NIS2 & Compliance

NIS2 and SASE: comply with the Cyber Resilience Act on one platform

The Dutch Cyber Resilience Act, the national transposition of the European NIS2 Directive, is approaching enforcement in Q2 2026. For organisations in logistics, manufacturing, business services and other designated sectors, this is not a future hypothetical. It is a concrete obligation with personal director liability, reporting deadlines and registration requirements.

The pragmatic question every IT and security leader is asking right now is: how do we meet the technical obligations without building a separate compliance project on top of an already complex security landscape? The answer many organisations come to is: SASE. Not because SASE is sold as a compliance product, but because the technical capabilities NIS2 requires are exactly what a mature SASE platform delivers as standard.

This article explains which obligations apply, how SASE addresses them at the technical level, and why a converged platform like Cato Networks delivers compliance as a byproduct rather than a separate workstream. For the broader strategic context, see our SASE guide for international organisations.

What you will learn in this article

  • Whether your organisation falls under the Cyber Resilience Act and what the sectoral and size criteria are.
  • The three main obligations of NIS2: duty of care, reporting obligation and registration obligation.
  • How SASE covers the technical NIS2 measures, the compliance mapping per requirement.
  • Supply chain security, the often-forgotten NIS2 obligation and how SASE helps.
  • One audit trail for all obligations, demonstrable to supervisors without manual report assembly.

Does your organisation fall under the Cyber Resilience Act?

NIS2 applies to two categories of organisations: essential entities and important entities. Both have similar technical obligations; the main difference is the level of supervision and the size of potential fines.

Essential entities include sectors like energy, transport, banking, healthcare, drinking water and digital infrastructure. Important entities cover postal and courier services, waste management, manufacturing of critical products, digital providers and research organisations. For both categories, the size threshold typically starts at 50 employees and 10 million euros annual turnover, though sector-specific exceptions apply.

A pragmatic first check: if your organisation is critical to the operation of essential services, employs more than 50 people and operates across multiple sites, you are almost certainly in scope. Even when you are not directly in scope yourself, the supply chain obligations of your customers can effectively pull you in via contractual flow-down.

The three main obligations of NIS2

NIS2 imposes three overarching obligations on essential and important entities. Understanding them is the starting point for any technical compliance strategy.

Duty of care. The organisation must take appropriate technical and organisational measures to manage cyber risks. The directive lists ten minimum categories, including incident handling, business continuity, supply chain security, encryption and access control. These are not optional; the supervisor expects evidence.

Reporting obligation. Significant incidents must be reported to the national supervisor within strict deadlines: 24 hours for an early warning, 72 hours for an incident notification and one month for a final report. The clock starts at detection, not at containment.

Registration obligation. The organisation must register itself with the national authority. In the Netherlands this is the Digital Trust Centre. Registration includes designating a contact person, listing relevant sectors and providing technical contact information.

Expert insight

"NIS2 is not a tooling problem. The technical measures it requires, access control, logging, encryption, monitoring, are things any mature SASE platform delivers without thinking about NIS2. The hard part is governance: who owns the policies, who signs the audit trail, who reports the incident within 24 hours. That is where the right implementation partner makes the difference."

Momentum EMEA, EMEA's leading Cato Networks implementation partner

How SASE covers the technical NIS2 measures: the compliance mapping

Article 21 of NIS2 lists ten categories of technical and organisational measures. The interesting observation, when you map these to a mature SASE platform like Cato, is that seven of the ten are addressed by SASE as standard configuration.

Access control and identity management. ZTNA on the SASE platform delivers identity-driven, least-privilege access with continuous verification. Every access decision is logged with user, device, application and policy context, the exact evidence an auditor wants to see.

Encryption. All traffic over the SASE backbone is encrypted in transit. The single-pass engine decrypts only inside the cloud security stack for inspection and re-encrypts before forwarding. No plaintext traffic crosses public infrastructure.

Logging and incident detection. The platform's unified logging produces a single audit trail spanning network and security events. Detection capabilities include behavioural anomaly detection, threat intelligence correlation and AI-driven analysis through Cato CTRL.

Business continuity. The 4G/5G backup that comes standard in the Cato Socket, combined with the global private backbone, provides connectivity resilience without manual failover.

Supply chain security. Third-party access via ZTNA is identity-bound and time-limited. Suppliers and contractors get exactly the access they need, for as long as they need it, fully logged.

The three categories that SASE does not directly address (governance, asset management, secure development practices) require process work alongside the platform. We document this in our implementation guide, Cato Networks implementation from intake to live network.

Supply chain security: the forgotten NIS2 obligation

Article 21(2)(d) explicitly requires supply chain security: securing relationships with direct suppliers and service providers. In practice this is where many organisations fall short. The classical solution, granting VPN access to suppliers and contractors, is exactly what NIS2 forces to be reconsidered.

ZTNA on the SASE platform changes this fundamentally. Every supplier session is identity-bound, scoped to specific applications, time-limited and continuously logged. Posture checks on the supplier's device verify endpoint hygiene before access is granted. Revocation is instant: closing access to a departed contractor is a console click, not a firewall rule update.

For organisations with dozens of third-party access relationships, this is the difference between "we have policies" and "we can prove the policies are enforced". The latter is what NIS2 supervisors expect.
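As an added illustration of the access-decision and audit-trail points above (not Cato's or Momentum EMEA's code), the following Python sketch models a third-party ZTNA grant that is identity-bound, scoped to named applications, time-limited and instantly revocable, with a posture check, and writes every decision to one log record carrying user, device, application and policy context. All names, sample values and the posture result are constructed assumptions.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class SupplierGrant:          # constructed model of a third-party ZTNA grant
    user: str                 # identity-bound: the grant belongs to one account
    apps: frozenset           # app-scoped: only these applications are reachable
    valid_from: datetime      # time-limited: outside this window the grant is dead
    valid_until: datetime
    policy: str               # policy name stamped on every decision record
    revoked: bool = False     # instant revocation: one flag, no firewall rule change

AUDIT_LOG: list = []          # stands in for the platform's unified log (one data layer)

T0 = datetime(2026, 4, 1, 8, 0, tzinfo=timezone.utc)      # constructed sample window
GRANTS = {"alice@supplier.example": SupplierGrant(
    "alice@supplier.example", frozenset({"erp", "ticketing"}),
    T0, T0 + timedelta(days=14), "supplier-erp-maintenance")}

def decide(user, device_id, app, posture_ok, at, grants=GRANTS, log=AUDIT_LOG):
    """Evaluate one request; posture_ok is assumed to come from the endpoint agent.
    Every outcome, allow or deny, is logged with user, device, app and policy."""
    g = grants.get(user)
    if g is None:
        reason = "no-grant"
    elif g.revoked:
        reason = "revoked"
    elif not (g.valid_from <= at < g.valid_until):
        reason = "outside-window"
    elif app not in g.apps:
        reason = "app-not-in-scope"
    elif not posture_ok:
        reason = "posture-failed"
    else:
        reason = "allow"
    log.append(json.dumps({                          # the evidence an auditor asks for
        "ts": at.isoformat(), "user": user, "device": device_id, "app": app,
        "policy": g.policy if g else None, "allowed": reason == "allow", "reason": reason,
    }))
    return reason == "allow", reason

def revoke(user, grants=GRANTS):
    """Departed contractor: flip the flag; the next request is denied and logged."""
    grants[user].revoked = True

def denied_events(log=AUDIT_LOG):
    """Auditor's console filter: every denied supplier session, from one log."""
    return [json.loads(e) for e in log if not json.loads(e)["allowed"]]
```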

Demonstrably compliant: one audit trail for all obligations

Compliance auditing is not about having the right technology; it is about being able to prove you do. The classical compliance challenge is that the evidence sits in twelve different tools (firewall logs, VPN logs, SIEM events, identity provider audit trails, etc.) and assembling a coherent narrative for an auditor takes weeks of manual work.

The platform approach inverts this. All traffic flows through the Cato single-pass engine, all decisions are logged with full context, all events feed into one data layer. An auditor query that previously required SQL across multiple log stores becomes a console filter. Reports that took weeks to compile become standard exports.

This is what we mean when we say compliance becomes a byproduct of the architecture rather than a separate workstream.

Momentum EMEA as NIS2 implementation partner

The technical platform is one half of the answer; the implementation partnership is the other. As EMEA's leading specialised Cato implementation partner, Momentum EMEA combines carrier-neutral underlay (the internet connectivity itself) and Cato SASE overlay (the security and access control) from one contract, one SLA and one team.

For NIS2 compliance specifically, this means a single accountable partner for the technical environment that produces the audit evidence. Our quarterly reviews include compliance posture reporting; our incident response procedures align with the 24/72-hour NIS2 reporting clock.

NIS2 enforcement starts Q2 2026. Are you ready?

Our Cato specialists are happy to walk through your current architecture and show exactly which NIS2 obligations are addressed and where the gaps are. In 30 minutes you have a concrete picture of your compliance posture and the fastest route to demonstrable compliance.

Or call directly: +31 20 226 1500. Momentum EMEA, Ede

Frequently asked questions about NIS2 and SASE

When does the Dutch Cyber Resilience Act take effect?

The Dutch Cyber Resilience Act, the national transposition of NIS2, is approaching enforcement in Q2 2026. From that date, supervisors can investigate and impose fines. Practically, organisations should be technically ready well before that date because audit cycles take time.

Does my organisation fall under NIS2?

If you operate in one of the essential or important sectors (energy, transport, healthcare, water, digital infrastructure, manufacturing of critical products, etc.) with more than 50 employees and over 10 million euros annual turnover, you are almost certainly in scope. Even outside direct scope, supply chain obligations from in-scope customers can pull you in.

Which NIS2 obligations does SASE cover?

SASE addresses access control, encryption in transit, logging, incident detection, business continuity and supply chain security as standard configuration. Three categories (governance, asset management, secure development) require process work alongside the platform.

What is the difference between NIS2 and GDPR?

GDPR governs the processing of personal data; NIS2 governs the cyber security of network and information systems for essential and important entities. They overlap in technical measures (access control, encryption, logging) but the scope and supervisory regime are distinct. Most organisations need to comply with both.

How fast must we report an incident under NIS2?

NIS2 imposes a three-step clock: 24 hours for an early warning, 72 hours for an incident notification with details, and one month for a final report. The clock starts at detection, not containment. Practically this means automated detection and a clear incident response workflow are mandatory.

How does Momentum EMEA support NIS2 compliance?

As EMEA's leading specialised Cato implementation partner, we deliver the technical environment that produces the NIS2 audit evidence. This includes quarterly compliance posture reviews, alignment with the 24/72-hour reporting clock and a single accountable contact for the technical environment.