Cybersecurity - Netherlands

The Network and Information Systems Security Act (Wbni) has been in force since 9 November 2018, requiring providers of essential services and digital service providers (cloud, online marketplaces, search engines) to secure their ICT and report serious incidents.

The Cyberbeveiligingswet (Cbw), transposing the EU NIS2 Directive, was approved by the House of Representatives on 15 April 2026 and is now before the Senate; entry into force is targeted for Q2 2026. The Netherlands missed the EU deadline of 17 October 2024.

The Cbw will cover 'essential' and 'important' entities across sectors such as energy, transport, healthcare, drinking/waste water, digital infrastructure, manufacturing, public administration, and certain digital services, widening the population well beyond the current Wbni.

Rather than a single regulator, supervision is spread across sectoral authorities: the Authority for Digital Infrastructure (RDI) for digital infrastructure/managed services and the Human Environment and Transport Inspectorate (ILT) for transport/water, with NCSC-NL acting as national coordinator and CSIRT.

The Wbni already mandates reporting of serious incidents to the NCSC and the sector regulator. Under the incoming Cbw/NIS2, entities must follow a tiered ladder: an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month.

Entities can already voluntarily register with NCSC-NL, but the mandatory registration obligation only takes effect when the Cbw enters into force; authorities advise organisations not to wait before preparing risk-management and governance measures.