
    NIS2 in the Netherlands

    A guide to NIS2 implementation and compliance in the Netherlands.

    The Netherlands is updating its national cybersecurity framework to align with the strengthened obligations introduced under the NIS2 Directive. The revised regime expands sector coverage, formalizes executive accountability, and enhances supervisory and enforcement mechanisms. This guide provides a structured overview of NIS2 compliance requirements in the Netherlands for SMEs operating in covered sectors.

    1. Quick SME Applicability Snapshot in the Netherlands

    Does NIS2 apply to SMEs in the Netherlands?

    Yes — depending on sector and size.

    • Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
    • Small or micro entities are included only if formally designated or operating in high-criticality sectors.
    • Applies to entities established in the Netherlands and, in certain cases, foreign digital providers serving the Dutch market.

    SMEs should assess qualification under the Netherlands' national cybersecurity framework based on sector classification and statutory thresholds.

    2. Overview of NIS2 Implementation in the Netherlands

    The Netherlands is transposing NIS2 through the Cyberbeveiligingswet (Cbw) (Cybersecurity Act), a new statute that will replace and supersede the existing Wbni (Wet beveiliging netwerk- en informatiesystemen). The Cbw was submitted to the Tweede Kamer on 4 June 2025 and, as of April 2026, has not yet been enacted. Entry into force is currently expected in Q2 2026, with some provisions potentially phased.

    The Netherlands missed the 17 October 2024 transposition deadline and received an EC reasoned opinion in May 2025. The Cbw introduces several structurally significant features: sector-specific competent authorities are designated through ministerial regulations, with each ministry responsible for sectors within its policy area — creating a multi-regulator supervisory model rather than a centralized one; incident reporting creates a dual obligation to both the NCSC (as national CSIRT) and the relevant sector competent authority; and management bodies face a mandatory cybersecurity training obligation.

    Voluntary registration with the NCSC via mijn.ncsc.nl has been possible since 17 October 2024; mandatory registration will apply from the Cbw's entry into force. The existing Wbni continues to apply in the interim.

    3. Scope of Application in the Netherlands

    The Netherlands' scope reflects Directive minimum sector categories without confirmed structural expansion.

    4. Size Thresholds and SME Applicability in the Netherlands

    The baseline thresholds apply:

    • ≥50 employees, and
    • ≥€10 million annual turnover or balance sheet total.

    Entities meeting both criteria within covered sectors are automatically within scope.

    Small and micro enterprises may be designated if considered critical to national security, economic stability, or essential service continuity.

    Dutch authorities retain formal designation powers where systemic risk justifies inclusion. The relevant sector minister may designate a small or micro enterprise if its services are of vital importance to the Dutch economy or society; affected entities will be notified directly.

    5. Entity Classification Framework in the Netherlands

    Entities are categorized as:

    • Essential Entities — Subject to proactive supervision, including inspections and structured compliance monitoring.
    • Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.

    Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.

    The Netherlands follows the Directive's two-tier supervisory structure.

    6. Cybersecurity Risk Management Requirements in the Netherlands

    The Netherlands' national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

    • Risk analysis and system protection
    • Incident detection and response
    • Business continuity and crisis management
    • NIS2 supply chain risk controls
    • Secure acquisition and development of ICT systems
    • Access control and identity management
    • Encryption and cryptographic safeguards
    • Vulnerability management procedures
    • Staff cybersecurity training

    Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Dutch cybersecurity guidance is encouraged.

    7. Management Liability and Governance in the Netherlands

    Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

    Under the Netherlands' framework:

    • Boards are accountable for compliance oversight.
    • Senior management must ensure sufficient cybersecurity competence.
    • Administrative sanctions may address governance failures.
    • Temporary suspension of managerial functions may be available under Directive-aligned enforcement mechanisms.

    NIS2 management liability expectations in the Netherlands elevate cybersecurity governance to an executive-level responsibility.

