A practical NIS2 guide for network managers and IT directors

The introduction of the NIS2 Directive does not mark a fundamental technological shift, but it does represent a clear change in expectations and responsibilities. For network managers and IT directors, NIS2 does not significantly alter what is technically required, but it substantially raises the bar on what must be demonstrable. In The Netherlands, this shift will become tangible as the Directive is transposed into national law and supervisory practice takes shape.

NIS2 does not demand perfect networks. It requires explicit, proportionate and continuous risk management. In large organisations, where networks have evolved over time and are inevitably heterogeneous, this presents a practical challenge. Legacy environments are not the exception; they are the starting point.

NIS2: strengthening the duty of care, not the technology

At its core, NIS2 builds on familiar principles: risk management, incident detection, resilience and governance. What changes is the formalisation of the duty of care, stricter incident notification requirements, and the introduction of personal liability for board members. This liability is often interpreted in technical terms, but that interpretation is misleading.

Board members are not made responsible for individual configuration decisions. They are responsible for being able to demonstrate that appropriate measures have been implemented, that risks have been assessed, and that they have been adequately informed. The quality of that information position largely determines whether the duty of care can be met.

The role of the network manager and IT director

For network managers and IT directors, NIS2 shifts responsibility from the implicit to the explicit. They remain accountable for availability and stability, but they also become the primary source of insight into technical risk at board level.

Their role is not to eliminate all risk, but to make risk visible, prioritised and explainable. In practice, this means being able to:

• identify which parts of the network are critical,
• understand the implications of configuration and design choices,
• and explicitly articulate risks arising from legacy systems or operational constraints.

Without this translation layer, a governance gap emerges in which liability becomes difficult to manage.

Inventory and control of the network landscape

A persistent issue in many organisations is the absence of a current, centralised overview of the network environment. Devices, software versions and configuration states are often spread across teams, tools and incomplete documentation.

NIS2 makes this lack of visibility a compliance-relevant issue. Risk-based management presupposes insight. Automated inventory and configuration control are therefore not optimisation measures, but foundational capabilities. Managed network services that support this structurally allow existing, heterogeneous environments to remain controllable without large-scale redesign.

Configuration management and demonstrability

Where network operations have traditionally relied heavily on experience and manual processes, NIS2 requires demonstrability. Changes must be traceable, deviations explainable, and control verifiable.

This elevates configuration management, change logging and periodic validation from operational best practice to governance necessity. The objective is not to satisfy audits for their own sake, but to ensure that the organisation can credibly demonstrate control of its network, even where complexity or technical debt is unavoidable.

Availability and resilience as security responsibilities

NIS2 explicitly frames availability as part of cybersecurity. Network architecture, redundancy and recovery capabilities therefore become directly relevant to compliance. Many networks are technically redundant but operationally fragile: failover mechanisms exist on paper but have never been tested under real conditions.

Systematic analysis of exposure helps to make these weaknesses explicit. Importantly, this extends beyond classic vulnerabilities to include design, configuration and dependency risks. Exposure management focuses on impact and interrelation, rather than isolated technical findings.

Legacy: explicit acceptance and controlled risk

A key, and often misunderstood, aspect of NIS2 is its treatment of legacy. The Directive does not require organisations to modernise for the sake of modernisation, but to control risk. Legacy components are permissible, provided their risks are understood and mitigated appropriately.

For network managers, this means that legacy must be documented and addressed openly, not obscured. Compensating measures such as stricter monitoring, segmentation, enhanced configuration control or restricted access are often more realistic and effective than wholesale replacement programmes. Targeted assessments and security consulting help to formalise these decisions in a defensible manner.

Board responsibility, liability and the information position

Personal liability under NIS2 primarily alters the relationship between the board and IT. Board members must be able to demonstrate that they were informed of material risks and that decisions were taken on that basis. This presupposes a mature and reliable flow of information from IT and network management.

Here, the responsibility of IT directors and network managers is clear: to provide consistent, comprehensible and realistic risk information. Not simplified, but translated into impact, likelihood and controllability. Independent audits and assessments often play a valuable role as an objective bridge between technical reality and governance requirements.

Looking ahead: from compliance project to permanent discipline

With the implementation of NIS2 in The Netherlands, compliance will move from a project-based exercise to a matter of continuous control. Supervisory focus is expected to be on demonstrability, proportionality and the maturity of management processes, rather than one-off initiatives.

For network managers and IT directors, this means that NIS2 is not an endpoint but a structural change in how networks are managed, documented and accounted for. In complex, heterogeneous environments, this is not a trivial challenge — but it is one that can be addressed through pragmatic risk management and sustained operational discipline.