NIS2 and AI Agents: What You Need to Know
The EU is getting serious about cybersecurity. NIS2 (Directive 2022/2555) is the new framework that will force thousands of companies to step up their game — including those building or using AI agents.
But here’s the catch: NIS2 doesn’t mention “AI” or “AI agents” anywhere. The law was written before the ChatGPT explosion. Yet if your agent touches critical infrastructure, the entire system falls under NIS2 rules.
And directors can be personally liable if they ignore it.
NIS2 does not specifically mention “AI” or “AI agents” (the law was mostly written before the big AI boom). However, if your AI agent is used in a NIS2-covered sector or service, the whole system falls under NIS2 rules.
Ignorance is not a defense. Your AI agent is in scope. Start preparing now.
What Is NIS2?
NIS2 (Network and Information Security Directive 2) is the EU’s flagship cybersecurity legislation. It replaced the outdated NIS1 directive and significantly expands the scope of companies that must comply.
It applies across all EU member states, including the Netherlands, where it will be implemented through the Cyberbeveiligingswet (Cbw) expected in 2026.
The directive divides organisations into two categories:
- Essential entities — critical infrastructure in energy, transport, healthcare, banking, digital infrastructure, etc. These face stricter supervision and heavier fines.
- Important entities — medium and large companies in manufacturing, digital services, cloud providers, data centers, postal services, etc.
If your AI agent is used by — or deployed within — any of these sectors, NIS2 applies to you.
Why AI Agents Are in the Crosshairs
AI agents are different from traditional software. They’re not just passive systems waiting for commands. They actively plan, use tools, call APIs, and make decisions autonomously.
This introduces new vulnerabilities that traditional security measures miss:
- Prompt injection — attackers trick your agent into following malicious instructions
- Tool misuse — the agent calls the wrong API or uses a tool in an unintended way
- Privilege escalation — the agent gains access to systems it shouldn’t have
- Behavioral drift — the agent’s behavior changes over time as it learns from interactions
- Data leakage — the agent inadvertently reveals sensitive information in responses
If your AI agent is used in a critical service, attackers don’t need to break your server. They just need to talk to your agent.
📖 Related: Read the AI Agent Prompt Security Playbook →
The key point: if your AI agent supports or runs part of a critical service, your organisation must treat the agent as part of its “network and information systems” under NIS2. That means the agent is subject to all the directive’s requirements.
The 10 NIS2 Requirements for AI Agents (Article 21)
NIS2 Article 21 requires organisations to implement risk management measures across 10 specific areas. Here’s what each one means for AI agents:
| # | Requirement | What It Means for AI Agents | \
|---|---|---|
| 1 | Risk analysis & security policy | Regularly assess risks specific to your agent — prompt injection, API key exposure, tool abuse. Document everything. |
| 2 | Incident handling | You must detect, respond to, and report agent-related incidents within 24 hours. That means logging agent actions and having a response plan. |
| 3 | Business continuity & crisis management | What happens when your agent goes rogue? Ensure the agent’s failure doesn’t break critical operations. |
| 4 | Supply chain security | Vet your LLM provider. Vet your VPS provider. Vet your tools. If they have a vulnerability, so do you. |
| 5 | Secure acquisition, development & maintenance | Build agents “secure by design.” That means regular pentests before deployment, not after. |
| 6 | Vulnerability management & disclosure | Continuously scan for agent weaknesses. Have a process for receiving and fixing vulnerability reports. |
| 7 | Cybersecurity hygiene & training | Train your staff on agent-specific risks. They need to know prompt injection exists and how to spot it. |
| 8 | Cryptography & encryption | Protect data your agent uses or generates. API keys, chat histories, user inputs — all must be encrypted. |
| 9 | Access control & multi-factor authentication | Least privilege for agents. Your customer support agent doesn’t need database admin rights. Ever. |
| 10 | Use of secure configurations | Harden the infrastructure where agents run. No open SSH. No exposed databases. No mystery HTTP servers. |
NIS2 holds directors personally liable for non-compliance. If your AI agent causes a breach and you ignored these requirements, you could face fines — or worse. This isn’t just an IT problem. It’s a board-level risk.
Practical Compliance Steps for AI Agent Builders
If you’re building or using AI agents in the Netherlands (or anywhere in the EU), here’s what you should do right now:
- Inventory everything — Map every tool, API, data flow, and infrastructure component your agent touches. If you don’t know what your agent connects to, you can’t secure it.
- Run agent-specific risk assessments — Use frameworks like OWASP Top 10 for LLMs. Test for prompt injection, tool misuse, and privilege escalation.
- Schedule regular penetration tests — This is a direct compliance requirement. Automated scanners miss what human-led red teaming finds. This is exactly what I do.
- Build an incident response plan — Include scenarios like “agent was hijacked” and “agent leaked customer data.” Practice the response.
- Audit your supply chain — Who provides your LLM? Your hosting? Your tools? Do they have security certifications? If not, find new vendors.
- Document everything — Auditors will ask for logs, test reports, policies, and evidence of compliance. If it’s not documented, it didn’t happen.
When Does This Apply?
The deadline for EU member states to transpose NIS2 into national law was October 17, 2024. Some countries missed it. The Netherlands is expected to finalize its Cyberbeveiligingswet (Cbw) in 2026.
But don’t wait for the deadline. Many organisations are already preparing because supervision is coming — and non-compliance fines can reach €10 million or 2% of global annual revenue.
How I Can Help
NIS2 explicitly requires “regular penetration testing” and “secure acquisition, development & maintenance” of systems — including AI agents.
That’s exactly what I do. I break AI agents so you can prove to auditors (and attackers) that your systems are secure.
My services align directly with NIS2 requirements:
- Lite Pentest ($750) — Single agent assessment, key vulnerabilities, rapid results. Perfect for small teams getting started.
- Full Pentest ($3,000) — Comprehensive red team, detailed report, 1-hour debrief. For production agents handling sensitive data.
- Red Team ($5,000) — Two-week intensive, SOC2/ISO ready report, certificate of completion. For regulated industries.
- NIS2 Readiness Audit (custom) — Full assessment of your AI agent against NIS2 requirements. Documentation included for auditors.
NIS2 doesn’t mention AI agents by name. But if your agent touches critical infrastructure — healthcare, energy, transport, digital services — you’re on the hook.
Regular pentesting isn’t just good security anymore. It’s a compliance requirement.
Directors can be personally liable. Don’t wait for the fine. Or the breach.
Need a NIS2 AI Agent Readiness Audit?
Regular pentesting is a compliance requirement. I break AI agents so you don’t get broken — or fined.
📩 DM @StackOfTruths on XFree 15-min consultation. No hard sell. Just honest answers about your AI agent security.
Leave a Reply