The Netherlands missed the 17 October 2024 deadline to transpose the NIS2 Directive, leaving organizations in scope in a regulatory grey zone for nearly two years. That period is ending. The Cyberbeveiligingswet, the Dutch Cybersecurity Act, passed the Tweede Kamer on 15 April 2026 and now sits with the Senate, with the government targeting entry into force on 1 July 2026.
The three layers of the Dutch implementation, the Act, the Cyberbeveiligingsbesluit, and the sector regulations, are designed to take effect at once. There is no phased rollout and no grace period. Four enforcement-facing obligations activate the moment the law comes into force: 24, 72 hour and one-month incident reporting to the NCSC, mandatory registration with the competent authority, mandatory executive training backed by personal director liability, and active compliance auditing by sector regulators.
Our latest analysis sets out who is in scope, what each obligation means in practice, and the steps Dutch boards should take in the weeks before the law takes effect.
Read what Dutch boards need to confirm, assess and put in place before the Cyberbeveiligingswet takes effect.
Read the board guide