NIS2 in the Netherlands: What the Cyberbeveiligingswet means & how to comply
The Netherlands now has its NIS2 law. On 7 July 2026, the Dutch Senate adopted the Cyberbeveiligingswet (Cbw), which transposes the EU NIS2 Directive into national law. It takes effect on 15 August 2026, with no transition period. From that date, organizations in scope must meet the duty of care and the duty to report.
Who this guide is for: Security, IT, risk, compliance, and operations leaders at Dutch organizations that may fall under NIS2, and the suppliers who serve them. No prior NIS2 knowledge assumed.
What's inside: What the Cyberbeveiligingswet is, who is in scope, the four core obligations, penalties, the OT and IoT blind spot most programs miss, and a practical first-steps checklist.
Official source: The authoritative government reference is the NCSC at ncsc.nl/cyberbeveiligingswet-nis2. Check scope and register at mijn.ncsc.nl.
What is the Cyberbeveiligingswet?
The Cyberbeveiligingswet is the Dutch implementation of NIS2 (Directive (EU) 2022/2555), the EU's updated cybersecurity directive. It replaces the 2018 Wet beveiliging netwerk- en informatiesystemen (Wbni) and widens both the range of organizations covered and the obligations they carry. A directive does not bind organizations directly until a member state turns it into national law. The Netherlands missed the EU's October 2024 deadline; the Cbw was passed by the House of Representatives in April 2026 and adopted by the Senate on 7 July 2026. On the same day, the Senate also adopted the Wet weerbaarheid kritieke entiteiten (Wwke), implementing the EU Critical Entities Resilience Directive. The two form one package: the Cbw for cybersecurity, the Wwke for physical resilience.
Who is in scope?
Your organization falls under the Cyberbeveiligingswet if all three of these are true: you operate in a sector listed in Annex I or II of NIS2 (energy, transport, banking, water, healthcare, digital infrastructure, public administration, food production, manufacturing, chemicals, and more); you are medium-sized or large (broadly 50+ staff, or turnover or balance sheet above 10 million euros); and you provide services in the EU. Some high-risk entities are in scope regardless of size, and all government bodies, including municipalities, provinces, and water authorities, are also in scope. The Dutch government estimates around 8,000 organizations are affected, and many do not yet realize it. If unsure, the Dutch Authority for Digital Infrastructure (RDI) offers a self-assessment tool.
Essential versus important. In-scope organizations are split into essential entities (proactive supervision, meaning regulators can audit without a trigger) and important entities (reactive supervision). Both carry the same core obligations; the difference is in how they are supervised.
The supply chain catch. Even if you are not directly in scope, in-scope customers must manage supplier risk, so they pass requirements down by contract. Many mid-sized companies will feel NIS2 first through a customer's procurement questionnaire, not a regulator.
The four core obligations
- Duty of care. Run a risk assessment and take appropriate technical and organizational measures. The law is principle-based, so rather than a checklist it names areas your measures must cover: risk and security policy, incident handling, continuity and backup, supply chain, secure acquisition and maintenance (including vulnerability handling), access control and MFA, encryption, and assessing whether the measures actually work.
- Duty to report. For significant incidents: an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month. Cyber incidents go to the CSIRT, coordinated by the NCSC.
- Registration. In-scope entities must register in the entity register at the NCSC, via mijn.ncsc.nl, once the law is in force.
- Management accountability. The board is responsible for cyber risk management, must complete training, and can be held personally liable. This is what moves NIS2 up the boardroom agenda fastest.
What happens if you don't comply?
Enforcement escalates from corrective orders to substantial fines reaching into the millions of euros, and, for the most serious failures, measures against responsible individuals. For many organizations, the more immediate risk is commercial: losing contracts with in-scope customers who can no longer accept an unmanaged supplier.
The blind spot: OT and IoT
The duty of care applies to your whole environment, not just the IT you already secure. That includes two categories most programs under-count. Operational technology (OT) is the industrial side: PLCs, SCADA, and building management systems for HVAC, power, and access. The Internet of Things (IoT) is the office-automation side: badge readers, cameras, smart sensors, and connected facilities devices. Both sit on your network, are rarely patched, and often cannot be seen in standard security tooling. That is a compliance problem, because an asset you cannot see is one you cannot prove you are managing. OT is hard to assess safely, since aggressive IT-style scanning can disrupt sensitive devices, so it often goes unassessed. The problem? The risk doesn’t disappear; it stays invisible, which is the opposite of what NIS2 requires.
Holm Security helps you assess your OT environment with risk-based prioritization to help you get - and stay - NIS2 compliant.
How to comply: practical first steps
- Confirm your scope. Establish whether you are an essential or important entity, and whether you are also a critical entity under the Wwke. Use the RDI self-assessment if unsure.
- Register with the NCSC at mijn.ncsc.nl once the law is in force.
- Run a gap analysis against the duty-of-care areas, with attention to supply chain risk and MFA - common weak points.
- Get full asset visibility, including OT and IoT. You cannot manage or report on what you cannot see. This is the step most often overlooked.
- Build the evidence. Move from having policies to demonstrating they work through assessment, testing, and regulator-ready documentation.
- Brief and train the board. Management training is a legal requirement, and leadership needs to understand its risk of exposure.
With enforcement starting on 15 August 2026, the organizations in the strongest position are those building evidence now, rather than waiting for a regulator, a customer questionnaire, or an incident to force it.
Where vulnerability management fits in
Much of the duty of care reduces to a discipline most teams recognize: know your assets, know where they are exposed, address those weaknesses systematically. ENISA recommends vulnerability management as an NIS2 measure, and it maps onto the duty-of-care areas around asset management, secure maintenance, and vulnerability handling. The part most often missed is extending it to OT and IoT. That is our focus at Holm Security: a European vulnerability management platform, trusted by more than 1,500 organizations, that brings IT, network, cloud, identity, OT, and IoT into one view of risk - assessed on your terms.
See how Holm Security covers OT and SCADA, or contact our local team in the Netherlands.
FAQ
-
When does the Cyberbeveiligingswet take effect?
15 August 2026, with no transition period.
-
Is NIS2 the same as the Cyberbeveiligingswet?
NIS2 is the EU directive; the Cyberbeveiligingswet is the Dutch law that makes it binding nationally.
-
How do I know if my organization is in scope?
Likely in scope if you are in an Annex I or II sector, are medium or large (50+ staff or over 10 million euros), and provide services in the EU. Some high-risk entities and all government bodies are covered regardless of size. The RDI self-assessment can confirm.
-
Does NIS2 cover OT and IoT?
Yes. The duty of care applies to your whole environment. OT (industrial control and building systems) and IoT (connected office and facilities devices) are in scope, and are usually the least visible part of it.
-
Where do I register?
In the entity register at the NCSC, via mijn.ncsc.nl, once the law is in force.




