‘NIS2 is an enabler, not a checkbox process’
The security requirements for network and information systems in essential sectors are becoming stricter. Where compliance previously felt like a technical or legal exercise, the responsibility now undeniably lies with management. What impact will the NIS2 directive have? And how can organizations ensure resilience and continuity? We ask three insiders who are familiar with the risks of cybercrime. According to them, NIS2 is not a checklist, but an opportunity to structurally embed resilience, responsibility, and strategic leadership in business operations. ‘Do not have the focus on compliance.’

NIS2 requires companies to tighten the reins and better secure their digital infrastructure. The directive comes into force at the same time as the Cybersecurity Act. New sectors are being added to the regulator’s sphere of influence, divided into ‘essential’ and ‘important’ sectors. There is also a reporting obligation and a duty of care. Failure to comply will result in fines and managers can be held personally liable. Nadeem de Vree, VP of Networking and Security at KPN, considers the impact NIS2 will have on the market. He discusses this with Jeroen van Rooden, CIO of Leiden University Medical Center (LUMC), Matthijs Zwart, CIO/CISO of drinking water company Vitens, and Michel van Eeten, professor of cybersecurity at Delft University of Technology. The January winter weather made the roads impassable, so the conversation takes place via a phone call — which is actually quite appropriate. The digital highway has become indispensable to the GDP and health of the Dutch economy. This makes eliminating risks all the more urgent. Van Rooden expects the NIS2 regime to feel strict: ‘If you have not prepared properly, you will feel the consequences.’ He knows from personal experience that a malfunction or hack can never be completely ruled out, even when everything is considered to be in order. When that happens, it is best to have a contingency plan in place to ensure continuity. Or, in Zwart’s words: ‘When in doubt, do not overtake.’ The largest drinking water company in the Netherlands will continue to operate even if automated processes fail. ‘If there is no other option, we will pump, purify, and distribute analog.’ For Van Eeten, the time for checklists is over. ‘You can no longer hide behind rules. It is time to take responsibility.’

At KPN, we see that NIS2 demands a considerable amount from management, but above all, we see it as an opportunity to better secure digital infrastructures. How do you view NIS2: as an obligation or as an opportunity to professionalize?
Van Rooden: ‘NIS2 is an opportunity we cannot afford to miss; we can no longer afford that luxury. Circumstances beyond our control have led us into troubled waters. Geopolitical threats are creating additional pressure, added to the pressure from legislation and regulations.
Unfortunately, even now, there is a remarkable lack of awareness of the urgency of the situation, and in general we are doing too little in the way of risk management. We watch the news and share our concerns, but we are still not taking sufficient action. I am not just talking about our defense, but also about readiness and resilience in society. The security of our network and information systems should be an integral part of our backpack.’
Van Eeten: ‘The urgency of NIS2 is clear, if only because the board will ultimately be held responsible in the event of incidents. The danger is that companies will start avoiding risks. That would be the wrong approach. You should also not be afraid that the Dutch Data Protection Authority will ask questions. As a company, you need to deal with this in a mature way. The data protection officer is not a ‘nuisance’ either. Monitoring data protection is an important part of business operations. Companies that feel and take responsibility have nothing to fear. They are solution-oriented and have a clear vision of security. It is not sufficient to only focus on avoiding risks.’
Zwart: ‘NIS2 is absolutely an opportunity. And we should let everyone know why it is an opportunity. Well-prepared managers communicate what the policy is and what needs to be done if things go wrong. That invites support. Even employees who are not directly involved in IT need to be aware of their impact on cybersecurity and understand what they should do and should not do. That way, you remain in control when a problem arises. Cybercrime is a threat that we must not underestimate. And there is no safety net. In these uncertain times, you cannot rely on everything turning out for the best. In the event of large-scale national cyberattacks, you really need to be able to stand on your own two feet. It is a lesson we distinctly learned from exercises with the essential infrastructure sector.’

How can managers set a course in a rapidly changing landscape, where compliance and innovation reinforce each other, but also create tension?
Zwart: ‘Make simplicity a principle. At Vitens, we have simplified the IT architecture to the most crucial applications. We have made these robust through good, reliable suppliers. Strengthening our secure-by-design architecture in combination with strengthening our operational security capability has been the most important investment in recent years. As a result, we are much less vulnerable to external threats. The most unwise thing you can do is hire a battalion of consultants just to comply with the rules, without having the intrinsic motivation to be a safe and reliable service provider. We have been taking cybersecurity seriously since NIS1 (Wbni), because we were already classified as an essential sector back then. No one can survive without drinking water. A cyber incident would therefore have the greatest impact. The same applies to energy, healthcare, transport, and the financial sector. At the same time, we are also a company that needs to innovate. We too must renew our assets, build new machines in public spaces, and compete with sectors that require the same resources as we do. I see it as my task to unite safety and innovation.’
Van Eeten: ‘Ultimately, innovation and prosperity are the most important sources of safety. The Americans are the strongest militarily because they are the strongest economically, not the other way around. The reports by Draghi and, more recently, by Wennink, show a path that is necessary for our security, based more on deregulation. We should not regulate ourselves into a corner in the hope that it will make us safer.’
Van Rooden: ‘In practice, there is always tension between operations and compliance and legal matters, between what is allowed and what is required. Lawyers want to minimize liability, while compliance also weighs ethical issues. The challenge is to find the right balance. I personally believe that we must be able to trust each other. Complying with rules is no guarantee of 100% safety. No matter how many measures you take, you can still overlook something. You have to be open about that. It is okay to be vulnerable. That is more valuable to your employees and stakeholders than a slick story you cannot deliver on. A few months ago, there was a malfunction at AWS. We initially thought that luckily, we do not have a relationship with them. But we did. It turned out to be a small external service on which our network protocol – DNS – runs. As a result, the hospital’s core systems were inaccessible for an hour. This time it was a technical issue that was quickly resolved, but next time it could be a much more serious hack by state actors or others.’
Zwart: ‘Jeroen’s example shows once again how dangerous it is to make assumptions. You are fooling yourself if you think you have everything under control. You are only in control when you acknowledge your flaws and take into account everything you do not know. As long as you are able to deal with unforeseen circumstances. That is why at Vitens we always have a plan B in case automated processes fail. As a drinking water company, we are in reality an analog service provider. This means we also need to be able to operate our processes manually. We practice this with simulations.’

