NIS2 directive – Network and Information Security Directive 2

NIS2 directive – Network and Information Security Directive 2 525 400 Ekelmans Advocaten
Blog afbeelding (500 x 400 px) (22)
Leestijd: 4 minuten
Lesedauer: 4 Minuten
Reading time: 4 minutes

The NIS2 directive will soon come into force in the Netherlands. It is the successor to NIS Directive and focuses on risks that threaten network and information systems, such as cyber security risks. Organisations covered by the NIS2 directive will have to comply with the duty of care and notification obligations from then on. In this blog, lawyer Anne-Mieke Dumoulin-Siemens discusses what the directive entails, what it means for your organisation and what preparations your organisation can already make.

Cyber security deserves attention

Companies are facing increasing digitalisation and cyber incidents. At EU level, cybersecurity challenges are being addressed with a range of new regulations. For instance, the NIS 2 Directive has been in force for some time. The Network and Information Security Directive 2 (NIS2) aims to improve the cyber security and digital resilience of organisations in EU member states. The NIS2 Directive contains minimum requirements and must be implemented in Dutch legislation by 17 October 2024 at the latest. From that date, sectors designated in the directive must comply with the obligations in the NIS2 directive as they will then be laid down in Dutch legislation.

NIS2 directive has wide scope of application

NIS2 directive applies to a wide range of sectors, such as healthcare, transport and energy providers. Supermarkets, water management companies and digital providers should also prepare for the obligations in the NIS2 directive. The NIS2 directive includes sectors of high criticality and other critical sectors. There are 11 sectors of high criticality: energy, transport, banking, financial market infrastructure, healthcare, drinking water, waste water, digital infrastructure, ICT services management, public administration and space. In addition, the NIS2 directive has seven other critical sectors: postal and courier services, waste management, chemical industry, food industry, manufacturing industry, digital providers, research. Organisations that fall under any of these sectors must implement risk management measures and comply with cybersecurity reporting requirements.

How do you know if your organisation is covered by the NIS2 directive?

The organisation must belong to one of the sectors of high criticality or other critical sectors. In addition, the size of the organisation is important and whether the organisation plays a key role in society. If it turns out that the NIS 2 directive applies, you need to consider whether your organisation is an ‘essential’ or ‘important’ organisation. The Dutch government has prepared an online self-assessment NIS 2 Self-assessment NL (regelhulpenvoorbedrijven.nl). you may wish to use this self-assessment to determine whether the NIS 2 directive applies to your organisation.

What measures are we talking about?

In short, organisations should take appropriate technical, operational and organisational measures to improve their organisation’s cyber security and digital resilience. Organisations should identify cyber risks and adjust the security level of their network and information systems accordingly. For instance, large companies exposed to high risks should take more measures than a small business where the likelihood of an incident with high social and economic impact is small. Cyber security measures should include incident handling, back-up management, supply chain security, cyber hygiene, staff training, access policies and policies to measure the effectiveness of these measures.

What other obligations does the NIS 2 Directive impose?


The NIS 2 directive leaves the responsibility for cyber measures to the directors. The governing bodies of essential and important organisations must approve the security measures taken and oversee their implementation. Directors can be held personally liable for breaches of security obligations. Directors must undergo training to acquire sufficient knowledge to identify cyber risks and assess their consequences.

Reporting obligations/reporting obligation

Essential and important organisations must report without delay any incident that has a significant impact on the provision of its services. This could include incidents that cause or may cause serious operational disruption of services or financial losses to the organisation concerned. Consideration could also be given to incidents that cause or may cause significant material or financial damage to other (legal) persons. An initial notification must be made to the competent authorities within 24 hours, followed by an update no later than 48 hours after the initial notification. Note that reporting is also required if an incident may have significant consequences.

What preparations can organisations make in advance?

The Dutch government is in the process of transposing the NIS2 directive into Dutch law. A bill has not yet been published. At the moment, it is only clear which minimum requirements will have to be met, as these are apparent from the NIS2 directive.

Pending embedding in national legislation, the following steps could be taken:

  • Use the self-assessment NIS 2 Self-assessment NL (regelhulpenvoorbedrijven.nl) to determine whether your organisation falls under the scope of the NIS2 directive.
  • Map to which extent the board meets its governance obligations.
  • Establish the quality of existing technical, operational and organisational security measures, including monitoring mechanisms.
  • Determine whether the organisation can comply with reporting requirements and notification obligations.

Questions or advice on the NIS2 Directive and implementation?

If you need further clarification on the governance obligations or if you have questions on the reporting obligations and notification requirements, please contact Anne-Mieke Dumoulin-Siemens.

Cyber security

Your organisation has a great deal of confidential data. That is not just personal data — increasing amounts of company information are now available electronically as well. All this data is extremely valuable; if it ended up in the wrong hands, this could lead to serious commercial and reputational damage. The lawyers at our Privacy Desk will gladly examine the impact of cyber security on your business operations with you.


