The Netherlands' Cybersecurity Act Is Almost Law — What You Need to Know Now

By NIS2Certify

The Dutch parliament approved the Cyberbeveiligingswet (Cbw) on 15 April 2026. After missing the original EU transposition deadline by 18 months, the Netherlands now has its NIS2 implementation law — and enforcement will follow within weeks of it entering into force.

If your organisation operates in the Netherlands, or if you supply to Dutch organisations in regulated sectors, here is what you need to know.

Why the Netherlands Was Late

The EU required all Member States to transpose NIS2 into national law by 17 October 2024. The Netherlands missed that deadline. The draft Cyberbeveiligingswet was submitted to parliament on 2 July 2024, but legislative procedures delayed the process.

The House of Representatives passed the law on 15 April 2026. Senate approval and publication in the Staatscourant are the final steps before entry into force — expected in Q2 2026.

During the delay, organisations could register voluntarily with the NCSC from 17 October 2024. Most did not.

NIS2 Implementation Status by Country (2025–2026)

  • Fully in force (6 countries): Belgium, Croatia, Hungary, Lithuania, Latvia, Italy
  • Adopted — late 2025 (3 countries): Germany, Czech Republic, Finland
  • In progress — expected 2026 (7 countries): Netherlands, France, Spain, Poland, Austria, Sweden, Ireland

What the Cyberbeveiligingswet Requires

The Cbw is a direct transposition of the NIS2 Directive. It does not add significant Dutch-specific measures on top — it implements the EU framework as written.

That means the same obligations that apply in Germany, Belgium, and Portugal now apply in the Netherlands:

Scope. Organisations with more than 50 employees or more than €10 million in annual turnover operating in one of the 18 NIS2 sectors are in scope. This includes energy, transport, healthcare, drinking water, digital infrastructure, ICT service management, public administration, and more.

Registration. In-scope organisations must register with their designated national authority. In the Netherlands, that is the RDI (Rijksinspectie Digitale Infrastructuur) for most sectors, with the NCSC playing a coordinating role. Registration deadlines will be set once the law enters into force.

Article 21 security measures. Every in-scope organisation must implement the ten cybersecurity risk management measures: risk analysis, incident handling, business continuity, supply chain security, network security, vulnerability management, cryptography policies, access control, MFA, and cybersecurity training.

Incident reporting. Significant incidents must be reported to the NCSC within 24 hours (early warning), 72 hours (full notification), and one month (final report).

Board accountability. Management bodies are personally responsible for approving and overseeing cybersecurity measures. Article 20 of NIS2 — and its Dutch equivalent — makes this non-delegable.

Who Supervises Whom

The Netherlands has chosen a multi-authority supervisory model. The RDI is the primary national competent authority, but sector-specific regulators also play a role:

  • DNB (De Nederlandsche Bank) for banking and financial market infrastructure
  • ACM (Autoriteit Consument & Markt) for digital infrastructure and ICT service providers
  • RDI for most other sectors

This matters in practice: your supervisor determines what registration looks like, what audits look like, and who issues binding orders or fines.

What Fines Look Like

The Cbw follows the NIS2 penalty framework:

  • Essential entities: up to €10 million or 2% of global annual turnover, whichever is higher
  • Important entities: up to €7 million or 1.4% of global annual turnover

Beyond financial penalties, supervisors can issue binding remediation orders, impose temporary operational restrictions, and — in serious cases — request temporary bans on management functions. These are not hypothetical sanctions. Germany's BSI and Belgium's CCB have already used their equivalent powers.

NIS2 Penalty Escalation — Beyond the Fine

Trigger event: Non-Compliance Detected or Incident Occurs. A supervisory authority identifies a compliance gap or an organisation fails to meet NIS2 requirements.

Authorities can impose non-monetary penalties:

  1. Compliance orders with binding deadlines
  2. Mandatory security audits at your expense
  3. Public disclosure of violations
  4. Binding instructions on specific security measures

This escalates to operational and personal consequences:

  1. Suspension of certifications or operating licences
  2. Temporary ban on management functions for individuals
  3. Public naming of responsible natural persons

What Dutch Organisations Should Do Now

The law is passed. Entry into force is weeks away. Here is what matters right now.

1. Determine if you are in scope. Check your employee count, annual turnover, and sector classification. If you have more than 50 employees or €10 million in revenue and operate in a covered sector, you are almost certainly in scope — even if you have never dealt with cybersecurity regulation before.

Does NIS2 Apply to Your Organisation?

  • Question 1: Does your organisation operate in an essential or important sector (energy, transport, health, digital infrastructure, etc.)? (Yes / No)
  • Question 2: Does your organisation have 50 or more employees, or an annual turnover exceeding €10 million? (Yes / No)
  • Question 3: Is your organisation a critical infrastructure provider or a qualified trust service provider? (Yes / No)

Possible outcomes:

  • Applies: NIS2 applies to your organisation as an Essential or Important Entity.
  • Possibly applies: NIS2 may apply to your organisation — seek legal advice to confirm your status.
  • Does not apply: NIS2 does not directly apply to your organisation.

2. Prepare for registration. The RDI will open its registration portal once the Cbw enters into force. Having your organisation details, sector classification, and key contacts ready will speed up the process. Do not wait for the portal to open before gathering this information.

3. Start your Article 21 assessment. Registration is the administrative entry point. The real work is implementing the ten security measures. Most Dutch organisations have not started. A structured gap analysis against Article 21 requirements will show you exactly where you stand and what needs to happen first.

4. Put it on the board agenda. NIS2 is not an IT project. The Cbw makes management bodies directly accountable. If your board has not discussed NIS2 compliance, that conversation cannot wait until after the law enters into force.

5. Review your supply chain obligations. If you are an NIS2 entity, you are required to assess and manage cybersecurity risks in your supply chain. If you are a supplier to an NIS2 entity, expect new contractual cybersecurity requirements in the near future.

The Advantage of Acting Before Enforcement Starts

Germany's experience is instructive. Of approximately 29,500 in-scope organisations, around 18,000 missed the BSI registration deadline. They are now dealing with a regulator that has the authority to audit, fine, and hold directors personally liable — without any preparation.

The Netherlands is not there yet. Entry into force is still weeks away. That gap — small as it is — is still an advantage for organisations that use it.

A structured readiness scan takes minutes and tells you exactly where your compliance gaps are against all ten Article 21 measures. Start the free NIS2 readiness scan before the registration deadline arrives.

The Cbw Is Live — What Comes Next

Parliament has voted. The Senate and Staatscourant are formalities at this point. The RDI is preparing its supervisory infrastructure. The NCSC is ready to receive registrations.

For the vast majority of Dutch organisations that have not yet started, the question is no longer whether NIS2 applies. It is how far behind they already are.
