NIS 2 Status in the Netherlands
The Netherlands transposes the EU NIS 2 Directive through the Cyberbeveiligingswet (Cbw). The legislative process ran late, so Dutch entities should track both the EU floor and the Cbw text now in the Tweede Kamer.
Overview
The legal foundation is the EU NIS 2 Directive (2022/2555). It sets the floor for cybersecurity obligations across every member state. The Netherlands writes that floor into national law through the Cyberbeveiligingswet (Cbw), which replaces the older Wbni (Wet beveiliging netwerk- en informatiesystemen) that implemented NIS 1.
The 17 October 2024 EU transposition deadline was missed by the Netherlands and by most member states, including Germany. The Dutch bill went through public consultation in 2024, was submitted to the Tweede Kamer in 2025, and is expected to enter into force during 2026. The Commission opened an infringement procedure against the late member states.
Once Cbw enters into force, obligations apply without a transition window, mirroring how Germany handled BSIG. Two practical anchors hold today: the EU directive itself, and the published Dutch draft. Use both when scoping work.
EU Directive
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2).
Sets risk management obligations (Art. 21), incident reporting (Art. 23), management body accountability (Art. 20), and registration of entities (Art. 27). Member states must transpose into national law but cannot go below the floor.
EU Implementing Regulation
Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 (CIR).
Specifies in detail what Art. 21 measures look like for digital infrastructure, DNS, cloud, data centre, content delivery, managed service providers, and online marketplaces. Directly applicable in the Netherlands without further national act.
Dutch Transposition
Cyberbeveiligingswet (Cbw), Dutch government bill currently before parliament; the older Wbni stays in force until Cbw takes effect.
Cbw assigns supervision and CSIRT roles, defines essential and important entities for the Netherlands, and adds national specifics such as fees, designation procedures and sector handovers. Articles cited in this page refer to the published consultation draft and may change before adoption.
Cyberbeveiligingswet (Cbw)
Transposes Articles 1 to 41 of NIS 2 into Dutch law. Defines essential (essentiële) and important (belangrijke) entities, sets supervisory powers, fines and incident reporting procedures, and integrates the EU CIR by reference.
RDI, sector regulators, NCSC-NL
The Rijksinspectie Digitale Infrastructuur (RDI) is the lead supervisor for many sectors, including digital infrastructure and most digital service providers. Sector regulators keep their lane (for example DNB for banking, AFM for financial markets, ACM for telecoms). NCSC-NL is the national CSIRT.
EU deadline missed, registration via the Dutch portal
The 17 October 2024 EU deadline passed without Dutch transposition. Once Cbw enters into force, entities must register with the competent authority and report significant incidents within 24 hours (early warning) and 72 hours (full notification), in line with Art. 23 NIS 2.
National law applies where you operate
An entity providing services in the Netherlands is supervised under Dutch law for those activities, even if its head office sits elsewhere. The main establishment rule of Art. 26 NIS 2 decides which member state takes primary supervision, but local activity still triggers reporting where the incident lands.
The directive is the floor, never the ceiling
The Cbw cannot fall below NIS 2. It can be stricter on national specifics (designation procedures, fees, sector lists). For risk management measures and incident reporting, the EU text and CIR set the substance; the Dutch act adds the procedural wrapping.
Rijksinspectie Digitale Infrastructuur (RDI)
Lead competent authority for many NIS 2 sectors in the Netherlands, including digital infrastructure, ICT service management, digital providers and several other Annex I and II sectors. Successor to Agentschap Telecom; sits under the Ministry of Economic Affairs.
NCSC-NL (Nationaal Cyber Security Centrum)
National CSIRT under the Ministry of Justice and Security. Receives incident notifications under Art. 23, runs sector advisories, and coordinates with ENISA and other national CSIRTs. The Dutch government has announced a consolidated national cybersecurity service, but NCSC-NL is the operational CSIRT today.
ENISA
Issues EU-level guidance and technical implementation reports. Not a regulator of Dutch entities, but its outputs (such as the Technical Implementation Guidance and crosswalks to ISO 27001) are the practical reference for evidencing Art. 21 measures.
Dutch NIS 2 mirrors the German BSIG one to one.
Both transpose the same directive, but the texts differ. The Netherlands keeps a stronger sector-regulator model and uses RDI as a horizontal supervisor; Germany channels almost everything through BSI. Penalty levels, registration mechanics, and management training duties are written differently. Read Cbw on its own terms, not as a translation of BSIG.
There is no Dutch registration obligation yet, so we can wait.
Art. 27 NIS 2 requires every member state to maintain a register and entities to provide their data. The Netherlands will run a registration channel through the competent authorities once Cbw enters into force. The two-week update rule of Art. 27(2) is EU-wide and binds Dutch entities the moment the law applies.
My sector regulator handles everything, RDI is not relevant.
Sector regulators retain their financial, telecoms or health supervisory lane. RDI is the horizontal cybersecurity supervisor for several sectors and the point of contact for cross-sector cybersecurity questions. For DORA-covered financial entities, DORA acts as lex specialis on cybersecurity, but NIS 2 registration under Art. 27 still applies.
Most Dutch entities in scope already know they will be in scope. The question is not whether NIS 2 lands, but how the Dutch act will route them. Track two things weekly: the Cbw legislative status in the Tweede Kamer, and any RDI sector communication that anchors timing or scoping.
Operationally, the four constant duties hold today on the EU level: govern security with management accountability (Art. 20), run risk management measures (Art. 21), report significant incidents on the 24 hour and 72 hour clock (Art. 23), and prepare to register (Art. 27). None of those four require the Dutch act to be in force to be useful.
Our register of obligations is anchored to the EU directive and CIR, then layered with national transpositions. Dutch entities can start on the directive layer immediately and switch the national overlay to Cbw once it enters into force, without re-doing the underlying work.
Incident reporting templates align with Art. 23 timing (24h early warning, 72h full notification). Supplier obligations follow Art. 21(2)(d) and CIR §6, which apply identically across member states. The Dutch overlay handles authority routing, language requirements and any national specifics that the Cbw adds.
- Directive (EU) 2022/2555 (NIS 2): EUR-Lex, OJ L 333, 27 December 2022
- Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024
- Wetsvoorstel Cyberbeveiligingswet (Cbw), consultation and Tweede Kamer documentation, internetconsultatie.nl
- Wbni: Wet beveiliging netwerk- en informatiesystemen (current law, NIS 1 transposition)
- Rijksinspectie Digitale Infrastructuur (RDI), rdi.nl, NIS 2 supervisory information
- NCSC-NL, ncsc.nl, incident notification and CSIRT guidance
- ENISA, NIS 2 Technical Implementation Guidance (v1.2, 2025)