The Dutch Cybersecurity Act: how NIS2 becomes law in the Netherlands
The Cybersecurity Act transposes NIS2 into Dutch law: a duty of care, a reporting duty and management liability. The bill is still pending and is expected to enter into force later than the EU deadline.
Short answer: The Cybersecurity Act (Cyberbeveiligingswet, Cbw) is the Dutch transposition of the European NIS2 directive. The bill is still pending and is expected to enter into force later than the EU deadline of 17 October 2024 — around 1 July 2026 has been mentioned, but that is not a settled fact.
Where the law comes from
The Cybersecurity Act stems from Directive (EU) 2022/2555, better known as NIS2. That directive requires all EU member states to write stricter digital-resilience requirements into national law. The formal transposition deadline was 17 October 2024, but the Netherlands did not meet it.
At the time of writing, the Cbw is still pending. Entry into force is expected later; reporting has mentioned around 1 July 2026. Treat this as an expectation, not a certainty — the definitive date will follow from the legislative process.
What the law asks of you
The Cbw imposes a number of core obligations on organisations:
- Duty of care: you take appropriate technical and organisational measures to protect your network and information systems, based on a risk assessment.
- Reporting duty: you report a significant incident in stages. An initial notification is due within 24 hours, followed by a fuller report within 72 hours.
- Registration duty: organisations within scope must register with the competent authority.
- Management liability: the management body is responsible for compliance and can be held accountable for it.
Supervision rests with sectoral regulators and with the Dutch Authority for Digital Infrastructure (Rijksinspectie Digitale Infrastructuur, RDI).
Who falls within scope
NIS2 distinguishes between essential and important entities. The distinction mainly determines the intensity of supervision, not the substance of the duty of care. Transport is designated an essential sector — covering road, rail, air and water transport, among others. Many logistics providers therefore fall within scope, depending on their size and activities.
What you can do now
Do not wait for entry into force. Map whether your organisation qualifies as essential or important, carry out a risk assessment, and set up an incident-reporting process that can meet the 24-hour and 72-hour deadlines. Make sure the management body is involved, because that is where the liability sits.
Sources
- Directive (EU) 2022/2555 (NIS2): the European basis. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
- Digital Trust Center: the Dutch Cybersecurity Act (NIS2 transposition). https://www.digitaltrustcenter.nl/cyberbeveiligingswet