'The era of an annual, paper-based risk assessment is over,' says Bram van Tiel, Partner Cyber Security at PwC. 'NIS2 demands a structural, data-driven approach to cyber risk management. Organisations that establish this now will not be caught off guard later.'
The Network and Information Security Directive 2 (NIS2) is the European directive aimed at strengthening digital resilience in essential and important sectors. The Netherlands is behind in its implementation, but the expectation is that the Cybersecurity Act will come into effect in the first half of 2026. Organisations subject to this legislation—such as providers of essential services including energy companies and healthcare institutions—must then be able to demonstrate in detail that they understand, manage and report their cyber risks.
'Many organisations underestimate what NIS2 requires of them,' Van Tiel observes from his work with clients. 'It's not about ticking boxes, but about a fundamental change in how you deal with cyber risks. Board members are given explicit responsibility and can even be held personally liable if things go wrong. That makes NIS2 particularly urgent.'
The new NIS2 Directive and the resulting Cyberbeveiligingswet are built on three pillars:
According to Van Tiel, the core challenge lies in the second pillar: the measures. 'NIS2 does not prescribe exactly which measures you must take, but it does require mature cyber risk management ("appropriate and proportionate"). You need to know which risks are most significant for your organisation, what impact they may have externally, and which measures are necessary to reduce those risks to an acceptable level.'
NIS2 marks a significant step forward towards alert, digital and real-time monitoring. Van Tiel: 'Many organisations still conduct their cyber security analyses in a policy-driven, paper-based manner, not yet digitally linked to their actual systems. As a result, such an analysis is often just a snapshot, a paper certainty; the situation might already be different the next day. NIS2 takes the next step: it makes cyber security a continuous process, where you constantly adjust based on up-to-date data and threats.'
PwC supports organisations in making this transition with the Managed Cyber Risk (MCR) platform. 'With MCR, we bring together cyber risks and controls in one integrated platform,' says Nick Ho-Sam-Sooi, Manager Cyber Security at PwC. 'Through dashboards, MCR provides clear insight into the effectiveness of measures, where risks are present, how they are developing, and what they could mean for the organisation—operationally, commercially and financially.'
The Managed Cyber Risk platform collects data from existing security systems and IT processes, creating a current overview of risks, vulnerabilities and the effectiveness of controls. 'The platform is designed so that the board can see the big picture and whether the organisation remains within agreed risk boundaries, while operational teams can zoom in on the details,' explains Ho-Sam-Sooi. 'This helps organisations make informed decisions, for example, about where additional investment in security will have the greatest impact.'
A key advantage, he emphasises, is that the tool also automatically reports in line with regulatory requirements. 'This makes it easier to demonstrate, both internally and externally, that you truly have your cyber risks under control.'
According to Van Tiel, organisations should not wait for exact guidelines when setting up their cyber security. 'There are measures relevant to every organisation: clear and concrete policies, data encryption, access control, patch management, regular system testing, and crisis response training. But the real value lies in the coherence: knowing what is most risky and prioritising accordingly.'
Data-driven risk management supports this. 'With the data you already have—from your IT systems, vulnerability scans or training platforms—you can gain a sharp picture of your resilience,' says Van Tiel. 'You see which measures are truly effective and where you still need to adjust. This is not only more efficient; it is also the only way to become NIS2-compliant.'
We guide organisations throughout the entire process: from baseline measurement to structural embedding. The first step is often a NIS2 gap assessment, mapping out where the organisation stands and what is still needed. PwC then assists in establishing a continuous process of monitoring and improvement.
This can proceed swiftly. 'On average, a gap assessment takes around six weeks,' says Van Tiel. 'Setting up a data-driven risk management structure with Managed Cyber Risk can be achieved within two to three months. In four to five months, you can establish a solid foundation. This not only supports your NIS2 compliance, but also structurally increases your resilience.'
Van Tiel emphasises that PwC deliberately avoids fear-based communication regarding NIS2. 'We do not want to frighten organisations with threat statistics or horror stories about hackers and ransomware attacks. It's about awareness and responsibility. Board members must understand their role and know that there are resources to manage it properly.' This provides certainty and opportunities: 'By structurally embedding cyber security, you build trust with clients, suppliers and regulators.'
According to Ho-Sam-Sooi, the greatest value of Managed Cyber Risk is the ability to continuously steer based on up-to-date information. 'The platform provides a continuous, current and reliable view of your cyber security and risks. This enables you to respond more quickly to new threats and prevents decisions based on outdated assumptions.' Moreover, the solution makes the impact of investments visible. 'You can see exactly what effect a measure has on your risks and what the expected return is in terms of risk reduction. This also makes cyber security financially manageable.'
The message is clear: organisations must act now. Van Tiel: 'The law is coming, but in fact, the Netherlands should have implemented NIS2 as early as October 2024. You should already be compliant. Those who are only starting now will soon be behind.'
His advice: map out your current position. Use all the data you already have. And work step by step towards a continuous cyber security process. 'NIS2 and cyber security are not a project; they represent a new way of working securely. And with the right approach, they offer a unique opportunity to take the lead.'