Netherlands UBO register temporarily closed to public, registration requirement still applies

Netherlands UBO register temporarily closed to public, registration requirement still applies 2560 1920 Ekelmans Advocaten
UBO Letter Initial Logo Design Vector Illustration
Leestijd: 2 minuten
Lesedauer: 2 Minuten
Reading time: 2 minutes

It is not acceptable that random members of the public can request (financial) information about a UBO. This has been ruled by the European Court of Justice. The Netherlands UBO register has therefore been temporarily closed to the public. What does this ruling mean and what are its implications for the UBO register?

Anti-Money Laundering and Terrorist Financing Directive

The UBO register and the obligation to register is based on the European fourth and fifth anti-money laundering directives. This directive aims to combat financial-economic crime. This could include corruption, money laundering, tax evasion, fraud and terrorist financing.

Companies have to register their ultimate beneficial owners in this UBO register. Some of the information (name, month and year of birth, nationality, state of residence, nature and extent of economic interest in the company) was, until recently, accessible to everyone. Anyone could request an extract from the UBO register for a small fee.

European Court ruling on the public nature of the UBO register

In its ruling of 22 November 2022, the European Court of Justice (ECJ) invalidated part of the European rules on the UBO register. According to the Court, public access to information on a UBO constitutes a serious interference with the fundamental rights to respect for private life and protection of personal data. It is not acceptable that random members of the public can obtain (financial) information about a UBO without having an interest related to the purpose of the directive. That is, prevention of money laundering and terrorist financing. UBOs are also particularly at risk because once provided, the data from the UBO register can be freely stored and distributed. The provision in the anti-money laundering directive that information on a UBO must be accessible to every member of the public in all cases is invalid, the Court ruled.

Consequences for the Netherlands UBO register

In the Netherlands, at the request of the Minister of Finance, the Chamber of Commerce has temporarily closed the UBO register to the public. This means that temporarily no information from the UBO register can be requested. The Court’s ruling has no impact on the obligation to register ultimate beneficial owners in the UBO register. UBO’s must register, if they have not already done so.


Can you transfer personal data to third countries safely after Schrems II? 

Can you transfer personal data to third countries safely after Schrems II?  1120 600 Ekelmans Advocaten
Schrems II
Leestijd: 6 minuten
Lesedauer: 6 Minuten
Reading time: 6 minutes

Since the EU-US Privacy Shield has been declared invalid, it is unclear how a company can transfer personal data to the US. Anne-Mieke Dumoulin Siemens provides guidance in the twilight zone created by the Court.

The Court of Justice of the European Union (ECJ) declared the EU-US Privacy Shield invalid on 16 July 2020 in the so-called Schrems II case. This means that with immediate effect, the EU-US Privacy Shield can no longer serve as a basis for the transfer of personal data to the US. When transferring personal data to countries outside the European Economic Area (EEA), the rules of the GDPR must be followed. Now that the EU-US Privacy Shield can no longer be used as a basis for transfer, the question arises as to how transfer to the US (and to other countries outside the EEA) can be designed to be secure. This article provides guidance in the twilight zone created by the Court.

Exit EU-US Privacy Shield

The GDPR facilitates the transfer of personal data on the basis of an adequacy decision. The European Commission has issued an adequacy decision for 12 countries.  An adequacy decision guarantees the third country concerned provides an adequate level of data protection. The EU-US Privacy Shield is based on an adequacy decision issued by the European Commission. The Court has annulled the EU-US Privacy Shield in Schrems II because of the lack of an adequate level of protection in the US. There are surveillance regulations in the US that allow US intelligence and security services to access personal data. Such access is not limited to strictly necessary data. In addition, US citizens have no enforceable data protection rights and no effective legal remedies.

Consequences exit EU-US Privacy Shield

The clash between the European privacy regulations and the US surveillance laws has serious consequences for the many companies and organisations that transfer personal data to the US under the EU-US Privacy Shield on a daily basis. They are now acting in violation of the GDPR. Schrems II does not offer a transition period: the transfer of personal data to the U.S. on the basis of the EU-US Privacy Shield has been declared invalid as of the date of the ruling. Schrems II does not only cover future data flows, but also personal data that have been transferred in the past and are still accessible to U.S. authorities. At present, it is not to be expected that the European supervisory authorities will start immediate enforcement proceedings, but the question what is an acceptable alternative mechanism for the transfer of personal data should be at the top of your company’s action list. How to proceed?

Alternative mechanism for the transfer of personal data?

The transfer of personal data to recipients in third countries must not undermine the level of protection guaranteed by the GDPR to individuals within the EU. The recipient country must provide a level of protection for personal data comparable to that guaranteed within the EU. In short, transfers should only take place in full compliance with the GDPR.

If no adequacy decision is in place for a particular country, the data exporting company or organisation must ensure that the transfer is secured with appropriate safeguards. The standard contractual clauses (SCCs) as adopted by the European Commission provide appropriate safeguards according to the GDPR.

Can SCCs still be used after Schrems II?

