Cybersecurity ยท Netherlands
Cybersecurity law in Netherlands: NIS2 compliance (2026)
Netherlands shaded by its cybersecurity status
Cybersecurity in Netherlands: comprehensive law, anchored by Wet beveiliging netwerk- en informatiesystemen (Wbni), currently in force (implements EU NIS1); being replaced by the Cyberbeveiligingswet (Cbw, NIS2 implementation), pending in the Senate with entry into force targeted for Q2 2026. Supervision/incident response led by NCSC-NL and sector regulators (RDI, ILT)..
The Netherlands currently has a horizontal cybersecurity statute in force, the Wbni (in effect since 9 November 2018), which obliges essential-service operators and digital service providers to take security measures and report serious incidents. Its NIS2 upgrade, the Cyberbeveiligingswet (Cbw), was approved by the House of Representatives on 15 April 2026 and is awaiting Senate approval, with entry into force expected in Q2 2026. The regime is layered on top of GDPR data-breach duties and EU sectoral rules (e.g. DORA for finance), with NCSC-NL as the central coordination/incident-response body.
NIS2 & cybersecurity law in Netherlands
In Netherlands, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to โฌ10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Netherlands implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Netherlands: FAQ
Yes. As an EU member, Netherlands has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to โฌ10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
The Network and Information Systems Security Act (Wbni) has been in force since 9 November 2018, requiring providers of essential services and digital service providers (cloud, online marketplaces, search engines) to secure their ICT and report serious incidents.
The Cyberbeveiligingswet (Cbw), transposing the EU NIS2 Directive, was approved by the House of Representatives on 15 April 2026 and is now before the Senate; entry into force is targeted for Q2 2026. The Netherlands missed the EU deadline of 17 October 2024.
The Cbw will cover 'essential' and 'important' entities across sectors such as energy, transport, healthcare, drinking/waste water, digital infrastructure, manufacturing, public administration, and certain digital services, widening the population well beyond the current Wbni.
Rather than a single regulator, supervision is spread across sectoral authorities: the Authority for Digital Infrastructure (RDI) for digital infrastructure/managed services and the Human Environment and Transport Inspectorate (ILT) for transport/water, with NCSC-NL acting as national coordinator and CSIRT.
The Wbni already mandates reporting of serious incidents to the NCSC and the sector regulator. Under the incoming Cbw/NIS2, entities must follow a tiered ladder: an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month.
Entities can already voluntarily register with NCSC-NL, but the mandatory registration obligation only takes effect when the Cbw enters into force; authorities advise organisations not to wait before preparing risk-management and governance measures.
Timeline - major decisions & events
The Tweede Kamer passed the Cybersecurity Act (Cyberbeveiligingswet, Cbw), transposing the EU NIS2 Directive and replacing the 2018 Wbni; the bill was forwarded to the Senate (Eerste Kamer) targeting Q2 2026 entry into force. The law expands mandatory cybersecurity risk-management, incident-reporting, and board-training obligations to approximately 8,000 entities across 18 sectors.
Digitale Overheid (Digital Government NL) โThe National Coordinator for Security and Counterterrorism released the annual threat assessment, warning that digital threats remain diverse and unpredictable and that basic cyber hygiene is the most critical defence measure. The report feeds directly into national risk-management policy and the forthcoming Cbw implementing guidance.
NCTV (National Coordinator for Security and Counterterrorism) โAfter the Netherlands missed the 17 October 2024 NIS2 transposition deadline, the Commission escalated to a reasoned opinion, the second stage of EU infringement proceedings, increasing legal and political pressure on the Netherlands to accelerate parliamentary passage of the Cyberbeveiligingswet.
European Commission โ Digital Strategy โThe Dutch government formally introduced the Cybersecurity Act bill to the House of Representatives, launching the parliamentary review process; the bill would replace the Wbni with a NIS2-aligned framework covering 18 sectors and requiring supply-chain security audits, mandatory board training, and fines up to โฌ10 million.
Digitale Overheid (Digital Government NL) โThe government released a six-year national cybersecurity strategy covering digital resilience, international cyber norms, secure hardware/software, and public-private cooperation; it also announced the merger of the NCSC, Digital Trust Center, and CSIRT-DSP into a single national cybersecurity authority to streamline incident response and guidance.
NCSC-NL โThe most expansive revision of Dutch cybercrime law granted police, with prior judicial authorisation, powers to covertly hack suspects' devices, install investigative software using zero-day exploits, and remotely render data inaccessible; it also criminalised possession of hacking tools and strengthened prosecution of ransomware and DDoS offences.
Government of the Netherlands โThe Wbni transposed the EU NIS Directive into Dutch law, imposing mandatory risk-management and incident-reporting obligations on operators of essential services, designated vital providers, and digital service providers; the NCSC was designated as the national CSIRT and supervisory authorities were assigned per sector.
wetten.overheid.nl (official Dutch legislation portal) โThe government launched its third national cybersecurity strategy with seven ambitions: broad detection/response capabilities, international cyber peace and security, secure hardware and software, resilient digital infrastructure, effective cybercrime barriers, knowledge development, and a structured public-private partnership model that underpinned the Wbni framework.
ENISA (hosting official Dutch NCSA document) โThe NCSC was formally stood up within the Ministry of Justice and Security as the Netherlands' central hub for cyber expertise, national CSIRT, and operational coordination with critical infrastructure; it was created directly in response to the 2011 NCSS and accelerated by the DigiNotar incident.
NCSC-NL โFollowing an undetected June 2011 intrusion in which attackers issued 531+ fraudulent TLS certificates (used to surveil ~300,000 Iranian Gmail users), the Dutch government revoked all DigiNotar root certificates on 29 August 2011, immediately disabling DigiD and vehicle-registration services; DigiNotar filed for bankruptcy in September 2011. The incident exposed critical single-CA dependencies and directly accelerated creation of the NCSC and the first NCSS.
ENISA โ Operation Black Tulip Report โThe Ministry of Security and Justice published the Netherlands' inaugural National Cyber Security Strategy, establishing a whole-of-government framework for cyber defence and calling for creation of the NCSC and a Cyber Security Council with public-private representation; it was one of the earliest national cybersecurity strategies in the EU.
ENISA (hosting official Dutch NCSS I document) โAfter an eight-year parliamentary process, the Netherlands enacted one of Europe's earliest computer crime laws, criminalising unauthorised computer access, data manipulation, and sabotage with penalties up to four years' imprisonment; it established the foundational legal framework on which all subsequent Dutch cybercrime and cybersecurity obligations were built.
Council of Europe โ Octopus Cybercrime Community โNetherlands - other topics
Cybersecurity in other countries
Last verified 5/23/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