OUT-LAW NEWS

Netherlands moves closer to delayed NIS2 implementation

The Dutch House of Representatives has approved new cybersecurity legislation. Photo: Getty Images


Legislative approaches for implementing the much-delayed NIS2 provisions in the Netherlands will not require a separate cybersecurity authority, according to experts.

The Dutch House of Representatives has approved the country’s draft new cybersecurity legislation – the Cyberbeveiligingswet (Cbw) – which takes it a significant step closer to implementing the requirements of the EU-wide NIS2 directive.

Approval is now due from the Dutch Senate, which would enable the law to enter into force this year – two years after the EU originally intended it to be made law.

The new act is intended to strengthen digital resilience requirements for companies and other bodies in the country to ensure economic and socially important systems are able to function, along with sister legislation around critical entity resilience.

Jeroen Schouten, a technology expert with Pinsent Masons in Amsterdam, explained the legislation would mean the Netherlands opting for a decentralised supervisory model, with regulators in separate sectors overseeing a coordinated national approach to compliance.

“This reflects a deliberate policy choice to build on existing regulatory structures rather than introducing a single central cybersecurity authority,” he said.

“The Dutch legislator has largely opted for a minimum harmonisation approach, meaning that the Cbw does not materially deviate from the requirements set out in NIS2. 

“This should provide a degree of regulatory consistency for organisations operating across multiple EU member states.”

The Netherlands is not alone in facing delays in implementing the new requirements, with other countries – including Germany – having had issues in bringing them to fruition in time.

The impact of the new legislation will be evaluated within the first two years, along with an implementation assessment inside the first 18 months that will examine the regulatory burden and reporting processes the new law may impose on businesses and organisations.

With a major hurdle towards implementation now cleared, companies in the country should step up their cybersecurity preparations, explained Nienke Kingma, a data protection expert with Pinsent Masons in the Netherlands.

“The approval of the Cbw confirms that organisations operating in the Netherlands should accelerate their NIS2 readiness programmes,” she said.

“While the Cbw does not introduce major substantive deviations from NIS2, its broad scope and sectoral supervision model are likely to have a significant practical impact on organisations, especially those that were previously outside the scope of Dutch cybersecurity regulation.”
