On June 2, 2025, the Cybersecurity Bill was officially submitted to the House of Representatives. This law implements the European NIS2 guideline into Dutch law and the goal of strengthening the digital resilience level of essential and important organizations in EU member states.
What does the cybersecurity law entail?
The Cybersecurity Act is designed to increase the digital resilience of organizations. Among other things, the law should require companies to ensure they take measures against cybersecurity risks and report significant incidents to the government.
This law is an important step in strengthening the digital resilience of the Netherlands. For organizations, it means an expansion of responsibilities and obligations in the area of cyber security. It is important that organizations proactively prepare for the changes in order to meet the new requirements.
Expected entry into force
The original planning aimed for an enactment in the third quarter of 2025. This proved impossible due to recent political developments. The responsible policy department of the Ministry of Justice & Security (the NCTV)has confirmedThat the intended entry into force is scheduled for the second quarter 2026. This means that any organization covered by the law would then be legally obliged to comply with the requirements of the NIS2 Directive. The feasibility of this depends in part on the progress of the parliamentary consideration of the bill.
Don't wait, prepare
It is estimated that over 8,000 organizations will fall under the scope of the Cybersecurity Act. These include sectors such as energy, transportation, healthcare, digital infrastructure and financial services. Despite the legislative delay, it is important for these organizations to prepare for the upcoming obligations in a timely manner. After all, the risks organizations face are already occurring now. The central government is therefore calling on organizations to prepare for the arrival of these laws and the underlying regulations. The NCSC provides a comprehensive roadmap that your organization can already put in place in preparation.
Sources: