Why every accountant must act now
The NIS2 directive will take effect in the Netherlands in spring 2026. While many accountants believe this legislation is primarily relevant to large organizations and critical infrastructure, the reality is different: as a service provider in your clients’ supply chain, you are part of their cybersecurity responsibility.
The Supply Chain Reality
NIS2 requires organizations to not only ensure their own cybersecurity but also that of their suppliers and service providers. As an accounting firm, you have access to highly sensitive financial data, tax information, and strategic business information of your clients.
This makes you a critical link in their cybersecurity supply chain.
Why accountants are extra vulnerable
Cybercriminals know that accounting firms:
- Have access to the financial systems of multiple companies
- Manage sensitive data for dozens to hundreds of clients
- Are often trusted communication partners (ideal for phishing)
- Are usually smaller firms with limited IT budgets
- Have access to tax returns, payroll information, and bank accounts
A successful attack on your firm can lead to:
- Data breaches for multiple clients simultaneously
- Fraudulent payment orders via your email
- Damage to your reputation and liability claims
- Loss of clients covered by NIS2
Your Responsibilities under NIS2
1. As a service provider to NIS2-obligated clients
Do you have clients in sectors such as healthcare, energy, transportation, finance, or government? Then they may fall under NIS2 and are required to assess your cybersecurity. They must be able to demonstrate that their service providers (including you) have implemented adequate security measures. In concrete terms, this means:
- Your customers will demand cybersecurity guarantees
- You must be able to demonstrate what measures you have taken
- Incidents at your company can lead to mandatory reporting to your customers
- Poor security can lead to contract termination
2. As an independent organization subject to NIS2 compliance
Depending on your size and the nature of your services (for example, if you provide extensive digital or cloud services), you may also fall under the NIS2 legislation.
Practical Steps for Accounting Firms
Basic Cybersecurity Hygiene
1. Awareness Training for Your Team
- 90% of cyberattacks start with human error
- Regular phishing simulations and training are essential
- Employees must be able to recognize suspicious emails
2. Multi-Factor Authentication (MFA)
- Mandatory for all systems containing client data
- Especially critical for accounting, email, and cloud systems
3. Data Encryption
- Encrypt data at rest and in transit
- Use secure file transfers (no unsecured email)
4. Backup and Recovery
- Daily backups with offline/offsite storage
- Tested recovery plan for ransomware scenarios
5. Access Management
- Grant each employee only the minimum access rights their role requires
- Revoke all access immediately when an employee leaves
Compliance documentation
Ensure you can demonstrate:
- What security measures you have in place
- That employees receive regular training
- How you handle incidents (incident response plan)
- What technical and organizational measures (TOMs) you have in place
- That you manage supplier risks (your own IT suppliers)
The business case
“Cybersecurity is expensive,” we often hear. But compare the costs:
Prevention: €50-150 per employee per year for awareness training and basic tools
Data breach: Average €100,000 – €500,000+ in:
- Forensic investigation and remediation costs
- Legal fees and fines
- Reputational damage and loss of clients
- Loss of productivity
- Potential liability claims
Opportunities for advisory accountants
NIS2 also offers opportunities:
- Advise your clients on their NIS2 obligations
- Position yourself as a trusted advisor in the field of cybersecurity
- Differentiate yourself from competitors through demonstrable security
- Develop new services around compliance and risk management
How Lupasafe helps accounting firms
Lupasafe offers a complete security awareness solution specifically suited for accounting firms and their SME clients:
- Automated phishing simulations in Dutch
- Practical e-learning modules on cybersecurity basics
- Compliance reports for NIS2 and ISO 27001
- White-label solutions to help your clients
- MSP-friendly platform for offices with multiple locations
→ Discover how Lupasafe makes your office NIS2-proof
Conclusion
NIS2 is no longer a future problem – it’s here now. As an accountant, you have a dual responsibility: securing your own organization and helping your clients with their supply chain security.
Start today:
- Identify clients that may fall under NIS2
- Assess your current security posture
- Implement basic security awareness
- Document your measures
- Proactively communicate with your customers about your security approach
The question isn’t if you’ll be attacked, but when. Are you prepared?
Read our article for directors and managers of SMEs about chain responsibility.
________________________________________
About INAA
INAA (International Association of Independent Accounting, Advisory, Law, and Professional Services Firms) is a global network of independent professional firms that offer accounting, tax, legal, and business advisory services, specializing in helping businesses with complex cross-border financial and regulatory challenges by connecting local expertise with global reach.
About Lupasafe
Lupasafe is a Dutch cybersecurity platform for monitoring, compliance and awareness that helps organizations address the human factor in cybersecurity. With technical tools, phishing simulations, e-learning, and compliance tools, we help SMEs and their advisors become NIS2-compliant and more cyber-resilient. Lupasafe has been an INAA partner since 2023, and INAA members can benefit from Lupasafe's cybersecurity services at the lowest cost.