    8. Incident Reporting Obligations in the Netherlands

    Definition of a Significant Incident

    An incident qualifies if it causes:

    • Severe operational disruption
    • Significant financial loss
    • Substantial societal impact
    • Cross-border effects

    Reporting Timeline

    Reporting Stage       | Deadline | Authority
    ----------------------|----------|--------------------------------------------------------
    Early Warning         | 24 hours | NCSC (as national CSIRT) and competent sector authority
    Incident Notification | 72 hours | NCSC (as national CSIRT) and competent sector authority
    Final Report          | 1 month  | NCSC (as national CSIRT) and competent sector authority

    The Netherlands follows the Directive structure for NIS2 reporting deadlines. Under the Cbw, incident reporting creates a dual obligation: entities must notify both the NCSC (acting as national CSIRT, fulfilling this role through the Ministry of Justice and Security) and the competent supervisory authority for their sector. Sector-specific CSIRTs may also be designated for certain sectors — for example, Z-CERT for healthcare, IBD for municipalities, and CERT-Watermanagement for water boards. Entities must also notify affected service recipients where a significant incident may affect service delivery. Note: these obligations are not yet legally operative pending enactment of the Cbw; the Wbni framework applies in the interim.

    9. Supervisory Authorities and Enforcement Model in the Netherlands

    There is no single primary authority. Under the Cyberbeveiligingswet (Cbw), supervision and enforcement are carried out by sector-specific competent authorities, designated through ministerial regulations — each ministry is responsible for the sectors within its policy area. Examples include the RDI (Rijksinspectie Digitale Infrastructuur) for digital infrastructure and ICT service management, and the ILT (Inspectorate for the Environment and Transport) for transport. The NCSC serves as the national CSIRT, coordinating incident response and information sharing, but is not itself the primary enforcement authority.

    The Netherlands operates a multi-regulator supervisory model: sector-specific competent authorities — designated per sector through ministerial regulation — carry out supervision and enforcement. The NCSC coordinates nationally as CSIRT and provides guidance, but enforcement powers vest in the sector regulators. Specialist CSIRTs (e.g., Z-CERT for healthcare) may supplement the NCSC in specific sectors.

    Supervisory powers include:

    • Requests for documentation and information
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cybersecurity coordination mechanisms

    The proposed enforcement structure aligns with Directive-level cooperation requirements. These supervisory and enforcement powers are not yet legally operative pending enactment of the Cbw; the Wbni framework continues to apply in the interim.

    10. NIS2 Fines and Sanctions in the Netherlands

    The Netherlands applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    Beyond fines, NIS2 enforcement in the Netherlands may also include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of authorizations or certifications
    • Managerial suspension powers

    Criminal liability applies only where explicitly provided under Dutch legislation.

    11. NIS2 Supply Chain and Vendor Security in the Netherlands

    Entities must manage third-party cybersecurity exposure through:

    • Vendor risk assessments
    • Contractual security flow-down provisions
    • Continuous ICT supplier monitoring
    • Concentration risk analysis
    • Incident propagation mitigation

    The Netherlands' approach aligns with Directive baseline expectations regarding supplier risk management.

    12. Registration and Self-Identification Duties in the Netherlands

    Entities within scope must:

    • Register with competent authorities — entities can self-register via the NCSC's mijn.ncsc.nl portal; voluntary since 17 October 2024 and mandatory upon entry into force of the Cbw (expected Q2 2026)
    • Provide corporate identification details
    • Disclose sector classification
    • Maintain updated reporting contacts — changes to registered information must be reported within two weeks

    There are currently no mandatory NIS2 obligations in force in the Netherlands; the Cbw has not yet been enacted. Voluntary registration with the NCSC via mijn.ncsc.nl is encouraged, and the RDI provides a NIS2 self-assessment tool to help entities determine their likely classification.

    Self-identification will be mandatory once the Cbw enters into force. Entities should assess their scope now using the RDI self-assessment tool and prepare to register with the NCSC.

    13. Interaction With GDPR and Other Laws in the Netherlands

    The General Data Protection Regulation continues to apply concurrently.

    Overlap considerations include:

    • 72-hour personal data breach notification
    • Supervisory authority coordination
    • Parallel cybersecurity and data protection investigations
    • Sector-specific Dutch cybersecurity legislation

    A cyber incident may trigger reporting obligations under both regimes.

