What is Cyberbeveiligingswet (NIS 2 Directive)

What is the Cyberbeveiligingswet?

The Netherlands' Cyberbeveiligingswet (Cbw) is the national implementation of the NIS2 Directive, a cybersecurity framework designed to strengthen digital resilience across critical and important sectors in the European Union. The Cbw introduces stricter requirements for Dutch organizations to improve cyber resilience, enhance incident response, and ensure the continuity of essential services.

The EU requires each member state to enact its NIS2 policies into national law. The Dutch government is expected to enforce the Cbw by Q2 2026.

Which organizations fall under this act?

The Cbw applies to organizations categorized as:

  1. Essential entities: Organizations providing critical services to society and the economy, such as energy, transportation, and healthcare.
  2. Important entities: Organizations that play a significant role in economic and societal activities, including manufacturing, digital service providers, and food production and distribution.

Why the Cyberbeveiligingswet matters

Ensuring compliance with the Cbw is crucial to securing critical infrastructure while maintaining operational continuity. Non-compliance can lead to significant penalties under NIS2, including:

  • Up to €10 million or 2% of global annual turnover for essential entities.
  • Up to €7 million or 1.4% of global annual turnover for important entities.

What are the key requirements and obligations of the Cyberbeveiligingswet?

Organizations that fall under the Cbw must comply with the following obligations:

  1. Duty of care (Zorgplicht)

    Organizations covered by the Cbw have a duty of care to protect their services and information. They must take appropriate, risk-based measures to ensure continuity and security. These requirements are further specified in the Cbw itself, the Cybersecurity Decree (Cyberbeveiligingsbesluit), and sector-specific ministerial regulations.

  2. Registration obligation (Registratieplicht)

    Organizations covered by the Cbw must register with the National Cyber Security Centre (NCSC) by submitting their details to the register of entities (entiteitenregister). Registration, currently voluntary for some entities, will become mandatory once the Cbw takes effect; it allows organizations to receive cyberthreat information.

  3. Reporting obligation (Meldplicht)

    Organizations must report significant cyber incidents to the national computer security incident response team. Below are the deadlines specified by the NCSC:

    • Early warning within 24 hours.
    • Detailed incident notification within 72 hours.
    • Final report after resolution.

    Voluntary reporting (Vrijwillige melding)

    Organizations are also encouraged to voluntarily report cybersecurity incidents or threats.

  4. Administrative accountability and training (Bestuurlijke aansprakelijkheid en training)

    The Cbw requires members of management to undergo cybersecurity training. This training enables them to:

    • Identify risks to network and information systems.
    • Evaluate risk management measures.
    • Understand the impact of risks and mitigation strategies.

    Management has up to two years after the law comes into effect to complete this training.

  5. Supervision (Toezicht)

    Organizations under the Cbw will be supervised to assess their compliance. Supervisory authorities monitor compliance with the requirements set out in the law.

Start your NIS2 compliance preparation now!

The Cbw is expected to be enforced in Q2 2026. Learn how ManageEngine's IAM and SIEM solutions can help you achieve compliance.