NIS2 in Netherlands
Everything you need to know about the NIS2 directive in Nederland: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.
The Netherlands is transposing NIS2 through a new Cyberbeveiligingswet (Cbw), which replaces the existing Wet beveiliging netwerk- en informatiesystemen (Wbni). Implementation has slipped past the EU deadline — entry into force is now expected in Q3 2026 — but the NCSC-NL is already publishing guidance and operational expectations, and the Ministry of Justice and Security (JenV) is leading the process. Dutch organisations are advised to prepare during the transposition gap rather than wait.
Key facts at a glance
Cyberbeveiligingswet (Cbw) — replacing Wet beveiliging netwerk- en informatiesystemen (Wbni)
Adopted / in force: 2026-Q3
Nationaal Cyber Security Centrum (NCSC-NL)
https://www.ncsc.nlUp to EUR 10 million or 2% of global annual turnover
Up to EUR 7 million or 1.4% of global annual turnover
These ceilings come from the directive — see how NIS2 fines are calculated, recent enforcement cases and director personal liability.
Priority sectors for NIS2 in Netherlands
NIS2 covers 18 sectors across Annex I (essential) and Annex II (important). These are the sectors where Netherlands's transposition and NCSC-NL supervision focus most.
Energy and drinking water
Annex I high-criticality operators — Dutch grid operators, energy suppliers and drinking-water utilities — are squarely in scope as essential entities and are the NCSC-NL's first supervisory priority.
Digital infrastructure and logistics
The Netherlands is a European digital and logistics hub: the Port of Rotterdam, Amsterdam's data-centre cluster, cloud providers and major logistics operators fall under digital infrastructure and transport, often at the essential tier.
Manufacturing and chemicals
Dutch industrial and chemical clusters fall under Annex II as important entities once above the size threshold, and face growing supply-chain pressure from in-scope customers.
Key deadlines
2024-10-17
EU transposition deadline — missed by the Netherlands.
2026-Q3
Expected entry into force of the Cyberbeveiligingswet (Cbw).
Is your company in scope? Common Netherlands scenarios
Two worked examples of how NIS2 scoping plays out in Netherlands. Not sure where you land? Run the free NIS2 scope checker.
Transport and logistics is a covered sector and the operator is well above the size thresholds. It should implement risk-management measures and incident processes now, ahead of the Cbw entering into force.
Cloud and digital-infrastructure providers are covered, and as a cloud service provider it may be in scope regardless of size. It should be registration-ready and have NIS2 controls in place before enforcement.
What Netherlands businesses need to know
The Netherlands is transposing NIS2 through a new law called Cyberbeveiligingswet (Cbw), replacing the existing Wbni.
Implementation has been delayed — the Ministry of Justice and Security (JenV) is leading the process.
The NCSC-NL will be the competent authority and receive all incident notifications.
Despite the delay, NCSC-NL is already publishing guidance and operational expectations for in-scope entities.
Dutch organizations should prepare now even though formal enforcement is pending.
How NCSC-NL enforces NIS2 in Netherlands
The NCSC-NL will be the competent authority and receive all incident notifications through its melding portal. Even before the Cyberbeveiligingswet enters into force, the NCSC-NL advises in-scope entities to implement risk-management measures, build incident-response processes and prepare to register. During the transposition gap the directive's principles already apply, and the State itself is bound by direct effect — so preparing now both reduces risk and avoids a scramble once the Dutch law takes effect in Q3 2026.
NIS2 in Netherlands: frequently asked questions
- What is the Cyberbeveiligingswet (Cbw)?
- The Cyberbeveiligingswet is the Dutch NIS2 transposition law, replacing the existing Wbni. It is expected to enter into force in Q3 2026. The NCSC-NL is the competent authority and the point of contact for incident notifications.
- When does NIS2 enter into force in the Netherlands?
- Entry into force of the Cyberbeveiligingswet is expected in Q3 2026 — later than the EU deadline of October 2024. Because of the delay, the NCSC-NL recommends in-scope entities prepare now rather than wait for the formal start date.
- Who is the competent authority (NCSC-NL)?
- The Nationaal Cyber Security Centrum (NCSC-NL) is the competent authority and receives all incident notifications. The Ministry of Justice and Security (JenV) leads the legislative process behind the Cyberbeveiligingswet.
- Should Dutch companies prepare now?
- Yes. The NCSC-NL advises implementing risk-management measures and incident processes before formal enforcement, and the directive's principles apply during the transposition gap. Early preparation also smooths the registration step once the Cbw enters into force.
Official sources
Primary references for NIS2 in Netherlands — verify the latest text and deadlines directly with the authority.