NIS2 implementation in the Netherlands

Auteurs

Otto Sleeking

Associé

Amsterdam

A broader and more formal cyber security regime

NIS2 significantly expands the scope of regulated entities compared to the first NIS Directive, its predecessor. In addition to traditional operators of essential services, NIS2, and the soon to be implemented Cbw, now also capture a broad range of digital and infrastructure-related actors, including cloud providers, data center operators, managed service providers (MSPs), managed security service providers (MSSPs), online platforms and other digital infrastructure providers.

The Cbw will transpose these expanded categories into local Dutch law. As a result, many medium-sized and large organisations in the Netherlands that were previously outside the Wbni regime are likely to fall within the scope once the Cbw enters into effect. In line with NIS2, the Cbw also strengthens governance requirements. For instance, management bodies are required to approve and oversee cyber security risk management measures. Cyber security is therefore no longer solely an operational IT matter; it becomes a governance and accountability issue at board level. Organisations will need to demonstrate that risk assessments, mitigation strategies and risk acceptance decisions are documented and subject to appropriate oversight.

For some entities, this will primarily require formalising existing practices. For others, it may necessitate more substantial organisational adjustments.

Implementation in the Netherlands – the Cbw

The Dutch implementation of NIS2 closely follows the structure and minimum harmonisation model of NIS2 Directive itself. The Netherlands has not indicated that it intends to materially deviate from or expand upon the core NIS2 obligations. The distinction between essential and important entities, the risk management measures of Article 21 NIS2, the staged incident reporting regime and the differentiated supervisory model will be transposed substantially in line with NIS2.

Where the Dutch implementation differs in practice is in its institutional structure for supervision and the early preparation of operational tools. Rather than establishing a single central cyber security authority, the Cbw builds on the Netherlands’ existing regulatory landscape. Supervisory responsibility will be distributed across multiple authorities, depending on sector or activity. For example, digital infrastructure and managed services fall under the Netherlands Authority for Digital Infrastructure (RDI) but for the transport and water sectors, the Human Environment and Transport Inspectorate (ILT) will carry out a significant supervisory role, with sectoral ministries involved in policy alignment. These mappings reflect a sector-specific distribution of supervisory tasks, in line with how Dutch administrative law usually organises oversight.

A notable aspect of the Dutch approach is that preparatory steps have already been taken with respect to the registration obligations that arise from NIS2/Cbw. In line with Article 27 NIS2, the Cbw will introduce a registration obligation for in-scope entities. Although the Cbw has not yet entered into force, the Dutch authorities have already developed and made available a digital registration infrastructure in anticipation. Organisations that expect to fall within scope are therefore able – and encouraged – to prepare for registration in advance of formal commencement.

In practical terms, this means that while the substantive obligations will only become legally binding on entry into force of the Cbw, the operational groundwork for supervision, including registration, is already being put in place. The Dutch implementation does not materially alter the content of NIS2, but it demonstrates that supervisory readiness – particularly in relation to registration – is being actively prepared before the Cbw formally applies.

What organisations can do now

As indicated, the expected entry into force of the Dutch Cybersecurity Act in Q2 2026 provides a clear timeline for planning. Organisations that are likely to fall within scope should use this period proactively.

A structured preparatory approach may include:

assessing whether the organisation qualifies as an essential or important entity under the NIS2 classification framework, taking into account sector and size thresholds
determining where the organisation’s main establishment is located for jurisdictional purposes, particularly in cross-border group structures
reviewing governance arrangements to ensure that management oversight of cybersecurity risk management is clearly documented and formally embedded
evaluating supply chain risk management processes in light of NIS2 requirements
testing incident detection, escalation and reporting procedures against the timelines and standards introduced by the Directive
preparing the information that will be required for registration once the Dutch regime becomes applicable.

Although registration is not yet mandatory, it is advisable for entities that are aware that they will likely fall within the scope of NIS2/Cbw to monitor official communications closely and be prepared to register promptly once the Cbw enters into force. Early readiness will reduce implementation pressure and facilitate orderly compliance.

The delay in Dutch implementation provides additional preparation time, but it does not alter the substantive obligations that will apply. Organisations that are already aligning governance, documentation and risk management structures now will be better positioned when the Cbw becomes operational in the Netherlands.