Cybersecurity Act passes in lower chamber
On April 15, the Dutch House of Representatives passed the bills for the Cybersecurity Act (Cbw) and the Critical Entities Resilience Act (Wet weerbaarheid kritieke entiteiten). The Cbw transposes the European NIS2 Directive into Dutch law and replaces the current Wbni. This enshrines in law the duty of care, reporting obligation, and registration requirement for thousands of organizations in the Netherlands.
Organizations are responsible for determining whether they fall under the new legislation. They can conduct an initial assessment via an online evaluation to see how they are classified.
There are two qualification levels: 'essential' and 'important.' The first group is subject to proactive supervision: compliance with obligations is actively monitored, even if there are no incidents. The second group is subject to reactive monitoring, for example, if there are reports of non-compliance or in the event of an incident.
Essential entities include central and local governments, qualified trust service providers, providers of top-level domain name registries, and providers of DNS services. Medium-sized organizations that provide public electronic communications networks or services are also considered essential entities. The classification of organizations from other sectors depends primarily on their size category: large, medium, or small.
Government agencies that primarily carry out activities in the areas of national security, public safety, defense, or law enforcement—including the prevention, investigation, detection, and prosecution of criminal offenses—are excluded from the scope of the Cybersecurity Act.
The legislative proposals are now being sent to the Senate. A report, a memorandum, and a plenary debate are expected. The plan is for the law to take effect in the second quarter of 2026, but whether this is feasible depends on the pace at which the Senate processes the legislative proposal.
