The Cyberbeveiligingswet: what does the Dutch implementation of NIS2 mean for your organisation?

Cyberattacks are making headlines with increasing frequency. Telecom provider Odido suffered one of the largest data breaches in Dutch history, healthcare software provider ChipSoft was hit by ransomware, and organisations such as Rituals, Booking.com and Basic-Fit also faced major data incidents in recent months. And these are just the headline cases from the first months of 2026.

To respond to the growing threats posed by digitalisation and the surge in cyberattacks, the European NIS2 Directive entered into force in January 2023. The Netherlands is now translating that directive into national law through the Cyberbeveiligingswet (Cybersecurity Act).

Are you a board member, compliance officer or legal adviser? Then now is the time to understand what this law means for your organisation.

Where things stand: what already applies and what does not?

The NIS2 Directive entered into force at EU level on 17 October 2024 and must be implemented by all member states. In the Netherlands, this is happening through the Cyberbeveiligingswet, which was adopted by the House of Representatives on 15 April 2026 and is currently pending before the Senate.

The substantive obligations, including the duty of care, reporting obligations and registration requirements, do not yet formally apply. However, the law is expected to enter into force in Q2 2026. Around 8,100 organisations are estimated to fall within scope. Organisations are already being urged by the government to prepare.

Does your organisation fall under this law?

Essential and Important Entities

The Cyberbeveiligingswet distinguishes between two categories of entity:

  • Essential entities: organisations operating in critical sectors listed in Annex , plus ministries, provinces, municipalities, water authorities, and entities designated as critical under the Wet weerbaarheid kritieke entiteiten (Critical Entities Resilience Act).

  • Important entities: organisations in sectors listed in Annex 1 or 2 that do not qualify as essential but do meet the size criteria.

Compared to the current Wbni, significantly more sectors and organisations fall within the scope of the new law. The Wbni will be formally repealed when the Cyberbeveiligingswet enters into force.

The three core obligations

1. Duty of care: technical and organisational measures

The Act requires organisations to take appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks and limit the impact of incidents.

Article 21 sets out 10 baseline measures that every in-scope organisation must implement as a minimum. These include:

  • risk analysis and security policies

  • incident handling

  • business continuity planning (think backup management and crisis procedures)

  • supply chain security

  • cyber hygiene and training

  • cryptography

  • access control, and the use of multi-factor authentication.

What the Act deliberately does not prescribe is how you implement these measures. That is for you to determine based on your own risk analysis. Recognised frameworks such as those of NOREA and the Auditdienst Rijk, ISO 27001 and NEN 7510 can be useful for structuring your approach. However, using a recognised standard does not automatically mean you meet the legal requirements. You still need to ensure that the specific measures from the underlying Cyberbeveiligingsbesluit (Cybersecurity Decree) are part of your security package.

Please note that the duty of care also extends to your suppliers and service providers. Organisations are expected to assess supply chain risks as part of their cybersecurity approach. If you haven't had that conversation with key suppliers yet, now is a good time to start.

2. Duty to report: significant incidents must be reported

If your organisation experiences a significant incident, you are obliged to report it to both the NCSC (as CSIRT) and the competent supervisory authority.

The good news is that the dual reporting obligation is being designed as a single action. One submission reaches both parties simultaneously.

3. Registration obligation: central registration via eHerkenning

Essential and important entities must register centrally with the NCSC via eHerkenning (the Dutch government digital identification system). The information you will need to provide includes contact details, IP ranges, and the sector(s) in which the entity operates. Registration details must be kept up to date.

Board-level accountability: cybersecurity is not just an IT matter

One of the most significant changes is that cybersecurity becomes an explicit board-level responsibility.

According to Article 24, board members must approve and oversee cybersecurity risk management measures and demonstrate sufficient knowledge to identify and assess cyber risks. Existing and newly appointed board members must comply with the knowledge requirements within two years, and knowledge must be kept up to date through ongoing training.

A training certificate is one way to demonstrate compliance. The specific requirements are set out in the Cyberbeveiligingsbesluit (Cybersecurity Decree).

The underlying message is straightforward: cybersecurity is a boardroom responsibility, not something to delegate entirely to IT. Directors who fail to meet these obligations may face personal liability.

Supervision and enforcement: who is watching?

The Supervisory Authority

Supervision is organised by sector and carried out by designated regulators such as the RDI and DNB.

Different Levels of Scrutiny

  • Essential entities are subject to proactive, comprehensive supervision. This includes, for example, security scans, security audits, inspections and the possible appointment of a monitoring officer (controlefunctionaris), regardless of whether anything has gone wrong.

  • Important entities are subject to reactive supervision only. The authorities can only step in once they have received signals or evidence suggesting a possible breach.

Sanctions

Supervisors can impose binding instructions, penalty payments and significant administrative fines up to €10 million or 2% of global annual turnover for essential entities.

Assistance from the CSIRT

In-scope organisations can call on the NCSC's Computer Security Incident Response Team (CSIRT) when incidents occur. The CSIRT provides operational support in handling cyber security incidents, including early warnings, advice, threat information and, where relevant, guidance on reporting to law enforcement. The CSIRT also plays a coordination role between sectors and across EU member states.

Don't forget the physical side

The Cyberbeveiligingswet focuses on digital security. But if your organisation performs critical functions, the Wet weerbaarheid kritieke entiteiten (Wkke) sits alongside it and covers physical security against natural disasters, accidents, terrorism and sabotage. Organisations designated as critical under the Wkke automatically qualify as essential entities under the Cyberbeveiligingswet. For a complete picture of your risk profile, you need to look at both.

What can you do today?

You do not need to wait for the Act to enter into force. In fact, you should not. Here are some concrete steps you could take today:

  1. Run the self-assessment to find out whether your organisation falls within scope and under which category (Self-Evaluation Tool).

  2. Put it on the board agenda. Directors need to understand what is coming and what their personal obligations will be.

  3. Review your current cybersecurity measures and identify where improvements are needed.

  4. Work through the 10 security measures in Article 21 of the Cyberbeveiligingswet as your starting framework.

  5. Talk to your suppliers about their security posture. The chain responsibility applies to you too.

Do you have questions about the Cyberbeveiligingswet or would you like to understand what the obligations mean for your specific situation? Feel free to contact us.