Article 46 GDPR, which forms the basis for the use of standard provisions, explicitly sets two requirements for transfers to countries to which no adequacy decision applies. Firstly, the exporting company must provide adequate safeguards (through SCCs, for example) and secondly, enforceable data subject rights and effective legal remedies for data subject must be available in the third country.

The SCCs passed the test of criticism in Schrems II. In principle, personal data can still be transferred to third countries on the basis of SCCs. However, the Court emphasises the importance of requirements in Article 46 GDPR concerning the use of standard clauses. Prior to any transfer of personal data, the transmitting company must verify that the receiving country provides the data subjects with enforceable rights and effective legal remedies.

In general, companies are imposed with the almost impossible task of assessing – on a country-by-country and transfer-by-transfer basis – whether recipient countries have legal rules in place regarding the protection of data subjects and their personal data. In addition, it is not clear what criteria should be used in the assessment. The Court does not address this and Article 46 GDPR does not provide any further explanation either. We now know that standard provisions cannot (or no longer) be used as a mechanism for the transfer of personal data to the US because US surveillance legislation prevents this. However, companies are in the dark as to how the surveillance and security legislation in other third countries is to be valued.

The reality is that few companies have sufficient knowledge and resources to properly assess the data protection legislation and surveillance practices of third countries. It is also clear that the European authorities seem to be struggling with such assessments. So far, the European Commission has issued adequacy decisions for only 12 countries, and the adequacy decision for the US has now been invalidated twice.

How can SCCs be used in practice?

The European Data Protection Board (EDPB) has announced to publish recommendations on how to deal with the consequences of Schrems II. In anticipation of these recommendations, the following guidelines may help you to implement the transfer of personal data to third countries on the basis of SCCs.

  • Check that the data importer is able to comply with all the provisions of the SCCs.
  • Carry out a due diligence on the type of data transferred, the categories of data subjects, the processing purposes, the retention period, the type of recipient and the sector to which the recipient belongs.
  • Examine to what extent the legal system of the third country allows public institutions to require disclosure of data and whether data subjects (including foreign data subjects) are aware of the disclosure and are able to take legal action before the courts. Determine the category of data affected by the laws of the third country.
  • Investigate the extent to which the importer is bound by these laws and the likelihood of the importer disclosing or having to disclose the exporter’s personal data to the authorities in the third country.
  • Check whether the data importer has a procedure to inform the data exporter if a government request extends to the data of the data exporter and offers the possibility of opposing disclosure.
  • Check whether the risks posed by national surveillance legislation can be offset by agreeing additional safeguards with the data importer. This could include agreements on the application of proper encryption, the suspension of the transfer of data and the removal of data by the data importer.
  • Make sure you document your choices and agreements. The GDPR requires you to be able to demonstrate that you comply with the GDPR.

Can Binding Corporate Rules be used?

Binding Corporate Rules (BSRs) are, in addition to SCCs, a mechanism for the transfer of personal data to third countries. BCRs are rules specifically designed for transfers of personal data within an international group of companies. Once established and approved, BCRs can only be used for the transport of personal data within the group of companies. A different mechanism must be used for transfers outside the group.

BCRs were not subject of debate in Schrems II. However, if the lawfulness of the transfer of personal data on the basis of SCCs is in question, because the regulations in the receiving third country do not comply with European safeguards, then one may wonder whether transfer to the same country on the basis of BCRs is lawful.

BCRs are drawn up by the group company concerned and must be approved by the competent supervisory authority. SCCs are a product of the European Commission. In practice, the main difference is that the burden of assessing the adequacy of protection measures lies with the supervisory authority when a company uses BCRs, whereas the user of SCCs (re Schrems II) has to make his own adequacy assessment and is responsible if he makes a mistake. This raises the question of how supervisory authorities within the EU deal with pending applications for the approval of BCRs. Approval of BCRs implies that the relevant supervisory authority considers that appropriate safeguards are in place in the receiving third country. This may be a sensitive issue, given the reasoning in Schrems II.

Can the exceptions in Article 49 GDPR be used?

According to the Court in Schrems II, the invalidation of the EU-US Privacy Shield does not create a vacuum because companies can rely on one of the derogations for specific situations (Article 49 GDPR). However, the possibilities to justify transfers using the exceptions of Article 49 GDPR are limited. EDPB has stated (Guidelines 2/2018) that these exceptions should be interpreted restrictively and that the exception should not be made the rule. In addition, the use of article 49 GDPR imposes a heavy administrative burden on the company. The data exporter must justify why each of the mechanisms for the transfer in question cannot be used and why the exception in question is suitable as a basis for transfer in the specific case. The option provided for in Article 49 GDPR therefore does not seem very attractive.

EDPB recommendations on implications of Schrems II

Schrems II shows that the application of and compliance with strict European privacy rules for the transfer of personal data in international traffic is problematic. The EDPB has set up a task force which will hopefully soon come up with recommendations on how to deal with the consequences of the Schrems II decision.

Would you like to know more about this subject? Then please contact our Privacy Desk.


We use cookies to make sure that our website functions smoothly. If you continue to use the website, we assume that you consent to the cookies.