Dutch Cybersecurity Act enters into force 15 August

8 July 2026

On 7 July 2026, the Dutch Senate passed the Cybersecurity Act (Cyberbeveiligingswet, Cbw), which transposes the European NIS2 Cybersecurity Directive. The Cbw will enter into force on 15 August 2026.

The European Union adopted the NIS2 Directive at the end of 2022 in response to increasing digitalisation and the rising number of cyberattacks. This Directive replaces the previous European cybersecurity rules and significantly tightens them. Its aim is to enhance digital resilience in Europe, through measures including extending regulatory scope to additional sectors, imposing stricter security requirements, improving supply chain security, streamlining reporting obligations and strengthening supervision.

Cybersecurity legislation: three-tier regulation

The new cybersecurity legislation consists of three tiers. The first tier is the Cbw itself, which provides the legal framework. The second tier is the Cybersecurity Decree (Cyberbeveiligingsbesluit, Cbb), which elaborates on the obligations under the Cbw, regarding for instance risk management, registration and training obligations for directors. The Cbb applies to all sectors, and its draft versions have been published for consultation. It will enter into force at the same time as the Cbw. The third tier consists of ministerial regulations, adopted by the relevant minister for each sector, which will further specify obligations, for example as regards when cyber incidents must be reported.

Additional legislation, the Critical Entities Resilience Act (Wet weerbaarheid kritieke entiteiten, Wwke), imposes further obligations on organisations providing essential services such as energy, healthcare, transport and banking – see below. The Wwke, which was passed at the same time as the Cbw, aims to strengthen these organisations’ physical resilience against threats such as sabotage, terrorism and natural disasters.

Scope of application

The Cbw applies to organisations in certain sectors, and distinguishes between two categories.

  • The first category covers sectors considered to be highly critical, such as energy, transport, banking, healthcare, drinking water, ICT service management and digital infrastructure.
  • The second category covers other critical sectors, such as postal and courier services, waste management, food production, manufacturing and digital providers.

Not all organisations in these sectors automatically fall within the Cbw’s scope. A minimum threshold applies: an organisation must have at least 50 employees and an annual turnover or balance sheet total exceeding EUR 10 million. Large organisations – with more than 250 employees or an annual turnover exceeding EUR 50 million – are classified as ‘essential entities’ in highly critical sectors and as ‘important entities’ in other critical sectors. Medium-sized organisations – with at least 50 employees or an annual turnover and balance sheet total exceeding EUR 10 million – generally fall within the ‘important entity’ category. This distinction is significant, as essential entities are subject to higher fines and stricter supervision. Essential entities will be supervised proactively, meaning that their compliance can be monitored even if no incidents have occurred. By contrast, important entities will in principle be supervised reactively. This means that supervision takes place retrospectively, for example following an incident or where there is information indicating non-compliance.

There are exceptions to this general rule. Some organisations always fall under the Cbw’s purview, regardless of their size. This applies, for instance, to providers of digital trust services (such as digital signatures), certain internet service providers and public administration entities. Smaller providers of telecoms networks and services can also be subject to the Cbw even if they do not meet the threshold of 50 employees.

In addition, the relevant minister can designate an individual organisation as an essential entity within the minister’s specific area of responsibility, even if that organisation does not automatically fall under the Cbw. This may be the case, for example, if the organisation is the sole provider of an essential service, if a disruption to its services could have a severe impact on public safety or public health, or if the organisation is of major importance for other reasons. The Minister of Education, Culture and Science has announced that all higher education institutions will be designated as important entities. Finally, certain organisations are specifically exempt from the Cbw, such as the Ministry of Defence, the intelligence and security services, the Public Prosecution Service and the police.

Core obligations

The CSA imposes three core obligations on essential and important entities:

  • Registration obligation: organisations must register themselves in a national register. In the Netherlands, this is the register of entities of the National Cyber Security Centre (NCSC).
  • Duty of care: organisations must identify the risks to their digital systems and take appropriate measures to manage those risks. This applies not only to the digital environment, but also to the physical environment in which the systems are located. Appropriate measures could include policies on risk analysis and information security, business continuity measures (such as backups and disaster recovery plans) and supply chain
  • Reporting obligation: organisations are required to report significant cyber incidents to the NCSC and the regulator in their sector. An incident is considered significant if: it causes or is capable of causing severe operational disruption of the services or financial loss; or it affects or is capable of affecting other persons or organisations by causing considerable material or non-material damage. There is a phased reporting obligation from the moment an organisation becomes aware of the incident. First, within 24 hours they must issue an early warning to their computer security incident response team (CSIRT) and the relevant sector regulator. They must then make an initial notification within 72 hours.

Their final report must then be submitted no later than one month afterwards, addressing the following topics in any event: a detailed description of the incident, including its severity and impact; the type of threat or root cause likely to have triggered the incident; applied and ongoing risk mitigation measures; and where applicable, the cross-border impact of the incident.

Directors’ obligations

Directors of essential and important entities bear ultimate responsibility for compliance with the duty of care under the Cbw. They must maintain sufficient knowledge and skills to identify cyber risks and assess appropriate measures, and may be held liable if the organisation fails to fulfil its statutory duty of care. In addition, directors are required to follow cybersecurity training and must be able to provide documentary proof of their participation in this. According to the draft Cbb, the training courses must, at the very least, cover types of risk for network and information systems, risk management processes and risk assessment methodologies.

Banning of certain products and services from suppliers

The Cbw grants the relevant minister, within their own area of responsibility, the power to require essential and important entities to cease using certain products or services from specific suppliers. The minister can only do so after consulting with the Minister of Justice and Security. This power can be executed where necessary to manage or prevent risks to national security. The minister can also set a deadline by which the entity must replace existing products and services or cease using them. This power, added to the Cbw by way of amendment, goes beyond the requirements of the NIS2 Directive.

Supervision and enforcement

Eesponsibility for monitoring compliance is shared among various regulators. These include the Human Environment and Transport Inspectorate (ILT), the Dutch Central Bank (DNB), the Dutch Authority for the Financial Markets (AFM), the Health and Youth Care Inspectorate (IGJ), the Netherlands Food and Consumer Product Safety Authority (NVWA) and the Dutch Authority for Digital Infrastructure (RDI).

Which regulator is responsible depends on the sector or subsector in which an entity operates. For example, DNB has been designated as regulator for the banking sector, the IGJ as regulator for the healthcare sector, and the NVWA as regulator for the food industry.

These regulators can use various enforcement measures to ensure compliance with the Cbw. They can, for instance, carry out or arrange for security scans and audits at important entities, appoint compliance officers at essential entities and request the suspension of board members’ certification or authorisation. Special powers in this regard include mandatory security scans and audits. In the event of infringements, the competent authorities can take measures such as issuing binding instructions and imposing administrative fines. The maximum fines for essential entities are EUR 10 million or 2% of global annual turnover (whichever is higher), and for important entities EUR 7 million or 1.4% of global annual turnover (whichever is higher).

Next steps

The Cbw has now been passed by the Dutch Senate and will enter into force on 15 August 2026. There is no general transition period; once the law takes effect, the obligations will apply immediately. Higher education institutions are an exception: they will be granted a three-year transition period.

Companies would be well advised to check straightaway whether the Cbw applies to them and, if so, to start implementing the statutory requirements in good time.

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.