Netherlands
(a) What is the NIS2 implementation status?
The Netherlands has not yet adopted an NIS2 implementation law. A draft law (Cyberbeveiligingswet) is currently under legislative procedure and is expected to enter into force in 2026. Until adoption, the existing NIS1-based framework remains applicable, and no binding NIS2 obligations are yet in force.
(b) What is the envisaged NIS2 implementation timeline?
Under the Dutch NIS2 framework, essential and important entities, as well as domain name registration service providers, may register with the National Cyber Security Centre (NCSC) on a voluntary basis in accordance with Article 45.
At present, registration is voluntary. Mandatory registration obligations will apply once the relevant national NIS2 legislation enters into force.
The competent authority and CSIRT functions are jointly exercised by the Ministry of Justice and Security and the NCSC pursuant to Article 16, supplemented by additional sector‑specific authorities where applicable.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The NIS2 Directive will replace the original NIS Directive, which was implemented in the Netherlands through the Network and Information Systems Security Act (Wbni) in 2018. Once the Cybersecurity Act (Cbw) enters into force, the Wbni will be repealed. Additionally, it is expected that supporting legislation – such as the Decree (Bbni) and the Ministerial Regulation (Regeling IenW) – will be amended to align with the updated obligations and expanded scope introduced by the NIS2 Directive.
(d) Who will be the supervisory authority and how are they preparing the market?
The Dutch Digital Infrastructure Authority (Rijksinspectie Digitale Infrastructuur; ‘RDI’) ensures the availability, continuity, and reliability of Dutch digital infrastructure. The RDI advises the Dutch legislator on laws and regulations, whilst ensuring independent and impartial enforcement and supervision. On 18 October 2023, the RDI launched its NIS2 self-assessment tool for Dutch businesses, which it developed in close coordination with relevant ministries and regulators. Those who complete the self-assessment will know whether their organization falls under the scope of NIS2. It also helps to determine whether the organization is considered "essential" or "important" to the functioning of society and/or the economy according to NIS2. At the start of the consultation period (see above), the Dutch government will also announce action perspectives that can help organizations prepare for the upcoming Dutch legislation. Member states are required to support critical, essential and important entities in improving their resilience to digital threats. NIS2 also requires that essential and important entities are supported with advice and assistance by a CSIRT, the Dutch National Cyber Security Centre (NCSC). Government support can also include information sharing, guidance and resilience enhancement tools, such as tools for conducting a risk assessment.
(e) What should you be doing/on the lookout for?
Despite the lack of legislation, the Dutch ministry advises companies to prepare for the law in the meantime by interpreting the current Wbni in a NIS2-compliant manner. For example, companies can already carry out risk analyses, raise staff awareness and tighten incident procedures.
Essential entities, important entities and entities providing domain name registration services can register with the NCSC on a voluntary basis from 17 October 2024. This registration will only be mandatory after the Cyber Security Service comes into effect. In order to ensure that entities can easily provide and manage the information for registration, the government has opted to set up a central registration functionality at the NCSC. It is also possible to voluntarily report incidents in this registration portal.
Furthermore, organizations potentially in scope of NIS2 should already consult their legal advisors in order to:
- identify the scope of application of NIS2 to their business;
- start compiling action lists and checklists tailored to the business;
- get the management and relevant staff trained and educated about NIS2 requirements;
- perform risk analysis to identify any gaps in compliance.
Contact
Olaf van Haperen E: olafvanhaperen@eversheds-sutherland.com
Robbert Santifort E: robbertsantifort@eversheds-sutherland.com
© Eversheds Sutherland. All rights reserved.