NIS2 Country Guide

NIS2 Netherlands: Cybersecurity Act, Authorities & Key Requirements

Understand how the Netherlands is implementing the NIS2 Directive (EU) 2022/2555 through the new Cybersecurity Act (Wet Cyberbeveiliging), which entities fall under the expanded scope, how supervision and incident reporting will work, and which steps you should take to get ready.

Netherlands Cybersecurity Act: Pending Final Adoption

Coordinated by: NCSC & Ministry of Justice & Security

Introduction: NIS2 Directive & the Dutch context

The Netherlands is preparing a comprehensive cybersecurity law, the Wet Cyberbeveiliging (Cybersecurity Act), which will implement the NIS2 Directive.

NIS2 will extend obligations to many more sectors and organisations, including medium-sized companies and IT/managed service providers. Dutch authorities are currently finalising the act and secondary regulations.

NIS2 implementation in the Netherlands

The Dutch government is implementing NIS2 through the new Wet Cyberbeveiliging (Cybersecurity Act). This act will:

  • replace the current Wbni law,
  • expand the scope to many more organisations,
  • introduce new obligations for governance, risk management and supply chain security,
  • strengthen supervisory powers of Dutch authorities,
  • introduce stricter reporting rules for cybersecurity incidents.

Status

The draft Wet Cyberbeveiliging was published for public consultation in 2024. The legislative process is ongoing, with adoption expected in 2025. The Netherlands did not meet the EU transposition deadline of 17 October 2024, but implementation is at an advanced stage.

Current law

Wbni (2018) remains in force until the new Cybersecurity Act replaces it.

Key change

NIS2 brings a much larger scope of essential and important entities, including digital infrastructure, healthcare providers, manufacturing, waste management, postal services, cloud & MSPs.

NIS2 Netherlands: what you need to know about compliance & supervision

The Netherlands will follow the NIS2 essential/important entity model, with strong emphasis on incident reporting, governance, supply-chain security and minimum security measures.

Scope criteria

  • Organisations operating in sectors listed in Annex I or II of NIS2.
  • Medium-sized entities (≥50 employees or ≥€10m turnover) unless specifically excluded.
  • Certain entities covered regardless of size (DNS, TLD registries, cloud services, etc.).
  • MSPs/MSSPs and IT service providers are explicitly in scope.

Core obligations

  • Risk management & security policies (IT/OT)
  • Incident detection, reporting & response
  • Business continuity and crisis procedures
  • Supply-chain & vendor security controls
  • Encryption, access control, patching, vulnerability management
  • Board-level accountability & training

Standards & certification

Dutch regulators refer to ISO 27001, NIST CSF, CIS Controls and sector-specific regulations (healthcare, energy, finance). No single standard is mandated.

Incident reporting: Entities must report significant incidents to the NCSC-NL or their sectoral CSIRT within strict NIS2 timelines (early warning within 24 hours, incident notification within 72 hours, final report).

Competent authorities & CSIRT

The Netherlands uses a decentralised supervisory structure, coordinated by the Ministry of Justice & Security.

| Role | Authority | Notes |
|---|---|---|
| National authority / NIS2 coordinator | Ministry of Justice & Security | Coordinates national NIS2 policy, enforcement and cross-sectoral standards. |
| National CSIRT | NCSC-NL (Nationaal Cyber Security Centrum) | 24/7 incident handling for essential entities; publishes national threat intelligence. |
| Digital Services | Agentschap Telecom (RDI) | Supervises digital infrastructure, cloud providers, data centres, DNS, IXPs. |
| Energy sector | ACM & TSO/DSO coordination bodies | Supervises operators in electricity, gas and district heating. |
| Healthcare | Ministry of Health (VWS) | Oversees hospitals, labs, digital health providers. |
| Finance | DNB & AFM | Coordinates NIS2 obligations with DORA regulation. |

NIS2 timeline & key dates (Netherlands)

27 Dec 2022 — NIS2 Directive published.
17 Oct 2024 — EU transposition deadline (Netherlands missed).
2024 — Public consultation on draft Cybersecurity Act.
2025-2026 — Legislative process ongoing in Parliament.
Expected 2026 — Adoption and entry into force of the Wet Cyberbeveiliging, followed by transitional provisions as specified in the final Act.

Sector-specific requirements (Netherlands)

  • Energy: electricity, gas, oil, district heating overseen by ACM; strong alignment with EU sector rules.
  • Healthcare: hospitals, laboratories, e-health systems, diagnostic services.
  • Transport: air, rail, maritime and road infrastructure operators.
  • Digital infrastructure: data centres, DNS, IXPs, TLD registries, cloud hosting, MSPs.
  • Public sector: municipalities and government agencies are affected where they provide essential services.
  • Finance: coordinated with DNB/AFM under DORA.

Penalties for non-compliance

The Netherlands will apply NIS2’s EU penalty structure, including:

  • Up to €10 million or 2% of global turnover for essential entities.
  • Up to €7 million or 1.4% of global turnover for important entities.
  • Orders to take corrective action.
  • Mandatory audits and ongoing supervision.
  • Temporary suspension of activities in extreme cases.

Additional fines may apply under the Telecommunications Act and other Dutch regulations, depending on the sector.

How to prepare for NIS2 in the Netherlands

  1. Determine scope: identify whether you qualify as an essential or important entity.
  2. Perform a NIS2 gap assessment: compare existing controls to NIS2 requirements.
  3. Strengthen governance: ensure board accountability and assign security responsibilities.
  4. Update risk management: implement robust IT/OT security measures and monitoring.
  5. Review supply chain: update contracts to include supplier cybersecurity obligations.
  6. Prepare for reporting: set up incident detection and escalation procedures.
  7. Train staff & management: run awareness programs and tabletop exercises.
  8. Document everything: evidence policies, procedures, controls and improvements.

FAQ: NIS2 in the Netherlands

Has the Netherlands implemented NIS2?
Not yet. The Cybersecurity Act is in the finalisation stage and expected in 2025. The Netherlands missed the EU deadline but is progressing towards full transposition.

What law will replace the Wbni?
The Wet Cyberbeveiliging (Cybersecurity Act) will replace Wbni and align Dutch rules with NIS2.

Who will supervise NIS2?
Supervision will be shared between the Ministry of Justice & Security, NCSC-NL and several sectoral regulators, depending on the type of service.

Which entities will be in scope?
Essential and important entities from Annex I & II of NIS2, including energy, healthcare, transport, digital services, public administration, postal services, waste management, manufacturing and more.

Will NIS2 require ISO 27001 certification?
No mandatory certification is imposed, but ISO 27001 or similar frameworks (NIST CSF) provide strong alignment and are widely recommended.

Information provided for general guidance; consult official Dutch sources for updates as the Cybersecurity Act is finalised.