NIS2 · Cyberbeveiligingswet

Demonstrate your NIS2 posture. With evidence, not assertions.

NIS2 asks in-scope organizations to assess their security posture, put measures in place, and be able to prove it. PAA produces that proof for your Azure, Microsoft 365 and Zero Trust estate — an attestation with control mapping and evidence, kept current as your environment changes. Without a €15,000 consultant.

Read-only access · €99 Day Pass

The obligation

What NIS2 actually asks of you

For organizations in scope, NIS2 turns security from good practice into a legal duty of care. In broad strokes, it expects four things.

Assess your risk

A documented view of where your security posture stands — not a feeling, an assessment.

Put measures in place

Technical and organizational controls appropriate to the risk, actually implemented and maintained.

Register

In-scope entities register with the relevant supervisory authority.

Report incidents

A duty to notify significant incidents within tight deadlines (the meldplicht).

In scope means, roughly: a medium or large organization (about 50+ staff or more than €10M turnover) operating in one of the NIS2 Annex I or II sectors. If that’s you, the duty of care applies.

Where the deadline stands

The dates, told straight

Netherlands

NIS2 is being transposed as the Cyberbeveiligingswet (Cbw). It is expected to enter into force during 2026, after approval by both the Tweede Kamer and Eerste Kamer. The exact date is not yet fixed — it is still in the parliamentary process. Anyone telling you a precise day is guessing. Entering into force does not mean instant fines; it means the duty to assess your posture and have measures in place becomes real.

Belgium

Already in force since October 2024. The first conformity self-assessment — using CyberFundamentals or ISO 27001 — was due 18 April 2026, with full certification due 18 April 2027.

The point of preparing now isn’t the date. It’s that demonstrating posture takes evidence you either have or you don’t — and gathering it after the deadline is the expensive way to do it.

What PAA produces

The evidence, generated and kept current

PAA doesn’t make you compliant — that’s organizational. It produces the technical proof that your posture is where you say it is, and keeps that proof from going stale.

Attestation with control mapping. Your Azure, M365 and Zero Trust configuration mapped against NIS2 expectations, with each control backed by what was actually observed.

A guided wizard. Walks you through the attestation rather than leaving you to interpret a framework cold.

A board-ready PDF. Export the attestation as a document you can hand a regulator, an auditor, or your board.

Drift re-checking. A scheduled job re-runs the attestation over time, so the evidence reflects your environment today — not the day you first ran it.

A certificate is a snapshot. Posture isn’t.

Environments change every week — a new service principal, an opened port, a disabled policy. A one-off audit is true the day it’s signed and decaying the day after. NIS2 expects measures to be in place and maintained, which is why PAA treats attestation as something that runs continuously, not once.

Managing clients in scope?

If you’re a Microsoft partner, NIS2 is your whole book.

Every essential and important entity you manage carries this duty. PAA lets you deliver NIS2 attestation across your portfolio, white-label, and resell it at margin.

NIS2 questions, answered honestly

Is NIS2 in force in the Netherlands yet?

NIS2 is being transposed into Dutch law as the Cyberbeveiligingswet (Cbw). It is expected to enter into force during 2026, after approval by both the Tweede Kamer and Eerste Kamer — the exact date is not yet fixed. The obligation is to demonstrate that you have assessed your security posture and have measures in place, which is worth preparing for before the deadline is loud.

Does NIS2 apply to my organization?

If you are a medium or large organization operating in one of the NIS2 Annex I or II sectors — roughly 50 or more staff, or more than €10M turnover — you are likely in scope and will carry a duty of care: assess risk, put measures in place, register, and report incidents.

Does PAA make us NIS2 compliant?

No tool makes an organization compliant on its own. Compliance is organizational. What PAA does is produce the technical evidence: an attestation, control mapping, and findings that demonstrate the state of your Azure, M365 and Zero Trust posture against NIS2 expectations — and keep that evidence current as your environment changes.

How is this different from a one-off audit?

An audit is a snapshot in time. PAA re-checks your attestation on a schedule and detects drift, so when a regulator, auditor or board asks, your evidence reflects your environment today — not the way it looked last quarter.

What about NIS2 in Belgium?

NIS2 is already in force in Belgium (since October 2024). The first conformity self-assessment, using CyberFundamentals or ISO 27001, was due 18 April 2026, with full certification due 18 April 2027.

Know where your NIS2 posture stands.

Start with a €99 Day Pass and run a compliance assessment. Read-only access, results in hours, no consultant required.