Compliance · 12 min read · 2026-03-28

Gatekeeper Editorial — Compliance & Security

NIS2 Compliance Checklist for Dutch Municipalities

A practical, step-by-step checklist covering Articles 21–23 of the NIS2 directive. Designed for IT managers at Dutch municipalities who need to demonstrate compliance before the enforcement deadline.

Tags: NIS2, Municipalities, Compliance, Netherlands

Why NIS2 matters for municipalities

The NIS2 directive (EU 2022/2555) significantly expands the scope of cybersecurity regulation in the European Union. Dutch municipalities fall under the "essential entities" category through the Wet beveiliging netwerk- en informatiesystemen (Wbni). Unlike its predecessor, NIS2 introduces personal liability for management boards and fines up to €10 million or 2% of annual turnover.

For municipal IT departments, this means cybersecurity is no longer just an IT issue — it is a board-level responsibility. The good news: most of what NIS2 requires aligns with good IT practices you may already be implementing.

Article 21: Risk management measures

Article 21 requires municipalities to adopt appropriate and proportionate technical, operational, and organisational measures. Here is your checklist:

1. Risk analysis and information system security policies — Document your risk assessment methodology. Maintain a living risk register that covers all critical systems. Review quarterly.

2. Incident handling — Establish an incident response plan with clear escalation paths. Define what constitutes a "significant incident" (service disruption affecting >500 residents, data breach involving personal data, or financial impact exceeding €25,000).

3. Business continuity and crisis management — Maintain tested backup procedures. Document recovery time objectives (RTO) and recovery point objectives (RPO) for each critical system. Test failover annually.

4. Supply chain security — Assess the security posture of all ICT suppliers. Require contractual security obligations. Maintain a current vendor risk register.

5. Security in network and information systems acquisition, development, and maintenance — Implement vulnerability management. Patch critical vulnerabilities within 72 hours. Maintain a CMDB with accurate asset inventory.

6. Policies and procedures for assessing the effectiveness of cybersecurity risk management measures — Conduct internal audits. Schedule penetration tests at least annually. Track remediation of findings.

7. Basic cyber hygiene practices and cybersecurity training — Mandatory security awareness training for all staff. Phishing simulations quarterly. Privileged access training for IT staff.

8. Policies and procedures regarding the use of cryptography and encryption — Encrypt data at rest and in transit. Document your key management procedures. Use TLS 1.2+ for all external communications.

9. Human resources security, access control policies, and asset management — Implement least-privilege access. Conduct access reviews quarterly. Maintain an up-to-date asset register.

10. Use of multi-factor authentication — Enforce MFA for all administrative accounts, VPN access, and cloud services. Consider hardware tokens (FIDO2) for critical systems.

Article 23: Reporting obligations

NIS2 introduces strict incident reporting timelines that municipalities must follow:

Early warning: Within 24 hours of becoming aware of a significant incident, submit an early warning to the CSIRT (for Dutch municipalities: the NCSC or the sectoral CSIRT).

Incident notification: Within 72 hours of becoming aware of the incident, provide a detailed incident notification including an initial assessment, severity, and cross-border impact.

Final report: Within one month of the incident notification, submit a detailed final report including root cause analysis, mitigation measures taken, and cross-border impact.

To meet these timelines, you need automated incident detection, pre-built reporting templates, and clear internal escalation procedures. Manual processes will not be fast enough.

How Gatekeeper helps

B-Brave Gatekeeper addresses NIS2 requirements through its integrated platform:

Asset management: The CMDB and network discovery engine automatically inventories all devices, maintaining the accurate asset register required by Article 21.

Vulnerability management: CVE tracking, end-of-life monitoring, and automated enrichment identify and prioritise vulnerabilities across your estate.

Incident detection: The built-in SIEM with correlation rules detects anomalies and generates alerts that feed directly into your incident response workflow.

Compliance tracking: The compliance module maps your controls to NIS2 articles, showing exactly where you stand and what gaps remain.

Reporting: Automated reports with evidence collection support the documentation requirements of Articles 21 and 23.

Getting started

If you are a Dutch municipality starting your NIS2 compliance journey, focus on these three priorities:

1. Get your asset inventory accurate. You cannot protect what you do not know about. Automated network discovery is essential.

2. Establish your incident response process. Document it, test it, and make sure everyone knows their role.

3. Start your compliance mapping. Map your existing controls to NIS2 articles and identify the gaps. This gives your board a clear picture of where you stand and what investment is needed.

The enforcement deadline is approaching. Starting now with a structured approach is better than a rushed implementation later.


© B-Brave Gatekeeper 2026