Change within European cyber laws: the approaching NIS-2 regulation and accountants’ unawareness

For the Dutch version, click here.

A survey by SDU, a software innovation partner for the business community, and Lupasafe, an organization of cyber experts who focus on the financial and insurance world and previously performed ethical hacks for Achmea and Rabobank, shows that 90% of accountants are unfamiliar with the approaching NIS-2 regulation and 84% even have insufficient knowledge about cybersecurity. However, with the approaching mandatory application for these new European directives as of 2024, it is worrying that only a small minority is aware of these European cyber laws. Despite the very minimal knowledge, it appears that the implementation of NIS-2 still matters. The reasoning  of the decision to change the current NIS-1 regulation and what this NIS-2 regulation entails will be discussed in this article.

AEDs and DSPs

Before discussing the NIS-2 regulation further, and as the name suggests, currently the NIS-1 regulation has been in operation since 2016. At the time of its introduction, it was the first European legislation specifically aimed at increasing cybersecurity across Europe. Remarkably, the NIS-1 regulation was flexibly drafted to enable national lawmakers to apply their own interpretation, and therefore it served primarily as an overarching design to motivate countries to tighten their cybersecurity regulations or sometimes create their own. The NIS-1 regulation consists of the following three main categories: security requirements, notification requirements and information sharing. There is also a crucial distinction between AED (Providers of Essential Services) and DSP (Digital Service Providers), where unlike DSP, AEDs can be designated by national lawmakers. AEDs include companies that provide services critical to critical social entities and rely heavily on digital information systems such as energy providers. DSPs, on the other hand, are providers of digital services such as or the online search engine To qualify as a DSP, however, the following two requirements are active, at least 50 employees and an annual turnover of 10 million euros. In the case of the Netherlands, the application of the NIS-1 regulation takes place through the WBNI (Wet Beveiliging Netwerk- en Informatiesystemen). Here, AEDs and DSPs must apply various adequate security measures and should an incident nevertheless occur, they are required to report it to the Computer Security Incident Response Team (CSIRT).

New Rules

However, a need has arisen within the European Parliament to extend the current NIS-1 regulation. The core reasoning behind this transition is the fact that cybercrime is growing tremendously in combination with increasing digitalization which means that smaller companies will also become more vulnerable to the threat of a possible cyber-attack in the future. Based on the World Economic Forum Global Risks Report 2020, cybercrime will even grow to become the second biggest risk for businesses within 10 years. To meet the new challenges, the NIS-1 regulation is being modified in five different aspects.

First, significantly more sectors will be covered by the NIS-2 regulation that were previously considered too small to be at risk. Thus, medium-sized and large companies will be directly included in the NIS-2 regulation, and there is an option for individual member states to qualify smaller companies with a high security risk for the NIS-2 regulation as well. 

In addition, a mandatory minimum of basic security components will be introduced and the two different categories (AEDs and DSPs) will be abolished. Instead, there will be a qualification list where individual companies will be ranked according to their importance, resulting in different regimes being applied for each level. In addition, individual companies will also be expected to review their supply chains and supplier relationships and identify and address any security risks. And finally, the NIS-2 regulation will differ from NIS-1 since it will allow national authorities to impose stricter supervisory measures on companies.


Thus, the current NIS-1 regulation will be significantly broadened and strengthened. Especially the extension of the NIS-2 regulation compared to the NIS-1 regulation, among others accountants, will have to deal with this considerably more. And if a company is still not eligible for the NIS-2 regulation, there is a good chance it will be covered in the near future in the form of an NIS-3 regulation. With the increasing digitalization and associated cybercrime, it seems a matter of time until almost every company will have to deal with such a regulation, and the importance to delve into cyber security will only grow in the future.