NIS2 Netherlands: Directive, Legislation and Certification
The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU. Due to the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and has a broader scope in order to increase the resilience of critical infrastructures against cyber attacks.
The Netherlands did not meet the deadline of 17 October 2024 for transposing the NIS2 Directive into national law. However, the draft bill, hereinafter referred to as the Cybersecurity Act, is available. According to the letter from the Minister of Justice and Security dated 16 June 2025 to the President of the House of Representatives of the States General, the Cybersecurity Act will enter into force in the second quarter of 2026.
On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how you can prepare for the new regulations.
The content of this page is subject to change and will be updated as necessary.
NIS2 entities
Scope of the Dutch Cybersecurity Act
The Dutch Cybersecurity Act is relevant for both legal entities and natural persons (collectively referred to as ‘entities’) that are registered in the Netherlands and that supply products and/or services in an EU country. The Cybersecurity Act explicitly specifies which public and private entities are subject to cybersecurity obligations. A distinction is made between essential entities and important entities. The categorisation of entities takes into account the services offered, the size of the entity and the location of the entity. In principle, your entity falls under the Dutch Cybersecurity Act if:
- Your organisation provides services within a sector listed in Annex I or Annex II of the Cybersecurity Act;
- Your organisation qualifies as a medium-sized or large enterprise, i.e. it exceeds the thresholds for a small enterprise; and
- Your organisation is established in the Netherlands.
Criterion 1: services provided
Annexes I and II of the Cybersecurity Act describe the sectors that fall within its scope. It is therefore very important to thoroughly analyse the services you provide to third parties per (sub)sector. The sectors listed in the Dutch Cybersecurity Act correspond to the European NIS2 Directive.
| Annex I: Highly critical sectors | Annex II: Other critical sectors |
|---|---|
| Energy • Electricity • District heating and cooling • Oil • Gas • Hydrogen | Postal and courier services |
| Transport • Air • Rail • Water • Road | Waste management |
| Banking | Manufacture, production and distribution of chemicals |
| Financial market infrastructures | Production, processing and distribution of foodstuffs |
| Health | Manufacturing • Medical devices and in vitro diagnostic medical devices • Computer, electronic and optical products • Electrical equipment • Machinery and equipment n.e.c. • Motor vehicles, trailers and semi-trailers • Other transport equipment |
| Drinking water | Digital providers |
| Waste water | Research |
| Digital infrastructure | |
| ICT service management (business-to-business) | |
| Space | |
Criterion 2: company size
In addition to the services provided, the size of the entity is also important in determining whether your organisation falls within the scope of the Cybersecurity Act. Click here to determine whether your organisation is a small, medium-sized or large enterprise. In principle, medium-sized and large enterprises must comply with the obligations of the Cybersecurity Act. In addition, the Act also applies to the following providers regardless of the size of the entity; these are considered essential entities by law:
- Providers of public electronic communications networks or of publicly available electronic communications services
- Trust service providers
- Providers of top-level domain name registries (TLD registries)
- DNS service providers
Furthermore, an entity can fall within the scope of the Act regardless of its size if one of the following applies:
- It provides services that are essential to critical societal or economic functions and that are not provided by other providers
- A disruption of its services would have a significant impact on public order, security or public health
- An incident at the entity could cause systemic risks with cross-border consequences
- It is of strategic or vital importance at national or regional level, for example due to dependencies in other sectors
Criterion 3: established entity in the Netherlands
In principle, the Cybersecurity Act can only apply to entities with an establishment in the Netherlands. However, by way of exception, the following entities are also subject to the Dutch Cybersecurity Act:
- Providers of public electronic communications networks or providers of public electronic communications services offering their services in the Netherlands;
- DNS service providers, registries for top-level domain names, entities that provide domain name registration services, providers of cloud computing services, providers of data centre services, providers of content delivery networks, providers of managed services, providers of managed security services, as well as providers of online marketplaces, providers of online search engines and providers of social networking service platforms, if they have their main establishment in the Netherlands or, if they have no establishment within the EU, if their legal representative for the EU is located in the Netherlands;
- Public administration entities established by the Netherlands.
What does this mean for my company?
1. Registration
In the Netherlands, organisations that fall under the Cybersecurity Act as essential or important entities will have to register themselves in the entity register. The NIS2 Directive has not yet been fully transposed into national legislation, but essential and important entities can already register with the National Cyber Security Centre (NCSC) by logging in at www.mijn.ncsc.nl. The registration requirement will only apply from the entry into force of the Cybersecurity Act, which is expected in the second quarter of 2026.
