Skip to main content
ImplementedNIS2

NIS2 in Netherlands

The Netherlands transposed NIS2 via the Cyberbeveiligingswet (CBW), which entered into force in late 2024. NCSC-NL and sector-specific regulators share supervisory duties.

Transposition law
Cyberbeveiligingswet (CBW)
In force
17 October 2024
Competent authority
NCSC-NL: National Cyber Security Centre
Max fine (Essential)
€10 million or 2% of global annual turnover
Max fine (Important)
€7 million or 1.4% of global annual turnover
Full enforcement
January 2025

Key Deadlines

CBW in force
17 October 2024
Registration deadline
17 January 2025
Full enforcement
1 January 2025

Competent Authority

NCSC-NL: National Cyber Security Centre
Coordination and support; sector supervisors handle enforcement
https://www.ncsc.nl

The Netherlands uses a multi-authority model where sector-specific regulators (Agentschap Telecom for ICT/telecom, DNB for banking, NZa for health) act as competent authorities under the CBW umbrella. NCSC-NL provides cross-sector threat intelligence.

Registration Process

Register through your sector-specific regulator. For most digital service providers and general ICT entities, register via Agentschap Telecom. Healthcare entities register via NZa; financial entities via DNB.

📊 Quick Test

Find out if your company is in scope

Does your organisation fall under Annex I (Essential) or Annex II (Important) entities?

Check NIS2 Scope →

Key Requirements

  • 1Registration with the relevant sector supervisor
  • 2Incident notification within 24 hours (early warning) and 72 hours (full notification) to NCSC-NL
  • 3Annual risk assessment using the NCSC-NL cyber risk assessment methodology
  • 4Duty of care (zorgplicht) requiring proportionate security measures
  • 5Notification of significant changes to services or infrastructure
  • 6Supply chain due diligence requirements

National Additions

The Netherlands added a general 'duty of care' (zorgplicht) concept broader than Article 21's enumerated measures
Dutch water management authorities (waterschappen) are explicitly included
The CBW introduced a dedicated incident notification portal at meldportaalcyberincidenten.nl

FAQ: NIS2 in Netherlands

Which Dutch regulator is responsible for my sector?
Agentschap Telecom handles telecom and most digital services. De Nederlandsche Bank (DNB) covers banking and financial markets. The Nederlandse Zorgautoriteit (NZa) covers healthcare. The national rail and transport authority handles transport. When in doubt, contact NCSC-NL for guidance.
Does the zorgplicht differ from Article 21 NIS2?
Yes. The Dutch zorgplicht is a principles-based obligation requiring entities to implement 'appropriate and proportionate' measures, it is broader than Article 21's enumerated list and allows the regulator to require additional controls based on risk.

Ready to assess your NIS2 compliance?

Use our free tools to check your NIS2 scope and run a gap assessment.

🎯 Scope Checker📊 Gap Assessment