12 March 2026 Update - The transposition of NIS 2 in the Netherlands
The Kingdom of the Netherlands has not yet completed the formal transposition of Directive (EU) 2022/2555 (NIS 2) into national law.
Although the legislative process has progressed and a comprehensive implementation bill has been introduced, the directive has not yet been fully incorporated into the Dutch legal framework through enacted legislation. Consequently, the Netherlands remains in a legislative transition phase, where the existing cybersecurity regime continues to apply while the NIS 2 implementation law is still undergoing parliamentary examination.
Prior to NIS 2, the Netherlands implemented the earlier NIS Directive (Directive 2016/1148) through the Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen – Wbni). This law established cybersecurity obligations for operators of essential services and digital service providers and created mechanisms for incident reporting and national cybersecurity coordination.
Under the Wbni framework, cybersecurity supervision and incident response are coordinated by several authorities. The National Cyber Security Centre (NCSC-NL) plays a central role in national cybersecurity coordination and incident response, while sector-specific regulators supervise compliance in the sectors falling under their jurisdiction.
Although the Wbni provided an established legal framework for cybersecurity governance, it was based on the more limited regulatory architecture of the original NIS Directive and therefore required significant amendments to align with the broader scope and governance requirements introduced by NIS 2.
Under Article 41 of the NIS 2 Directive, Member States were required to adopt national implementing legislation by 17 October 2024. The Netherlands did not meet this deadline.
As a result, the European Commission initiated infringement proceedings against several Member States that had not notified complete transposition measures. On 7 May 2025, the Commission issued a reasoned opinion to the Netherlands for failure to notify full transposition of the directive.
The Dutch government has prepared a comprehensive legislative reform known as the Cybersecurity Act (Cyberbeveiligingswet – Cbw). This draft law is intended to transpose the NIS 2 Directive into Dutch law and replace the existing Wbni framework.
The draft Cybersecurity Act was submitted to the Dutch House of Representatives (Tweede Kamer) on 2 July 2024 and is currently progressing through the national legislative procedure.
The bill introduces a significantly expanded cybersecurity regulatory framework aligned with the NIS 2 Directive. It extends the scope of regulated sectors and introduces the classification of essential entities and important entities, which must comply with enhanced cybersecurity risk-management obligations and incident-reporting requirements.
The proposed Cybersecurity Act will significantly increase the number of organisations subject to cybersecurity regulation in the Netherlands. Under the earlier Wbni framework, only a limited number of operators of essential services were regulated. Under the NIS 2 regime, the number of regulated entities is expected to increase to several thousand organisations across sectors such as energy, transport, healthcare, digital infrastructure, public administration, and manufacturing.
Current government planning indicates that the Cybersecurity Act is expected to enter into force during 2026, although the exact date will depend on the completion of the parliamentary process and the adoption of implementing regulations.
EU - Transposition, Member States