The following information must be provided by the entity via the online registration platform:
- Name of the organisation
- Address and current contact details of the entity, including email addresses and telephone numbers
- IP address ranges
- Sector and sub-sector
- Overview of EU Member States where services falling within the scope of the Cybersecurity Act are provided
Changes to this information must be reported within two weeks of the change.
More information about the registration requirement can be found here.
2. Management measures (Art. 23)
If your organisation is categorised as an essential or important entity, you are responsible for implementing appropriate and proportionate technical and organisational measures to manage the risks to the security of your network and information systems. The Digital Trust Centre (DTC), which will join forces with the NCSC from 2026, indicates that NIS2 entities must take at least the following duty of care measures:
- Risk analysis and security of information systems
- Incident management
- Business continuity, such as backup management and disaster recovery, and crisis management
- Supply chain security
- Security in the acquisition, development and maintenance of network and information systems, including the response to and disclosure of vulnerabilities
- Policies and procedures to assess the effectiveness of cyber security risk management measures
- Cyber hygiene and cybersecurity training
- Policies and procedures on cryptography and, where applicable, encryption
- Security aspects relating to personnel, access policies and asset management
- Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications, and secure emergency communications systems within the entity, where applicable.
More information about the duty of care measures can be found here.
In Implementing Regulation 2024/2690, the European Commission has elaborated the above minimum measures for cybersecurity for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engine providers, social networking service platform providers, and trust service providers.
3. Reporting obligation for significant incidents (Articles 27-34)
Essential and important entities are required to notify the relevant sectoral Computer Security Incident Response Team (CSIRT) and the competent authority when a significant incident occurs. In addition, they must also notify the recipients of their services if the significant incident affects the provision of services relating to the (sub)sectors listed in Annexes I and II.
An incident is significant if it
- causes or could cause a serious operational disruption of services or financial losses for the entity concerned; or
- has affected or may affect other entities by causing significant material or immaterial damage.
The significant incident is reported by the essential or important entity via the online form or via www.mijn.ncsc.nl. Given that the Cybersecurity Act is not yet in force, only voluntary incident reports can be submitted. The reporting of an incident follows the procedure below:
- Without undue delay and in any event within 24 hours of becoming aware of the significant incident, the entity shall submit an early warning, indicating whether the incident is suspected to have been caused by unlawful or malicious acts, whether it could have cross-border consequences, and the contact details of the responsible officer;
- Without undue delay and in any event within 72 hours of becoming aware of the significant incident, the entity shall submit an incident report containing, where applicable, an update of the information in the early warning, an initial assessment of the incident (including its severity and impact), the indicators of compromise available at that time and all available information needed to determine the cross-border impact of the incident. Trust service providers must submit this incident report within 24 hours;
- On request of the CSIRT or the competent authority, the entity shall submit an interim report with relevant status updates;
- No later than one month after the incident report, the entity shall submit a final report stating:
  - A detailed description of the incident, including its severity and consequences;
  - The type of threat or root cause that is likely to have led to the incident;
  - Applied and ongoing risk mitigation measures;
  - The cross-border consequences of the incident, if applicable.
- If the incident is still ongoing one month after the incident report, the entity shall submit a progress report at that point, and the final report within one month of the incident being resolved.
In Implementing Regulation 2024/2690, the European Commission has defined the criteria for a significant incident for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engine providers, social networking service platform providers, and trust service providers. These special rules take precedence over national rules in the event of any conflicts.
Finally, all entities, regardless of whether they fall within the scope of the Cybersecurity Act, can voluntarily report (significant) incidents, cyber threats and near misses to the CSIRT.
More information on reporting significant cyber incidents can be found here.
4. Obligations and responsibilities of management (Art. 26)
The governing bodies of essential and important entities are responsible for compliance with the Cybersecurity Act and must fulfil various obligations, including:
- Approving cyber security management measures and monitoring compliance with them.
- Undertaking training to acquire sufficient knowledge and skills to identify risks and assess management measures and their impact on their services.
- Providing cybersecurity training to the entity’s employees.
The governing bodies can be held liable for non-compliance with the Cybersecurity Act.
5. Cooperation with authorities
Essential and important entities must cooperate with the national authorities. This concerns the exchange of information about the security of network and information systems, reporting incidents, cooperation with the inspection service, etc.
6. How can I demonstrate that my company complies with NIS2 legislation?
The competent authorities carry out inspections at essential and important entities to check compliance with the Cybersecurity Act. In addition, the Cybersecurity Act states that essential entities may be required to have an independent security audit carried out periodically or on an ad hoc basis. This underlines the importance of demonstrable compliance.
