The Dutch Cybersecurity Act (Cyberbeveiligingswet): What It Means for NIS2 Compliance and Digital Resilience

Apr 15, 2025 | Knowledge Base, News and Blogs

From NIS2 to National Law

The Dutch Cybersecurity Act (Cyberbeveiligingswet) is the national implementation of the European NIS2 Directive.
It establishes new rules for organizations in essential and important sectors to strengthen their digital resilience and report incidents that could impact critical operations.

By requiring mandatory risk assessments, incident reporting, and entity registration, the Act enables both the government and the private sector to manage cyber threats more effectively.
It represents a proactive response to the rising number and severity of cyberattacks, helping prevent large-scale societal and economic disruptions caused by digital incidents.


What Does the Cybersecurity Act Cover?

The new Act replaces the Network and Information Systems Security Act (Wbni) and significantly broadens its scope and requirements.

Under the law, organizations are divided into two main categories:

  • Essential entities – such as energy providers, telecom operators, water companies, and hospitals.

  • Important entities – including digital service providers, transportation companies, logistics firms, and manufacturers in strategic supply chains.

The law applies primarily to medium and large organizations — defined as those with 250 or more employees or €50 million in annual revenue.
However, smaller companies may also fall under the Act if their services are critical to society or integral to national infrastructure.


Key Obligations Under the Dutch Cybersecurity Act

Organizations classified under the Act must comply with three fundamental obligations that form the backbone of NIS2:

1. Security Obligation

Every organization must perform a risk assessment and implement technical and organizational security measures appropriate to its threat exposure.
This includes policies for access control, encryption, incident response, business continuity, and supply chain security.

2. Notification Obligation

Significant ICT incidents must be reported within 24 hours to the National Cyber Security Center (NCSC) or the sector-specific Computer Security Incident Response Team (CSIRT).
Timely reporting ensures coordinated response, mitigation, and intelligence sharing to limit damage.

3. Registration Obligation

All covered entities must register in the NIS2 Entity Register, including up-to-date contact information, sector classification, and relevant operational details.
This registration helps authorities maintain oversight and facilitate incident coordination.

Supervisory authorities will be empowered to audit organizations, issue guidance, and enforce penalties in cases of non-compliance — including administrative fines and corrective measures.


When Will the Cybersecurity Act Take Effect?

While the EU NIS2 Directive came into force on 17 October 2024, each member state is responsible for translating it into national law.

In the Netherlands, the Cybersecurity Act (Cyberbeveiligingswet) is expected to be enacted in Q3 or Q4 of 2025.
Until then, voluntary registration is strongly encouraged, giving organizations the opportunity to prepare early and avoid compliance stress once the law becomes mandatory.


Preparing for Compliance: What Organizations Should Do Now

Even before the Act officially takes effect, organizations can begin preparing by taking proactive steps, including:

  1. Conduct a cybersecurity risk assessment — Identify critical assets, vulnerabilities, and suppliers.

  2. Map your digital ecosystem — Determine which suppliers or third parties fall under NIS2 obligations.

  3. Establish incident response and reporting procedures — Define roles, responsibilities, and escalation paths.

  4. Document governance and accountability — Ensure leadership is informed and involved in cybersecurity decisions.

  5. Engage trusted monitoring partners — Leverage continuous insights into vulnerabilities, breaches, and compliance gaps.

Taking these steps now not only helps you meet future legal obligations but also enhances operational resilience and stakeholder trust.


How RiskStudio Supports the Cybersecurity Act and NIS2 Readiness

At RiskStudio, we help organizations operationalize the requirements of the Cybersecurity Act — making compliance tangible, measurable, and efficient.

Our platform delivers end-to-end visibility into your digital risk landscape, both within your organization and across your supply chain.
Whether you’re identifying NIS2-relevant suppliers, assessing risks, or tracking incident trends, RiskStudio gives you the clarity and control you need.

With RiskStudio, you can:

  • Identify NIS2 entities and dependencies within your supplier network.

  • Monitor cyber hygiene and vulnerabilities in real time.

  • Receive alerts on data breaches, ransomware, or other incidents.

  • Group suppliers by critical process or department for structured follow-up.

  • Document evidence and track improvements for audits and reports.

By connecting compliance with live data and actionable intelligence, RiskStudio helps you move beyond checklists — toward continuous improvement and measurable cyber resilience.

It’s not just about ticking the compliance box.
It’s about taking control of your digital ecosystem.


Frequently Asked Questions (FAQ)

1. What is the Dutch Cybersecurity Act (Cyberbeveiligingswet)?
It’s the national law that implements the European NIS2 Directive in the Netherlands, setting cybersecurity obligations for essential and important entities.

2. Who does the Act apply to?
It applies to medium and large organizations in sectors such as energy, telecom, water management, healthcare, transportation, and digital services — as well as smaller companies critical to society.

3. What are the main requirements under the Act?
Organizations must meet three obligations: risk-based security measures, 24-hour incident reporting, and registration in the NIS2 Entity Register.

4. When will the Act come into force?
The Dutch Cybersecurity Act is expected to take effect in Q3 or Q4 of 2025. Voluntary registration is already encouraged.

5. What happens if an organization doesn’t comply?
Supervisory bodies may impose fines, corrective actions, or administrative sanctions depending on the severity of non-compliance.

6. How does RiskStudio help with compliance?
RiskStudio enables organizations to map suppliers, monitor risks, detect vulnerabilities, and document improvements — aligning digital operations with NIS2 and Cybersecurity Act requirements.


Conclusion

The Dutch Cybersecurity Act marks a crucial milestone in strengthening national and European cybersecurity.
It requires organizations not only to comply but to build lasting digital resilience through transparency, governance, and proactive risk management.

With RiskStudio, you gain the insights, visibility, and structure needed to turn compliance into confidence.
Together, they form the foundation for a more secure and resilient digital Netherlands.