Cybersecurity regulation in Netherlands (2026)

The Tweede Kamer passed the Cybersecurity Act (Cyberbeveiligingswet, Cbw), transposing the EU NIS2 Directive and replacing the 2018 Wbni; the bill was forwarded to the Senate (Eerste Kamer) targeting Q2 2026 entry into force. The law expands mandatory cybersecurity risk-management, incident-reporting, and board-training obligations to approximately 8,000 entities across 18 sectors.

The National Coordinator for Security and Counterterrorism released the annual threat assessment, warning that digital threats remain diverse and unpredictable and that basic cyber hygiene is the most critical defence measure. The report feeds directly into national risk-management policy and the forthcoming Cbw implementing guidance.

After the Netherlands missed the 17 October 2024 NIS2 transposition deadline, the Commission escalated to a reasoned opinion — the second stage of EU infringement proceedings — increasing legal and political pressure on the Netherlands to accelerate parliamentary passage of the Cyberbeveiligingswet.

The Dutch government formally introduced the Cybersecurity Act bill to the House of Representatives, launching the parliamentary review process; the bill would replace the Wbni with a NIS2-aligned framework covering 18 sectors and requiring supply-chain security audits, mandatory board training, and fines up to €10 million.

The government released a six-year national cybersecurity strategy covering digital resilience, international cyber norms, secure hardware/software, and public–private cooperation; it also announced the merger of the NCSC, Digital Trust Center, and CSIRT-DSP into a single national cybersecurity authority to streamline incident response and guidance.

The most expansive revision of Dutch cybercrime law granted police — with prior judicial authorisation — powers to covertly hack suspects' devices, install investigative software using zero-day exploits, and remotely render data inaccessible; it also criminalised possession of hacking tools and strengthened prosecution of ransomware and DDoS offences.

The Wbni transposed the EU NIS Directive into Dutch law, imposing mandatory risk-management and incident-reporting obligations on operators of essential services, designated vital providers, and digital service providers; the NCSC was designated as the national CSIRT and supervisory authorities were assigned per sector.

The government launched its third national cybersecurity strategy with seven ambitions: broad detection/response capabilities, international cyber peace and security, secure hardware and software, resilient digital infrastructure, effective cybercrime barriers, knowledge development, and a structured public–private partnership model that underpinned the Wbni framework.

The NCSC was formally stood up within the Ministry of Justice and Security as the Netherlands' central hub for cyber expertise, national CSIRT, and operational coordination with critical infrastructure; it was created directly in response to the 2011 NCSS and accelerated by the DigiNotar incident.

Following an undetected June 2011 intrusion in which attackers issued 531+ fraudulent TLS certificates (used to surveil ~300,000 Iranian Gmail users), the Dutch government revoked all DigiNotar root certificates on 29 August 2011, immediately disabling DigiD and vehicle-registration services; DigiNotar filed for bankruptcy in September 2011. The incident exposed critical single-CA dependencies and directly accelerated creation of the NCSC and the first NCSS.

The Ministry of Security and Justice published the Netherlands' inaugural National Cyber Security Strategy, establishing a whole-of-government framework for cyber defence and calling for creation of the NCSC and a Cyber Security Council with public–private representation; it was one of the earliest national cybersecurity strategies in the EU.

After an eight-year parliamentary process, the Netherlands enacted one of Europe's earliest computer crime laws, criminalising unauthorised computer access, data manipulation, and sabotage with penalties up to four years' imprisonment; it established the foundational legal framework on which all subsequent Dutch cybercrime and cybersecurity obligations were built.