Back to knowledge base

The NIS2 supply-chain duty of care: what is really required (and what is not)

Published on June 16, 2026

A lot of half-truth circulates around NIS2. That there is a "government-mandated, official tool". That you should have been compliant since some already-passed date. That a single SaaS subscription makes you "NIS2-proof" in one click. None of those three are true — and precisely because they are not, organisations sometimes make decisions out of fear instead of facts.

This article sets the record straight. What does NIS2, and the supply-chain duty of care specifically, actually require of you? What is the status of the law in the Netherlands? And where does continuous monitoring fit into that picture — not as a silver bullet, but as a defensible building block?

In short

• NIS2 does not mandate any specific, named tool or "official SaaS". The law requires appropriate and proportionate measures. How you implement them is up to you.
• The Dutch law is not yet in force. The Cybersecurity Act (Cyberbeveiligingswet) has been adopted by the House of Representatives and is now before the Senate; the government is aiming for entry into force in the second quarter of 2026 (a target date around 1 July 2026), subject to completion by the Senate.
• The supply-chain duty of care affects many more organisations than you think — even if you do not fall directly under NIS2, you can be pulled in via your customers.
• Compliance is an organisation-wide package, not a switch you flip. Continuous vulnerability monitoring is one important, demonstrable building block of it.

NIS2 and the Cybersecurity Act: what is what

It helps to keep two things apart.

NIS2 is the European directive (Network and Information Security Directive 2). A directive does not apply directly; each member state transposes it into its own legislation. At EU level, NIS2 has applied since 17 October 2024, the date on which the old NIS1 directive lapsed.

The Cybersecurity Act (Cyberbeveiligingswet, Cbw) is the Dutch implementation of it. It will replace the current Network and Information Systems Security Act (Wbni). The Netherlands missed the original EU deadline of October 2024. The bill was submitted in 2025, adopted by the House of Representatives in April 2026, and is now before the Senate. The government is striving for simultaneous entry into force of the Cybersecurity Act and the accompanying regulations in the second quarter of 2026.

In short: the obligations are coming and are already concrete in substance, but the Dutch law is not yet in force at this moment. Anyone claiming that a specific tool is "already mandatory" is not selling a fact but urgency.

What exactly is the supply-chain duty of care?

This is the core of why NIS2 fans out so much more broadly than many organisations expect.

Essential and important entities that fall under NIS2 must not only have their own security in order — they must also factor the security of their suppliers and supply chain into their risk management. That is the supply-chain duty of care: managing risks that enter via third parties.

The result is a cascade. Do you not fall directly under NIS2 yourself, but supply software, infrastructure, data or services to an organisation that does? Then that customer will want to be able to demonstrate that you have your basic security in order. In practice that comes back in contract requirements, supplier questionnaires and audits. If you do not comply, you run a real risk of losing the contract — not because the regulator knocks on your door, but because your customer has to be able to substantiate its own duty of care.

That is why NIS2 indirectly affects tens of thousands of SME suppliers that formally fall outside the direct scope. How this plays out in practice for suppliers, and what your large customer expects of you exactly, is covered in NIS2 supply-chain duty of care for suppliers.

What NIS2 does require

For organisations within scope, it essentially comes down to a number of obligations:

• Duty of care (risk management). Appropriate and proportionate technical, operational and organisational measures. Think of risk analysis, access security and MFA, incident handling, business continuity, supply-chain security, and dealing with vulnerabilities.
• Reporting obligation. Report significant incidents within tight deadlines: an early notification within 24 hours, a fuller report within 72 hours and a final report within a month.
• Registration obligation. Entities covered by the law must register with the competent authority (in the Netherlands this runs via the NCSC).
• Board accountability. The board must approve the measures and oversee them, with a training obligation and personal accountability.

Important: the law prescribes goals, not products. You are free in how you implement the measures.

What NIS2 does not require — the persistent myths

Myth 1: "There is an official, government-mandated tool or SaaS." Incorrect. NIS2 and the Cybersecurity Act do not name any commercial product as a mandatory standard. You may choose for yourself how you meet the requirements: self-host open source, take a service, or a combination. A provider that presents itself as "the official platform of the ministry" makes a claim the law does not support.

