NIS2 and AI: What Dutch Businesses Need to Know in 2025

Introduction

2025 is a decisive year for digital security in Europe. The NIS2 Directive, the EU’s updated cybersecurity framework, is already in force at the EU level. Member states had until October 2024 to transpose the directive into national law.

As of late 2025, Dutch businesses are in a crucial preparatory phase: the national Cybersecurity Act (Cyberbeveiligingswet) is expected to take effect in 2026, and regulators already encourage organisations to align with NIS2 requirements.

At the same time, the EU AI Act, which entered into force in 2024, has begun applying its first obligations in 2025. Together, these frameworks are shaping how Dutch companies balance innovation, security, and compliance.

What is NIS2 in Simple Terms

The NIS2 Directive (Network and Information Systems Directive 2) is the EU’s strengthened cybersecurity law. Compared to the original 2016 NIS Directive, it introduces:

  • Broader coverage: More industries are included, such as cloud service providers, digital platforms, and medium-sized IT vendors.
  • Stricter obligations: Stronger risk management, supply-chain security, and incident reporting within 24 to 72 hours.
  • Heavier penalties: Up to €10 million or 2 percent of global turnover.

NIS2 in the Netherlands: Where Things Stand in 2025

While NIS2 is already binding at the EU level, the Netherlands is still preparing its national implementation law, the Cybersecurity Act (Cyberbeveiligingswet), which is expected to enter into force in 2026.

This means:

  • Dutch businesses are not yet subject to national-level fines.
  • Organisations are expected to prepare now, as enforcement will follow quickly once the law is enacted.
  • Early preparation reduces risk, avoids rushed compliance, and strengthens overall security practices.

Why AI Matters Under NIS2

NIS2 does not specifically mention Artificial Intelligence, but AI systems fall under its scope because they:

  • Process sensitive personal and business data.
  • Depend on cloud services and third-party APIs, increasing supply-chain risk.
  • Introduce new attack surfaces, such as data poisoning or leakage.
  • Make breach detection more complex due to opaque decision-making.

At the same time, the EU AI Act is being phased in. While NIS2 focuses on cybersecurity and resilience, the AI Act addresses transparency, safety, and ethical use of AI. Together, they form a comprehensive framework that Dutch businesses must take into account when adopting AI technologies.

Checklist for Dutch Businesses Using AI Under NIS2

To prepare effectively, businesses can focus on the following steps:

  • Map AI data flows: Identify what data is collected, stored, and transferred.
  • Vet your vendors: Confirm that AI and cloud partners meet recognised standards such as ISO 27001 or SOC 2.
  • Update incident response plans: Include AI pipelines in detection and reporting.
  • Apply secure-by-design practices: Build AI systems with encryption, access control, and audit logging.
  • Test systems regularly: Conduct penetration testing and risk assessments for AI models and APIs.
  • Strengthen supply-chain security: Monitor open-source components, pretrained models, and external services.

Balancing Compliance and Innovation

Some companies worry that compliance may slow down AI adoption. In practice, NIS2 and the AI Act can both encourage innovation when approached strategically:

  • Privacy-first designs: Use anonymisation, federated learning, and data minimisation.
  • Cloud security: Apply strict identity management, encryption, and monitoring.
  • DevSecOps for AI: Integrate security scans and compliance checks into AI development cycles.
  • Continuous monitoring: Use tools that log activity and flag risks automatically.

This approach allows businesses to remain compliant while maintaining speed and trust in AI-driven services.

Risks of Inaction

Failing to prepare for NIS2 and the AI Act carries significant risks:

  • Fines and penalties once the Cybersecurity Act (Cyberbeveiligingswet) enters into force.
  • Reputational damage from breaches or non-compliance.
  • Operational disruption caused by unplanned reporting obligations and investigations.

The preparatory phase of 2025 is an opportunity to strengthen resilience before these frameworks are fully enforceable.

How Cyborg Helps

At Cyborg, we design and deliver platforms where AI security and privacy are built into the architecture.

  • Our Secure-by-Design AI Transcripts Platform demonstrates how AI can be developed with strong protections and independent security testing.
  • We support clients with GDPR, NIS2, the Cybersecurity Act, and the AI Act, combining expertise in cloud, DevOps, and AI.
  • Our focus is to help businesses adopt AI without sacrificing compliance or security.

Conclusion

NIS2 sets a new standard for cybersecurity across Europe. For Dutch businesses, 2025 is the time to prepare for the Cybersecurity Act (Cyberbeveiligingswet) in 2026. Alongside the EU AI Act, these frameworks will shape the future of digital operations.

By securing AI systems now, companies can avoid penalties, build customer trust, and gain a competitive advantage.

Learn more about how Cyborg helps Dutch businesses build secure AI platforms aligned with NIS2, the Cybersecurity Act, and the EU AI Act.

