NIS2 becomes Dutch law

The Dutch lower house passed the Cyberbeveiligingswet to embed the EU’s NIS2 requirements into national law, introducing duties of care, incident reporting and supplier oversight for many organisations. Commentary emphasises this shifts cybersecurity into board‑level obligations and formalises standardised risk analysis and incident processes. (computable.nl)(team-biz.de)

The Dutch lower house approved the Cyberbeveiligingswet on April 15, moving the Netherlands much closer to putting the European Union’s NIS2 cybersecurity rules into force. (rijksoverheid.nl)

The bill sends NIS2 into Dutch law and replaces the current Wet beveiliging netwerk- en informatiesystemen, or Wbni, once it takes effect. The government says covered organizations will then face a duty of care, incident-reporting duties and a registration duty. (rijksoverheid.nl)

The National Cyber Security Centre said the law will expand its remit to more than about 8,000 organizations in the Netherlands. The bill now goes to the Senate, and the current planning still points to entry into force in the second quarter of 2026. (ncsc.nl)

NIS2 is the European Union’s rewrite of its 2016 cybersecurity rules. It pushes more sectors to manage cyber risk in a formal way and to report serious incidents on a fixed timetable. (digital-strategy.ec.europa.eu)

Under the directive, in-scope entities must have policies for risk analysis, incident handling, backups and crisis management, and supply-chain security for direct suppliers and service providers. They must also send an early warning within 24 hours of becoming aware of a significant incident and a fuller incident notification within 72 hours. (eur-lex.europa.eu)

The governance piece reaches the boardroom. NIS2 says management bodies must approve cybersecurity risk measures, oversee their implementation and follow training so they can assess cyber risk. (eur-lex.europa.eu)

The Dutch government has been telling organizations not to wait for the formal start date. Its Digital Government portal says the bill was filed with the lower house on June 4, 2025, and that the implementing decree will spell out details including the duty of care, registration duty and training duty for directors. (digitaleoverheid.nl)

The Netherlands missed the European Union’s October 17, 2024 transposition deadline by roughly 18 months. Computable reported this week that the Justice Ministry had previously blamed the delay on the law’s complexity and said it expected the measure to take effect before July 1, 2026, if the Senate clears it. (computable.nl)

Lawmakers also passed the companion bill for the Critical Entities Resilience Directive on the same day. Computable reported that the lower house backed a motion from Barbara Kathmann of GroenLinks-PvdA and Laurens Dassen of Volt calling for one central reporting desk, to avoid a patchwork of separate portals. (computable.nl)

So the Dutch vote did not just add another compliance deadline. It set up a legal regime in which thousands of organizations will have to show, in writing and at board level, how they assess cyber risk, handle incidents and watch their suppliers. (ncsc.nl)