KPN helps organizations to structurally strengthen their cyber resilience and prepare for new obligations such as NIS2, with a focus on technology, processes, and collaboration. How do you view that responsibility, and what do you think organizations need to do now to comply with NIS2 in a timely and realistic manner?
Van Eeten: ‘I get the impression that a lot of time is wasted on peripheral issues. Companies are trying to get their administration in order, which in practice means a huge mountain of paperwork. They also monitor their supply chains with services like Bitsight, which contain little signal and a lot of noise – but they produce a report, and that is what they want. You should not want to comply with NIS2 because it is expected of you. That is counterproductive. Just like running phishing simulations. In reality, it turns out, those actually increase the risk of phishing.’
Zwart: ‘My advice is: keep in mind your analog alternatives. In our case, the availability of drinking water is the first priority. To guarantee that, we work exclusively with suppliers and other chain partners who have proven themselves, such as KPN, SAP, and ABB. We deliberately do a lot locally and on-premise in the vital parts of the company. The view is now more widely shared in the market that it is no longer wise to rely exclusively on the cloud.’
Van Rooden: ‘At LUMC, we also do a lot of work on-premise. What we are particularly vigilant about these days is research data that is shared anonymized via the cloud. It could contain anything. For that reason, we are cautious about using the cloud. I really urge our people to be wary of backdoors. No matter how much you control your core systems locally, there will always be connections to the outside world. We were caught off guard by that AWS outage, but we learned from it. A crisis is the best exercise. You should not sweep anything under the rug, but learn from it, to be stronger the next time. But that rarely happens. Take the COVID pandemic, for example: when it was over, we breathed a sigh of relief and went back to business as usual.
When I worked for the Tax and Customs Administration, I experienced the same thing with the DigiNotar crisis. DigiNotar was a company responsible for issuing and managing certificates for business and government organizations. In 2011, they were hacked, which compromised the reliability of these organizations’ data traffic. Another example: a few years ago, we were hit by a nationwide telephone outage. For a long time, the provider was able to provide only very limited information. I wonder what conclusions were drawn from this. I am not convinced that we learn enough from real-life situations. We tend to quickly return to business as usual.’

AI can be an accelerator of cyber resilience. AI offers enormous opportunities, especially in detection, monitoring, and reporting, but it also creates new dependencies. How do you deal with this?
Van Eeten: ‘If we want to deal with AI properly, we first have to stop defining it as an independent phenomenon that we need to control. AI is embedded in everything, from your email filter to automatic climate control in buildings and, yes, also the use of ChatGPT and related applications. The question is not: should we track down AI models and identify them as potential problems? The question is: how do we get a clear picture of the IT infrastructure as a whole of interlocking processes? Research by Delft University of Technology among municipalities showed that risks can arise at the digital front door: at the point where one domain ends and another begins. If something goes wrong there, blame gets shifted back and forth, because there is no clear owner of the problem. Security is an enabler, not a process of ticking boxes. From that perspective, we can assess sensitive processes for their relevance. Too often, the focus is on being compliant: ‘If I do not flag this, I might be held responsible.’ The security of network and information systems is an issue to which everyone can contribute by helping each other and highlighting potential risks.’
Zwart: ‘AI can be very useful in preventing risks. At Vitens, you can submit your meter readings by taking a photo. By having the photo read by algorithms, we have made a huge leap forward. When meter readings are entered manually, mistakes are made. However, with the growth of AI, the threat from the enemy has also increased. This is becoming increasingly dangerous for our critical sectors. That is why it is good that we have started talking about security resilience. This broadens the focus, because resilience means more than just preventing incidents. It means making preparations, increasing your resilience, and preparing more resilient solutions.’

How big is the risk of shadow AI? AI tools such as ChatGPT and tracking apps can expose sensitive data to unsecured systems.
Zwart: ‘That risk is real. You cannot prevent this by desperately trying to ban all these tools from users. The only thing you have to keep doing is asking questions. Who uses what, for what purpose, and why is it necessary? Incorporate these insights into new plans and procedures. The plan-do-check-act cycle must be alive in every organization and managed transparently in decision-making consultation. That means that everyone is held accountable. Taking responsibility is the basis for a cohesive team that feels called upon to be alert to risks.’
Van Eeten: ‘Forcefully trying to eliminate risks is not the solution. I spoke to someone from the air force who said that when setting up an IT network in a war zone, so many safeguards are built in that it can take months for those networks to be online.
Some of the risks eliminated by these strict standards are very small. At the same time, you also run the risk of your troops not being able to use fully functional IT, and therefore being less effective. These should be proportionate risk assessments.’
Van Rooden: ‘In our ecosystem, in addition to a major supplier such as Microsoft, we also have projects running with startups that are experimenting with AI with us. AI will enable us to significantly improve parts of healthcare. Think of speech recognition, for example. We apply the principle of security by design, which means we integrate security and compliance during development and not afterward.’

Interview by Nadeem de Vree, VP Networking & Security at KPN. Published in Management Scope 02 2026.

This article was last changed on 02-02-2026