NL transposition

NIS 2 Status in the Netherlands

The Netherlands transposes the EU NIS 2 Directive through the Cyberbeveiligingswet (Cbw). The legislative process ran late, so Dutch entities should track both the EU floor and the Cbw text now in the Tweede Kamer.

Simon OrzelSimon Orzel·

Overview

The legal foundation is the EU NIS 2 Directive (2022/2555). It sets the floor for cybersecurity obligations across every member state. The Netherlands writes that floor into national law through the Cyberbeveiligingswet (Cbw), which replaces the older Wbni (Wet beveiliging netwerk- en informatiesystemen) that implemented NIS 1.

The 17 October 2024 EU transposition deadline was missed by the Netherlands and by most member states, including Germany. The Dutch bill went through public consultation in 2024, was submitted to the Tweede Kamer in 2025, and is expected to enter into force during 2026. The Commission opened an infringement procedure against the late member states.

Once Cbw enters into force, obligations apply without a transition window, mirroring how Germany handled BSIG. Two practical anchors hold today: the EU directive itself, and the published Dutch draft. Use both when scoping work.

Legal Anchor
Three layers stack: the EU directive, the EU implementing regulation, and the Dutch transposition.

EU Directive

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2).

Sets risk management obligations (Art. 21), incident reporting (Art. 23), management body accountability (Art. 20), and registration of entities (Art. 27). Member states must transpose into national law but cannot go below the floor.

EU Implementing Regulation

Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 (CIR).

Specifies in detail what Art. 21 measures look like for digital infrastructure, DNS, cloud, data centre, content delivery, managed service providers, and online marketplaces. Directly applicable in the Netherlands without further national act.

Dutch Transposition

Cyberbeveiligingswet (Cbw), Dutch government bill currently before parliament; the older Wbni stays in force until Cbw takes effect.

Cbw assigns supervision and CSIRT roles, defines essential and important entities for the Netherlands, and adds national specifics such as fees, designation procedures and sector handovers. Articles cited in this page refer to the published consultation draft and may change before adoption.

Three Building Blocks
Every NIS 2 national regime, the Netherlands included, holds the same three building blocks.
Law

Cyberbeveiligingswet (Cbw)

Transposes Articles 1 to 41 of NIS 2 into Dutch law. Defines essential (essentiële) and important (belangrijke) entities, sets supervisory powers, fines and incident reporting procedures, and integrates the EU CIR by reference.

Authority

RDI, sector regulators, NCSC-NL

The Rijksinspectie Digitale Infrastructuur (RDI) is the lead supervisor for many sectors, including digital infrastructure and most digital service providers. Sector regulators keep their lane (for example DNB for banking, AFM for financial markets, ACM for telecoms). NCSC-NL is the national CSIRT.

Deadlines

EU deadline missed, registration via the Dutch portal

The 17 October 2024 EU deadline passed without Dutch transposition. Once Cbw enters into force, entities must register with the competent authority and report significant incidents within 24 hours (early warning) and 72 hours (full notification), in line with Art. 23 NIS 2.

Two Operating Principles
Two rules that resolve almost every doubt about how Dutch and EU obligations interact.

National law applies where you operate

An entity providing services in the Netherlands is supervised under Dutch law for those activities, even if its head office sits elsewhere. The main establishment rule of Art. 26 NIS 2 decides which member state takes primary supervision, but local activity still triggers reporting where the incident lands.

The directive is the floor, never the ceiling

The Cbw cannot fall below NIS 2. It can be stricter on national specifics (designation procedures, fees, sector lists). For risk management measures and incident reporting, the EU text and CIR set the substance; the Dutch act adds the procedural wrapping.

Authorities and Institutions
Who does what under Dutch NIS 2.
NL

Rijksinspectie Digitale Infrastructuur (RDI)

Lead competent authority for many NIS 2 sectors in the Netherlands, including digital infrastructure, ICT service management, digital providers and several other Annex I and II sectors. Successor to Agentschap Telecom; sits under the Ministry of Economic Affairs.

NL

NCSC-NL (Nationaal Cyber Security Centrum)

National CSIRT under the Ministry of Justice and Security. Receives incident notifications under Art. 23, runs sector advisories, and coordinates with ENISA and other national CSIRTs. The Dutch government has announced a consolidated national cybersecurity service, but NCSC-NL is the operational CSIRT today.

EU

ENISA

Issues EU-level guidance and technical implementation reports. Not a regulator of Dutch entities, but its outputs (such as the Technical Implementation Guidance and crosswalks to ISO 27001) are the practical reference for evidencing Art. 21 measures.

Common Pitfalls
Three mistakes Dutch entities and their foreign parents repeat.
  • Dutch NIS 2 mirrors the German BSIG one to one.

    Both transpose the same directive, but the texts differ. The Netherlands keeps a stronger sector-regulator model and uses RDI as a horizontal supervisor; Germany channels almost everything through BSI. Penalty levels, registration mechanics, and management training duties are written differently. Read Cbw on its own terms, not as a translation of BSIG.

  • There is no Dutch registration obligation yet, so we can wait.

    Art. 27 NIS 2 requires every member state to maintain a register and entities to provide their data. The Netherlands will run a registration channel through the competent authorities once Cbw enters into force. The two-week update rule of Art. 27(2) is EU-wide and binds Dutch entities the moment the law applies.

  • My sector regulator handles everything, RDI is not relevant.

    Sector regulators retain their financial, telecoms or health supervisory lane. RDI is the horizontal cybersecurity supervisor for several sectors and the point of contact for cross-sector cybersecurity questions. For DORA-covered financial entities, DORA acts as lex specialis on cybersecurity, but NIS 2 registration under Art. 27 still applies.

Practitioner View

Most Dutch entities in scope already know they will be in scope. The question is not whether NIS 2 lands, but how the Dutch act will route them. Track two things weekly: the Cbw legislative status in the Tweede Kamer, and any RDI sector communication that anchors timing or scoping.

Operationally, the four constant duties hold today on the EU level: govern security with management accountability (Art. 20), run risk management measures (Art. 21), report significant incidents on the 24 hour and 72 hour clock (Art. 23), and prepare to register (Art. 27). None of those four require the Dutch act to be in force to be useful.

How the Platform Helps

Our register of obligations is anchored to the EU directive and CIR, then layered with national transpositions. Dutch entities can start on the directive layer immediately and switch the national overlay to Cbw once it enters into force, without re-doing the underlying work.

Incident reporting templates align with Art. 23 timing (24h early warning, 72h full notification). Supplier obligations follow Art. 21(2)(d) and CIR §6, which apply identically across member states. The Dutch overlay handles authority routing, language requirements and any national specifics that the Cbw adds.

Sources
  • Directive (EU) 2022/2555 (NIS 2): EUR-Lex, OJ L 333, 27 December 2022
  • Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024
  • Wetsvoorstel Cyberbeveiligingswet (Cbw), consultation and Tweede Kamer documentation, internetconsultatie.nl
  • Wbni: Wet beveiliging netwerk- en informatiesystemen (current law, NIS 1 transposition)
  • Rijksinspectie Digitale Infrastructuur (RDI), rdi.nl, NIS 2 supervisory information
  • NCSC-NL, ncsc.nl, incident notification and CSIRT guidance
  • ENISA, NIS 2 Technical Implementation Guidance (v1.2, 2025)
Run a Dutch applicability check
Five minutes, sector by sector. Returns whether the entity is essential or important under NIS 2 and which obligations land first.