NIS2: Netherlands to miss EU cyber law deadline

Experts in technology and data law and risk at Pinsent Masons in Amsterdam said the recent announcement made by the Ministry of Justice and Security should not delay their preparations for NIS2.

NIS2 builds on the original NIS directive which took effect in the EU in 2018. It is broader in its scope than the original directive, meaning more organisations across both the public and private sectors will be subject to cybersecurity risk management and incident reporting obligations than before.

Pharmaceutical companies and operators of hydrogen production, storage and transmission are among the organisations that will be subject to the strictest requirements under the tiered system of regulation NIS2 provides for. Some businesses that have only been subject to the lighter touch framework under the original NIS directive will also now find themselves subject to the stricter rules – including cloud computing providers.

Manufacturers of computers and vehicles, businesses engaged in food production and processing, chemicals companies and waste management providers are among the businesses that will face lighter touch regulation under NIS2, such as less burdensome record keeping duties in respect of the cybersecurity measures they must take to comply with the legislation.

NIS2 came into force in January 2023 but does not need to be implemented in the national laws of EU member states until 17 October 2024. However, in a letter to the Dutch parliament, justice and security minister Dilan Yeşilgöz-Zegerius explained that the Netherlands will miss this deadline, citing the “extensive and complex process” of implementation as the reason.

Yeşilgöz-Zegerius said: “Transposing the directives into national law will require more time than initially expected… Given the necessary follow-up steps in the legislative process, I conclude that the European Commission's implementation deadline of 17 October 2024 … will not be met.

The minister’s letter set out an indicative timeframe for next steps in the NIS2 implementation process in the Netherlands: a consultation on draft legislative proposals is expected to be opened before the summer, with the responses received to inform the formation of a bill that will also take into account advice from the Dutch data protection authority. The bill will then be submitted to advisers in the Dutch Council of State for its opinion, with the aim of then presenting the bill to parliament in the autumn. The government in the Netherlands said it hopes the whole legislative process can be completed before the end of 2024 but that it is “difficult to make a concrete estimate of the delay”.

Michelle Seel of Pinsent Masons said: “Although the implementation deadline will not be met, companies in the Netherland should start to incorporate the NIS2 requirements into their businesses, to safeguard their services and protect their network and information systems against cybersecurity risks and be ready for when the directive has been fully implemented.”

In the Netherlands, the first NIS directive is implemented by way of the Wet beveiliging netwerk-en informatiesystemen (Wbni). According to its letter, while new Dutch legislation implementing NIS2 is delayed, the Dutch government will consider the extent to which the existing Wbni provisions can be interpreted in a way that corresponds with the updated requirements in the EU legislation.

Jeroen Schouten of Pinsent Masons said that approach is possible under EU case law, albeit with “limitations”.

Schouten said: “In principle, according to standing case law developed by the Court of Justice of the EU (CJEU), a court will always need to explain local law in light of the wording and general purpose of a concerned directive in order to reach its intended result, irrespective of whether the relevant local law precedes the directive. There are generally four limitations to such an interpretation, however. Those limitations are, first, the principle of legal certainty; second, that interpretation should not lead to direct obligations on private individuals; third, that interpretation should be within the limits of local applicable procedural law; and fourth, that the court should not venture into the field of the lawmaker.”

“As a result, generally speaking, the Dutch government will be able to act as if any amendments to Wbni it envisages for implementing NIS2 are in effect, but it will not be able to enforce those provisions on business until they become effective in Dutch law,” he said.

Schouten said there could be practical implications for businesses in the Netherlands if the government does begin to consider how NIS2 applies in the country before the process of legislative reform completes.

He said: “Businesses should regard the current window of delay as extra time bought for implementation of the NIS2 requirements but should realise that the Dutch government may well be in a position to start enforcing earlier than expected after the amended Wbni has entered into force.”