NIS2 in the Netherlands: Cyberbeveiligingswet Adoption in April 2026

The Dutch Parliament approved the Cyberbeveiligingswet on 15 April 2026, with target entry into force on 1 July 2026 — 21 months after the EU transposition deadline.

Yukti Singhal
Security Researcher

On 15 April 2026 the Dutch Parliament (Tweede Kamer) approved the draft Cyberbeveiligingswet (Cbw) — the Cybersecurity Act — which transposes the EU NIS2 Directive into Dutch law. The wetsvoorstel was submitted to the House of Representatives on 4 June 2025 and the government targets entry into force on 1 July 2026, subject to subsequent approval by the Senate (Eerste Kamer). The Netherlands missed the Directive's 17 October 2024 transposition deadline by approximately 21 months and was one of the 19 Member States that received a Commission reasoned opinion on 7 May 2025 for failure to notify full transposition. The Cbw closes that gap and establishes the operational framework that Dutch essential and important entities will work under.

What is the legislative structure?

The transposition is built from three documents that must be read together to understand the obligations. The Cyberbeveiligingswet itself (the Cbw) is the primary statute. It establishes scope, classification, supervisory authorities, and the framework of obligations. The Cyberbeveiligingsbesluit (Cbb) is a Royal Decree elaborating on duty of care, registration requirements, and director training. Ministerial regulations per sector provide further specification of how the Cbb's obligations apply in specific industries (energy, transport, finance, health, water, digital infrastructure, and others). The layered approach mirrors the existing Dutch legislative architecture for sectoral cybersecurity and allows the operational detail to evolve without amendment of the primary statute.

Who is in scope?

The Cbw transposes the size and sector thresholds from Article 2 of NIS2. Entities with 50 or more employees or annual turnover above €10 million in the eleven sectors of high criticality (Annex I to NIS2) are classified as essential entities. The same threshold in the seven other critical sectors (Annex II) gives important entity status. Sector-specific exceptions apply — for example, DNS service providers, top-level domain name registries, and qualified trust service providers are in scope regardless of size. The Dutch transposition adds a notable element: certain entities in the public administration sector that meet the size threshold are classified as essential, bringing parts of central and local government into the regime alongside private operators.

Who are the competent authorities?

The Cbw assigns supervision to multiple competent authorities depending on entity sector and classification. The Dutch government published the operational map alongside the parliamentary debate:

# Cbw competent authority structure (April 2026 draft)

Nationaal Cyber Security Centrum (NCSC)
  -> Designated as CSIRT for essential entities
  -> Coordinator for incident response

Rijksinspectie Digitale Infrastructuur (RDI)
  -> Supervisor for digital infrastructure entities
  -> Supervisor for ICT service management

Agentschap Telecom (now part of RDI)
  -> Trust service providers

De Nederlandsche Bank (DNB), Autoriteit Financiële Markten (AFM)
  -> Financial sector entities (alongside DORA supervision)

Inspectie Leefomgeving en Transport (ILT)
  -> Transport sector entities

Autoriteit Persoonsgegevens (AP)
  -> Where personal data implications arise (separate from cybersecurity supervision)

Sector-specific inspectorates
  -> Energy (ACM), health (IGJ), water boards, etc.

The multi-authority model reflects the complex Dutch regulatory landscape and aims to leverage existing sectoral expertise rather than create a single new cybersecurity regulator.

What obligations apply?

The Cbw imposes the standard NIS2 obligation set. Article 21 of NIS2 (covering ten technical and organisational measures) is implemented through Cbw provisions on risk analysis, incident handling, business continuity, supply chain security, secure development and acquisition, cyber hygiene and training, cryptography, access control, MFA, and asset management. The 24-hour early warning, 72-hour incident notification, and one-month final report cadence under NIS2 Article 23 is replicated in the Cbw, with NCSC operating as the reporting endpoint for essential entities and sector-specific endpoints handling certain other entity categories. Management body responsibility under NIS2 Article 20 is implemented through Cbw provisions that mandate director training and impose personal liability for gross negligence in compliance failures.

What are the penalties?

The Cbw aligns penalties to NIS2 Article 34. For essential entities, administrative fines reach up to €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, the ceiling is €7 million or 1.4%. The Cbw additionally provides for periodic penalty payments (last onder dwangsom) where corrective orders are not complied with — a Dutch administrative law mechanism that allows the supervisor to impose escalating daily fines until compliance is achieved. Periodic penalty payments are operationally significant because they can exceed the headline maximum fine over time and create a stronger incentive for prompt remediation than a one-off ceiling.

What about supply chain obligations?

Cbw Article 24 implements NIS2 Article 21(2)(d) on supply chain security. Essential and important entities must assess the cybersecurity of direct suppliers and service providers, taking into account the specific vulnerabilities of each supplier, the overall quality of products and cybersecurity practices, and the results of EU coordinated risk assessments under NIS2 Article 22. The Dutch implementation explicitly references the Toelichting (explanatory memorandum) to align expectations with the NCSC's existing supply chain guidance, including the Inkoopeisen Cybersecurity Overheid (ICO) standards used in Dutch government procurement. Essential entities are expected to retain documented evidence of supplier security assessments at contract execution and on a recurring cycle aligned to risk.

How does the Senate stage work?

Approval by the Tweede Kamer on 15 April 2026 is the lower-house stage. The Eerste Kamer (Senate) must subsequently approve the law. The Senate's role under Dutch constitutional practice is largely review of constitutionality and consistency rather than substantive policy adjustment: the Senate cannot amend the text and votes only on accept-or-reject. For a law with cross-party support like the Cbw, Senate approval is generally expected within several months of lower-house passage. The government target of 1 July 2026 for entry into force is achievable if the Senate timetable accommodates the proposed schedule; the published Senate calendar indicates the vote is likely in late May or June 2026.

What about the registration obligation?

The Cbw imposes a registration obligation on essential and important entities, transposing NIS2 Article 27. Entities must register through a designated platform (operated by RDI for most categories, with sector-specific exceptions) within a defined window after the law enters into force. The registration includes entity identification, sector and classification, primary establishment, contact persons, and an initial set of cybersecurity posture indicators. Failure to register, or registration with incorrect information, attracts dedicated administrative sanctions, broadly aligned to the Italian and German transpositions but with specific Dutch procedural elements such as the periodic penalty payment mechanism.

What should Dutch entities do now?

Three immediate steps. First, confirm classification under the Cbw — essential or important — by reference to the sector list and the size test. Second, gap-assess existing security posture against the ten Cbw Article 24 technical and organisational measures, identifying the controls that require uplift before 1 July 2026 (or whatever final entry-into-force date is fixed). Third, prepare the registration evidence pack and the incident reporting playbook for NCSC submission. Multi-jurisdictional entities should additionally align Dutch obligations to corresponding requirements in other Member States — German NIS2UmsuCG, Italian Decree 138/2024, French Resilience Bill — through a single internal control framework to avoid duplicate work.

How Safeguard Helps

Safeguard maintains the evidence pack Dutch essential and important entities will need from 1 July 2026: software inventory with SBOM, vulnerability findings with reachability validation, supplier risk scoring aligned to the Article 24 supply chain obligation, and incident workflow that aligns to the NCSC 24/72-hour/one-month cadence. The platform records the technical and organisational measures of Cbw Article 24 with versioned evidence so that an RDI inspection can be answered from a structured source rather than reconstructed from disparate systems. For Dutch entities operating cross-border, Safeguard maps a single control framework onto Cbw, German BSI Act, Italian Decree 138/2024, and French Resilience Bill obligations, so compliance investment scales across the EU regulatory perimeter rather than per Member State.