Netherlands


(a) What is the NIS2 implementation status?

The Netherlands has adopted its NIS2 implementation law, the Cyberbeveiligingswet (Cbw). The Dutch Senate approved the Cbw on 7 July 2026 and the Act will enter into force on 15 August 2026. Until that date, the existing NIS1-based framework remains applicable. From 15 August 2026, entities falling within scope will be subject to the new NIS2-based obligations.

(b) What is the envisaged NIS2 implementation timeline?

Essential and important entities, as well as domain name registration service providers, may register with the National Cyber Security Centre (NCSC) on a voluntary basis pending the entry into force of the Cyberbeveiligingswet (Cbw) on 15 August 2026. From that date, registration will become mandatory for organisations falling within scope of the Cbw.

The competent authority and CSIRT functions are jointly exercised by the Ministry of Justice and Security and the NCSC pursuant to Article 16, supplemented by additional sector-specific authorities where applicable.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The NIS2 Directive will replace the original NIS Directive, which was implemented in the Netherlands through the Network and Information Systems Security Act (Wbni) in 2018. Upon the entry into force of the Cyberbeveiligingswet on 15 August 2026, the Wbni will be repealed. Additionally, it is expected that supporting legislation and sector-specific regulatory frameworks will be aligned with the expanded obligations and scope introduced by NIS2.

(d) Who will be the supervisory authority and how are they preparing the market?

The Dutch Digital Infrastructure Authority (Rijksinspectie Digitale Infrastructuur; ‘RDI’) ensures the availability, continuity, and reliability of Dutch digital infrastructure. The RDI advises the Dutch legislator on laws and regulations, whilst ensuring independent and impartial enforcement and supervision.

Member states are required to support critical, essential and important entities in improving their resilience to digital threats. NIS2 also requires that essential and important entities are supported with advice and assistance by a CSIRT, the Dutch National Cyber Security Centre (NCSC). Further support from the government can further include information sharing, guidance and resilience enhancement tools, such as for conducting a risk assessment.

To support organisations in preparing for compliance, the Dutch National Cyber Security Centre (NCSC), acting as the national CSIRT, has developed extensive guidance on the Cyberbeveiligingswet, including a dedicated information portal, FAQs, a registration checklist, and a registration portal. In addition, the Dutch Digital Infrastructure Authority (RDI) has made available a NIS2 self-assessment tool to help organisations determine whether they fall within the scope of NIS2 and whether they qualify as an essential or important entity.

The NCSC has also encouraged organisations not to wait until the Cbw enters into force and to begin implementing cybersecurity risk management, incident response and governance measures in advance. This includes carrying out risk assessments, implementing cyber risk management measures, establishing incident reporting procedures, reviewing supply chain security arrangements and ensuring adequate board-level oversight of cybersecurity risks.

(e) What should you be doing/on the lookout for?

With the adoption of the Cyberbeveiligingswet (Cbw) by the Dutch Senate on 7 July 2026 and its entry into force scheduled for 15 August 2026, organisations should focus on achieving compliance with the new NIS2-based requirements rather than preparing for future legislation.

Essential entities, important entities and domain name registration service providers may register with the National Cyber Security Centre (NCSC) on a voluntary basis until 15 August 2026. From that date, registration through the NCSC registration portal will become mandatory for organisations falling within scope of the Cbw. Furthermore, organizations potentially in scope of NIS2 should seek consultation with their legal advisors in order to:

  • identify the scope of application of NIS2 to their business;
  • prepare for mandatory registration with the NCSC, including reviewing the NCSC registration checklist and gathering the required information;
  • get the management and relevant staff trained and educated about NIS2 requirements;
  • perform risk assessments to identify any gaps in compliance;
  • review governance arrangements and ensure adequate board-level oversight of cybersecurity risks;
  • assess incident response and reporting procedures; and
  • review supply chain and third-party risk management arrangements.

Contact

Olaf van Haperen E: olafvanhaperen@eversheds-sutherland.com

Robbert Santifort E: robbertsantifort@eversheds-sutherland.com

Compare NIS2 implementation across other EU member states

Compare now

Other Resources

Eversheds Sutherland NIS2 Directive hub

Visit webpage

Whitepaper: Everything you need to know about the NIS2 Directive

Read the whitepaper

Webinar: One year to go until the EU NIS2 Directive

Watch the webinar

Article: Focus on the NIS2 directive

Read the summary briefing

What will the European Cyber Directive NIS2 mean?

Discover more

© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.

Share this page