The Cybersecurity Act does not prescribe specific standards, but explicitly refers to the use of European and international standards. An important example of this is ISO/IEC 27001. ISO/IEC 27001 is the globally recognised standard for information security and describes the requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS).
In order to obtain ISO 27001 certification, the following steps must be taken:
- Acquire the necessary knowledge about ISO/IEC 27001, for example through training;
- Implement the ISO 27001 management system in accordance with the standard requirements in your organisation;
- Conduct internal audits;
- Have management assess the results of the internal audit and take corrective measures if necessary. Record the conclusion regarding compliance with the requirements in the management review;
- Contact an accredited conformity assessment body (CAB) to carry out the external certification audit.
A practical tool for demonstrating NIS2 compliance is the Cbw (NIS2) Control Framework, developed by the Auditdienst Rijk (ADR) and the Ministry of the Interior in collaboration with the professional organisation of IT auditors in the Netherlands (NOREA). This framework offers a structured approach to assessing the extent to which your organisation complies with the Cybersecurity Act and the underlying Cybersecurity Decree. The framework contains concrete management measures, which are largely in line with the principles of ISO/IEC 27001, a step-by-step plan and maturity levels, and can be used as an internal evaluation tool or as a basis for audits.
Enforcement and sanctions (Art. 68 et seq.)
The competent authority carries out inspections to verify compliance with the requirements by NIS2 entities. A distinction must be made between essential and important entities:
- Essential entities are checked both proactively (ex-ante) and reactively (ex-post) and are required to have regular conformity assessments carried out.
- Important entities are, in principle, only checked reactively, after an incident or in the event of suspected non-compliance with the law.
The Dutch Cybersecurity Act provides for specific sanctions for entities that do not comply with the legal provisions. These sanctions vary according to the nature and seriousness of the violation and are divided into administrative measures and administrative fines.
Possible administrative measures that may be imposed include issuing warnings, requiring the entity to take certain measures, suspending a certification or licence, suspending members of the board, and so on.
Administrative fines are also laid down by law and can amount to €10,000,000 or 2% of the total worldwide annual turnover of the essential entity, whichever is higher, and up to €7,000,000 or 1.4% of the total worldwide annual turnover of the important entity, whichever is higher. These maximum fines apply to breaches of the duty of care (Art. 23) and the reporting obligation (Art. 27-32). For other infringements, an administrative fine of up to €1,000,000 may be imposed on the essential or important entity.
Timeline
- 17 October 2024: initial deadline for EU Member States to transpose the NIS2 Directive into national law
- Within two years of entry into force: members of the management of the essential and important entity must have completed cybersecurity training.
Important deadlines for cybersecurity entities will be added as soon as more information becomes available.
Competent authorities (Art. 16)
Although the NIS2 Directive has not yet been fully transposed into national law in the Netherlands, there is already clarity about which authorities will be responsible for its implementation and enforcement. These competent authorities play a crucial role in policy, supervision, incident response and international coordination.
The Ministry of Justice and Security is responsible for ensuring security and law and order in the Netherlands and plays a central role in the implementation of the NIS2 Directive. The ministry translates the European obligations into national legislation through the Cybersecurity Act and coordinates the implementation of this Act in collaboration with other ministries and supervisory authorities. In doing so, it designates competent authorities to supervise compliance with the rules within their sector and ensures effective cooperation and information exchange with the European Commission and other Member States.
The Ministry of Justice and Security operates the National Cyber Security Centre (NCSC), the Dutch government’s knowledge and expertise centre in the field of cybersecurity. The NCSC plays an important role in the implementation of the NIS2 Directive. It acts as the central reporting point for significant incidents and coordinates the response to limit damage and accelerate recovery. In addition, it supports organisations covered by the Cybersecurity Act with advice, threat information and practical guidelines to increase their digital resilience. The centre works closely with the sectoral CSIRTs and international partners to ensure information exchange and joint incident handling. Finally, the NCSC manages the national entity register for NIS2.
From 2026, the NCSC and the Digital Trust Centre (DTC), part of the Ministry of Economic Affairs, will join forces. Within the framework of NIS2, the DTC supports companies that do not belong to the vital sectors with practical information, advice and tools to limit cyber risks. Among other things, the centre offers a self-assessment tool that organisations can use to determine whether they fall under the Cybersecurity Act, and it provides guidelines for implementing the duty of care measures. In addition, the DTC acts as a knowledge platform and encourages cooperation between companies to jointly strengthen digital security.
The referral tree provides an overview of the various authorities that NIS2 organisations can contact with questions, reports or incidents.
