Ongoing

On 21 May 2024, the Dutch government published a consultation document for the implementation legislation of the NIS2 Directive, the Dutch Cybersecurity Act (Cyberbeveiligingswet), which consultation period ended on 1 July 2024.

It is currently unknown when the Dutch Cybersecurity Act will be submitted as a bill before the Dutch Parliament.

• Closely modelled based on the NIS2 Directive.
• The scope has been extended to local governments (e.g. the provinces, municipalities and water boards) which have been assigned the status of essential entities. Educational institutions can be assigned the status of essential or important entities in individual cases based on a ministerial decree.
• Essential and important entities must report significant incidents to both the CSIRT and the competent authority (the relevant Ministry in that sector).
• Entities that are not important or essential can report incidents on a voluntary basis to a CSIRT.

According to the most recent update of the Dutch government dated 16 October 2024, the government currently anticipates that the draft NIS2 implementation legislation will be submitted to the Dutch Parliament in the first quarter of 2025 and will come into force in the third quarter of 2025, contingent on the progress of the legislation process within the Dutch Parliament.