    14. Cross-Border Applicability

    Entities with their main establishment in the Netherlands are supervised by Dutch authorities for cross-border services.

    Foreign digital providers offering services in the Netherlands may be subject to national obligations depending on establishment structure.

    Representation requirements follow Directive standards for non-EU providers serving the Dutch market.

    15. Implementation Timeline in the Netherlands

    • Directive adoption: 2022
    • National legislative amendments: Cyberbeveiligingswet (Cbw) submitted to the Tweede Kamer on 4 June 2025; plenary debate held 23 March 2026; not yet voted into law as of April 2026
    • Entry into force: Not yet enacted; entry into force currently expected in Q2 2026; the Wbni continues to apply in the interim; some provisions may be phased
    • Commission notification: The Netherlands missed the 17 October 2024 transposition deadline; received an EC reasoned opinion on 7 May 2025; CJEU referral remains possible if transposition is not completed promptly
    • Compliance milestone: No mandatory NIS2 obligations are currently active; voluntary registration via mijn.ncsc.nl has been available since 17 October 2024; mandatory obligations will commence on entry into force of the Cbw

    The Netherlands missed the EU NIS2 transposition deadline of 17 October 2024 and remains under EC infringement proceedings. The Cyberbeveiligingswet (Cbw) is progressing through parliament and is expected to enter into force in Q2 2026. Entities should register voluntarily with the NCSC and complete readiness assessments now in preparation for mandatory obligations.

    16. Key Takeaways for SMEs in the Netherlands

    • Medium-sized entities in covered sectors will automatically be within scope once the Cyberbeveiligingswet (Cbw) enters into force, expected Q2 2026. Use the RDI's NIS2 self-assessment tool now to determine your likely classification.
    • Small entities may be designated if critical to national or economic stability.
    • Board-level governance oversight is mandatory. The Cbw includes a mandatory management cybersecurity training obligation, and board members may be held personally liable for governance failures.
    • Incident reporting follows 24h / 72h / 1 month deadlines, with a dual reporting obligation to both the NCSC (as national CSIRT) and the relevant sector competent authority. Entities must also notify affected service recipients.
    • Financial penalties can reach €10 million or 2% of global turnover.
    • Vendor risk management is required.
    • The Cbw is not yet in force, but obligations are coming. Register voluntarily with the NCSC at mijn.ncsc.nl now, complete the RDI self-assessment, and begin implementing NIS2-aligned measures. Note that supervision and enforcement will be carried out by sector-specific competent authorities — not the NCSC — under the Dutch multi-regulator model.

    FAQ: NIS2 Netherlands SME Guide

    Does NIS2 apply to small companies in the Netherlands?

    Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically covered.

    What are the NIS2 fines in the Netherlands?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in the Netherlands?

    The Netherlands is transposing NIS2 through the new Cyberbeveiligingswet (Cbw), which will replace the existing Wbni. The Cbw was submitted to the Tweede Kamer on 4 June 2025 and is expected to enter into force in Q2 2026, though this date remains subject to parliamentary progress. The Netherlands missed the 17 October 2024 transposition deadline and is subject to EC infringement proceedings. Voluntary registration with the NCSC at mijn.ncsc.nl has been available since 17 October 2024. The Wbni remains in force until the Cbw enters into effect.

    Who enforces NIS2 in the Netherlands?

    Under the Cyberbeveiligingswet (Cbw), enforcement is carried out by sector-specific competent authorities designated per sector through ministerial regulations — for example, the RDI (Rijksinspectie Digitale Infrastructuur) for digital infrastructure and the ILT for transport. The NCSC acts as the national CSIRT, coordinating incident response and information sharing, and is the central registration hub — but it is not itself the primary enforcement authority. Incident reports must be submitted to both the NCSC (as CSIRT) and the relevant sector competent authority.

    Can directors be personally liable under NIS2 in the Netherlands?

    Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.

    How does NIS2 differ from GDPR in the Netherlands?

    NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.

    What qualifies as a significant incident under NIS2 in the Netherlands?

    An incident causing severe disruption, significant financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.