Myth 2: "It has been mandatory since [a fixed, early date]." Incorrect. The Dutch law is not yet in force; the target date lies in the second quarter of 2026, subject to the Senate. At EU level NIS2 has indeed applied since 17 October 2024, but that is something other than a domestic tool obligation as of a specific date.

Myth 3: "One tool makes you compliant." Incorrect. Compliance is an organisation-wide package — policy, processes, technology, governance and chain agreements. No single standalone product covers all of that. Anyone who sells it that way is selling false security. Why even a good scan does not make you compliant — and is indispensable nonetheless — is explained in scanning is not NIS2 compliance.

Myth 4: "Certificate X automatically makes you NIS2-compliant." Incorrect. Certifications and baselines can help demonstrate that your measures are in order, but in themselves they are not a legal capstone. Also watch out for invented or non-existent quality marks — they do occur.

The pattern behind these myths is always the same: a real obligation is inflated into a ready-made product with a deadline. The antidote is simple: ask exactly what the claim is based on.

So where does continuous monitoring fit in?

If no tool makes you "compliant", why invest in vulnerability monitoring at all? Because it is one of the most concrete and demonstrable ways to fulfil the risk-management and supply-chain parts of your duty of care.

The duty of care requires that you know and manage your vulnerabilities. You cannot tick that off once; your attack surface changes continuously. Continuous monitoring shows that you do this structurally — and that is exactly what an auditor, a customer or an insurer wants to see.

The difference lies in evidence. Not just knowing that a vulnerability exists, but being able to show in a forensically substantiated way how and when it was detected and followed up. That burden of proof is what makes a duty of care "defensible" rather than a paper promise. If you receive such a request from a customer yourself, answering a NIS2 supplier questionnaire helps you put that evidence concretely on the table.

Exposentry is built for this: NL-sovereign, forensically substantiated monitoring based on OpenKAT, for your own domains and your supplier chain. It is explicitly a necessary building block for your vulnerability management and supply-chain duty of care — not a full compliance guarantee. That honesty is deliberate: anything that presents itself as a total solution deserves extra suspicion.

• Read more about our approach to the NIS2 supply-chain duty of care.
• See how supplier monitoring works at Monitor my suppliers.
• Transparent pricing is on Pricing.
• Prefer to see where you stand right away? Start a scan of your organisation.

Practical: how to substantiate your supply-chain duty of care with evidence

1. Determine your position. Do you fall directly under NIS2 (sector + usually 50+ employees), or indirectly via customers that fall under it themselves? Both require action, but at a different level.
2. Map your attack surface. Which domains, systems and assets are visible from the outside? You cannot protect what you do not have in view — start with what an attacker sees of your domain.
3. Monitor continuously and record evidence. Not a single scan, but continuous visibility — with a record of what was found and when.
4. Include your chain. Monitor the basic security of suppliers for which you bear responsibility, and make agreements you can substantiate.
5. Document and report. Translate technical results into clear reports you can present to the board, an auditor or a customer.

Frequently asked questions

Is NIS2 already mandatory in the Netherlands? The European NIS2 directive has applied at EU level since 17 October 2024. The Dutch Cybersecurity Act, which transposes the directive into national obligations, is not yet in force: it has been adopted by the House of Representatives and is before the Senate, with a target date for entry into force in the second quarter of 2026.

Does NIS2 prescribe a specific tool or SaaS? No. NIS2 and the Cybersecurity Act require appropriate and proportionate measures, but name no mandatory product. You decide for yourself how you meet the requirements.

My organisation does not fall under NIS2. Do I still have to do something? Possibly. If you supply organisations that do fall under it, they can, via their supply-chain duty of care, require you to demonstrably have your basic security in order. Failing to comply can cost a contract.

Does one scan or one tool make me compliant? No. Compliance is an organisation-wide package of policy, processes, technology, governance and chain agreements. Continuous monitoring is an important, demonstrable building block of it, not a total solution.

What is the difference between NIS2 and the Cybersecurity Act? NIS2 is the European directive; the Cybersecurity Act is the Dutch law that implements this directive. The Dutch law can be more specific or stricter than the directive on certain points.

When should I start? Now. Most organisations need several months to bring their security and supplier management up to standard. Waiting until the law takes effect leaves too little time.

Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides NL-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.