Netherlands

(a) What is the NIS2 implementation status?

The Dutch legislator published (for Internet consultation) the draft Cybersecurity Act implementing the European NIS2 Directive. The consultation closed on 2 July 2024. This Act imposes, among other things, cyber resilience obligations on important and essential entities, such as taking adequate security measures and reporting ICT incidents. The current Wbni (implementing NIS1) will be repealed by this Act.

(b) What is the envisaged NIS2 implementation timeline?

After processing the opinions submitted during the public consultation period and mandatory advice by the Advisory Division of the Council of State, the bills can be submitted to the House of Representatives for parliamentary consideration, if necessary, after renewed consideration in the Council of Ministers.

The Dutch Ministry of Justice and Security warns in a letter to the House of Representatives that the implementation deadline in October for NIS2 will not be met. Due to the large number of ministries involved, complex content and countless legal and policy choices, drawing up these concepts takes more time than initially expected. In addition to the network and information security directive, the CER directive for protecting critical infrastructure is also not being achieved on time.

When the updated Wbni comes into force, from the moment on, the organizations that are established in the Netherlands, provide services or carry out activities in the Netherlands as part of Dutch critical infrastructure and (thus) fall in scope of NIS2, must in essence:

• register with the competent supervisory authority (see below)
• comply with their (expanded) duty of care
• analyse and ensure control over the supply chain
• comply with (tighter) reporting obligations
• implement adequate governance controls, and
• upgrade their cyber security risk management measures

(c) What does the NIS2 mean for other national cybersecurity legislation?

The NIS2 Directive is the successor of the first NIS Directive, which was transposed in the first Network and Information Systems Security Act (Wbni) in the Netherlands in 2018. We expect also the Decree (Bbni) and Ministerial regulation (Regeling IenW) on Network and Information Systems Security will be amended for the purposes of NIS2.

(d) Who will be the supervisory authority and how are they preparing the market?

The Dutch Digital Infrastructure Authority (Rijksinspectie Digitale Infrastructuur; ‘RDI’) ensures the availability, continuity, and reliability of Dutch digital infrastructure. The RDI advises the Dutch legislator on laws and regulations, whilst ensuring independent and impartial enforcement and supervision. On 18 October 2023, the RDI launched its NIS2 self-assessment tool, which it developed in close coordination with relevant ministries and regulators for entrepreneurial Netherlands. Those who complete the self-assessment will know whether their organization falls under the scope of NIS2. It also helps to determine whether the organization is considered "essential" or "important" to the functioning of society and/or the economy according to NIS2. At the start of the consultation period (see above), the Dutch government will also announce action perspectives that can help organizations prepare for the upcoming Dutch legislation. Member states are required to support critical, essential and important entities in improving their resilience to digital threats. NIS2 also requires that essential and important entities are supported with advice and assistance by a CSIRT, the Dutch National Cyber Security Centre (NCSC). Further support from the government can further include information sharing, guidance and resilience enhancement tools, such as for conducting a risk assessment.

(e) What should you be doing/on the lookout for?

Despite the lack of legislation, the Dutch ministry advises companies to prepare for the law in the meantime by explaining the current Wbni in a NIS2-compliant manner. For example, companies can already carry out risk analyzes, make staff aware and tighten incident procedures.

Essential entities, important entities and entities providing domain name registration services can register with the NCSC on a voluntary basis from 17 October 2024. This registration will only be mandatory after the Cyber Security Service comes into effect. In order to ensure that entities can easily provide and manage the information for registration, the government has opted to set up a central registration functionality at the NCSC. It is also possible to voluntarily report incidents in this registration portal.

Furthermore, organizations potentially in scope of NIS2, should already seek consultation with their legal advisors in order to:

• identify the scope of application of NIS2 to their business;
• start compiling action- and checklists tailored to the business;
• get the management and relevant staff trained and educated about NIS2 requirements;
• perform risk analysis to identify any gaps in compliance.