NIS2 in the Netherlands: What your organisation must do.
Cyberbeveiligingswet (Cbw) · In force · Enforcement: October 1, 2026
The Netherlands has transposed the EU NIS2 Directive. If your organisation operates in a covered sector, you are likely in scope and must comply with NCSC-NL / RDI (Rijksinspectie Digitale Infrastructuur) requirements.
Full enforcement
The Cyberbeveiligingswet enters full force October 1, 2026. EU baseline obligations apply now.
Entity classification
Are you an Essential or Important Entity?
Essential Entity
Annex I sector + large enterprise (250+ employees or €50M+ turnover)
Penalties: up to €10M or 2% of global turnover
Proactive supervision — authorities can audit at any time
Important Entity
Annex I medium enterprise or Annex II medium/large enterprise
Penalties: up to €7M or 1.4% of global turnover
Reactive supervision — investigated when non-compliance is indicated
Not sure which classification applies to your organisation? The free self-check takes 3 minutes and tells you exactly where you stand — including Netherlands-specific rules.
What the Netherlands requires
Your obligations under Cyberbeveiligingswet (Cbw).
EU baseline NIS2 obligations apply now (since October 18, 2024)
Begin gap assessment and remediation immediately — October 2026 is closer than it appears
Register with NCSC-NL / RDI once the registration portal opens
Implement Article 21 risk management measures
Report significant incidents within 24 hours (early warning) and 72 hours (full report)
Management body accountability — board must approve cybersecurity measures
Supply chain security due diligence
ISO 27001 in the Netherlands
ISO 27001 is a useful framework for NIS2 compliance in the Netherlands, but no formal presumption of conformity exists under Dutch law.
Sectors in scope in the Netherlands
What makes the Netherlands different
The Cyberbeveiligingswet was enacted but full enforcement starts October 1, 2026 — this is not a reason to delay preparation.
Finance supervised by DNB/AFM. DORA applies to financial entities and takes precedence over NIS2.
Energy and telecoms supervised by ACM (Authority for Consumers and Markets).
Start your gap assessment now — October 2026 allows just enough time to remediate before enforcement begins.
Know exactly where you stand on NIS2 in the Netherlands.
The free self-check takes 3 minutes. It applies Netherlands-specific rules, tells you your entity type, and recommends the right assessment plan.