anything inside the network can be trusted. Zero Trust assumes the opposite. Every connection might be compromised, so every access request must be verified. This isn’t just better security practice; it’s the architecture that maps directly to regulatory expectations.
In practice, Zero Trust means:
Identity-based access. Users authenticate to specific applications, not entire networks. A finance team member reaches the invoicing system but has no path to engineering resources. Access is granted based on who you are and what you need, not where you connect from.
Device posture verification. Before any access is granted, the device is checked: Is the OS current? Is disk encryption enabled? Is endpoint protection running? Devices that fail these checks are denied or given limited access until remediated.
Micro-segmentation. Even if an attacker compromises credentials, they can’t move laterally across the environment. Every connection is individually authorised, limiting the blast radius of any breach.
Agentless device isolation. Industrial equipment, printers, and IoT sensors sit behind inline isolation that controls exactly what they can communicate with. These devices become contained rather than potential pivot points.
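To show how those principles combine into a single access decision, here is a small policy evaluator written for this article (example code, not Jimber’s product, policy format or anyone’s production engine). It grants access per application rather than per network, checks the groups the identity carries, gates on device posture, and denies by default. The policy schema, the attribute names, the group names and the allow/limited/deny outcomes are all assumptions made for the example.

```python
"""Toy Zero Trust policy evaluator: per-application, identity-based,
posture-gated, default-deny. Added example; the policy schema, attribute
names and outcomes below are assumptions, not any product's real format."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    os_version: tuple[int, int]   # (major, minor); values are constructed
    disk_encrypted: bool
    edr_running: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset[str]        # identity attributes from the IdP (assumed)
    app: str                      # the one application being requested
    device: Device


# Per-application policy. An application that is not listed is unreachable:
# there is no "inside the network" default, which is what contains lateral
# movement. min_os is the oldest OS version that still gets full access.
APP_POLICY: dict[str, dict] = {
    "invoicing":  {"groups": {"finance"},                         "min_os": (14, 0)},
    "git-server": {"groups": {"engineering"},                     "min_os": (14, 0)},
    "intranet":   {"groups": {"finance", "engineering", "staff"}, "min_os": (13, 0)},
}

# Posture failures that always deny; anything else only degrades to "limited".
HARD_FAIL = {"disk_not_encrypted", "edr_not_running"}


def posture_findings(device: Device, min_os: tuple[int, int]) -> list[str]:
    """Return the posture checks this device fails (empty list = healthy)."""
    findings = []
    if device.os_version < min_os:
        findings.append("os_outdated")
    if not device.disk_encrypted:
        findings.append("disk_not_encrypted")
    if not device.edr_running:
        findings.append("edr_not_running")
    return findings


def evaluate(req: Request) -> tuple[str, list[str]]:
    """Decide one access request: ('allow' | 'limited' | 'deny', reasons).

    Order matters: unknown application and unauthorised identity are rejected
    before posture is even consulted, so a stolen credential on a perfectly
    healthy laptop still cannot reach an application its owner never had.
    """
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny", ["unknown_app"]
    if not (req.groups & policy["groups"]):
        return "deny", ["identity_not_authorised"]
    findings = posture_findings(req.device, policy["min_os"])
    if HARD_FAIL & set(findings):
        return "deny", findings
    if findings:
        return "limited", findings        # e.g. read-only until patched
    return "allow", []


def audit_record(req: Request, decision: tuple[str, list[str]]) -> dict:
    """Structured line for the central log: the evidence an auditor asks for
    when checking that access is decided per identity and per application."""
    outcome, reasons = decision
    return {"user": req.user, "app": req.app, "outcome": outcome,
            "reasons": reasons, "device_encrypted": req.device.disk_encrypted}


if __name__ == "__main__":
    # Constructed sample requests; none of these users or hosts are real.
    healthy = Device((14, 2), True, True)
    stale = Device((13, 5), True, True)
    for r in (
        Request("alice", frozenset({"finance"}), "invoicing", healthy),
        Request("alice", frozenset({"finance"}), "git-server", healthy),
        Request("alice", frozenset({"finance"}), "invoicing", stale),
        Request("bob", frozenset({"engineering"}), "git-server", Device((14, 2), False, True)),
        Request("vendor-svc", frozenset(), "intranet", healthy),
    ):
        print(audit_record(r, evaluate(r)))
```

Two design points carry over to real deployments. Every decision returns its reasons, so the same record that denies a request is also the audit evidence for the access-control category. And the finance user who is allowed into invoicing is denied the git server by identity before posture is consulted: the application, not the network, is the unit of access, which is what stops a compromised account from moving laterally. A production engine would re-evaluate continuously during the session rather than once at connect time.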
When auditors ask how you limit access, prevent lateral movement, and detect incidents quickly, Zero Trust architecture provides clear, defensible answers.
The sovereignty factor
There’s a compliance dimension receiving increased attention from auditors: digital sovereignty. European organisations using American security vendors face a direct conflict between EU regulations and US law.
The US CLOUD Act lets American authorities compel US-based technology companies to hand over data stored on their servers, regardless of where those servers are physically located. A European hospital using a US-based security platform with servers in Frankfurt remains subject to American jurisdiction.
When security platforms perform TLS inspection (necessary for detecting threats in encrypted traffic), they see traffic in plaintext. The CLOUD Act does not itself authorise wiretapping, but whatever the vendor retains from that inspection (decrypted logs, session metadata, files pulled for sandboxing) is data in its possession that it could be compelled to produce, potentially putting the European customer in conflict with GDPR.
For NIS2-regulated entities, this isn’t abstract. CCB and RDI auditors increasingly ask where security data flows and who has potential access. Choosing a European-headquartered vendor with European infrastructure removes the CLOUD Act conflict from your risk register, provided its subprocessors and data centres are European as well. It’s not nationalism. It’s straightforward risk management.
A practical path to NIS2 compliance
For organisations that haven’t achieved compliance, the preparation window has closed. But progress is still possible with an accelerated approach:
Week 1-2: Immediate assessment. Use Safeonweb@work (Belgium) or the NCSC’s NIS2 Zelfevaluatie (Netherlands). Confirm classification, register if required, brief your board on personal liability.
Month 1-2: Architecture shift. Migrate from VPN to Zero Trust Network Access, starting with external suppliers and remote workers. Implement unified SASE, enable MFA across all applications.
Month 2-3: Policy and process. Create enforceable access policies. Develop and test your incident response playbook against the 24-hour early warning and 72-hour notification deadlines, including who decides that an incident is “significant” and who contacts the authority. Enforce technical controls on suppliers.
Month 4+: Audit readiness. Establish security analytics review routines. Prepare for CyFun conformity assessments with platform-generated compliance evidence.
How Jimber makes NIS2 compliance achievable
Jimber delivers Real SASE in one cloud-managed platform, directly addressing the core NIS2 challenge: robust security without operational complexity.
- Zero Trust Network Access provides granular, identity-based access to specific applications, not broad network segments.
- Secure Web Gateway and Firewall-as-a-Service deliver consistent policy enforcement for all web traffic.
- SD-WAN ensures resilient connectivity with automatic failover, addressing business continuity requirements.
- Device posture checks verify endpoint compliance before granting access. Continuous assessment, not point-in-time audits.
- NIAC hardware and industrial controllers bring agentless devices under Zero Trust controls without disrupting operations.
- Centralised logging from a single console makes 24-hour incident notification achievable and provides audit-ready evidence.
Because Jimber is European-headquartered with European infrastructure, CLOUD Act conflicts don’t apply. GDPR alignment is built in.
Frequently asked questions
Does NIS2 apply to my organisation?
If you operate in one of the 18 covered sectors with at least 50 employees or more than €10 million turnover, NIS2 applies directly. Even below these thresholds, supply chain requirements from regulated customers create de facto compliance pressure.
What if we missed the Belgian registration deadline?
Register immediately via Safeonweb@work. Late registration is better than none, but expect scrutiny. Demonstrating good faith compliance effort may influence how regulators approach your case.
Can we achieve compliance with existing firewalls and VPN?
Traditional perimeter security fails NIS2’s requirements for least-privilege access, rapid incident detection, and supply chain risk mitigation. You’ll need to demonstrate granular access controls and continuous verification.
How quickly can we achieve compliance?
Mid-market organisations with established identity infrastructure can achieve substantial compliance in three to four months. The key: address high-risk areas first, expand systematically. Waiting for a perfect plan means falling further behind.
Take control of your NIS2 compliance
NIS2 isn’t a paper tiger. Enforcement is active, audits are happening, consequences are real. But with the right architecture, compliance becomes achievable, even if you’re starting late.
Ready to see how Jimber makes NIS2 compliance practical? Book a demo and discover how one cloud-managed platform addresses your access control, incident detection, and supply chain security requirements, from a European-native solution that keeps you compliant with both NIS2 and GDPR.