Dutch NIS2 rollout faces further delays
The Dutch government has again delayed its implementation of the European NIS2 directive, Justice and Security Minister David van Weel announced in a letter to parliament this week.
In the letter, Van Weel announced that the implementation of NIS2, as well as the related Critical Entities Resilience (CER) directive, won’t be completed before the second quarter of 2026. Realistically, the minister said, the final timeline could slip into the second half of next year, depending on parliamentary progress.
Impact
The previously communicated ambition of the third quarter of this year is no longer feasible, Van Weel states in the letter. Considering that the laws will impact Dutch organizations significantly, transposition into national legislation is turning out to be an extensive and complex process.
Due to that impact on organizations, it was decided to open the implementation bills for internet consultation, even though that wasn’t mandatory for implementation legislation. “This internet consultation has yielded valuable responses and has led to, among other things, adjustments to the bills and additions to the accompanying explanatory memoranda,” Van Weel says.
Delays
This is not the first delay. NIS2, adopted at the European level in early 2023, was supposed to be transposed into national law by all EU member states by October 17, 2024. The Netherlands initially aimed to meet that deadline, but quickly pushed it back to 2025. Now, the earliest estimate sits a full year beyond the EU deadline.
The reasons behind the delay are a mix between legislative complexity and political distraction. The NIS2 directive expands the number of sectors that must meet cybersecurity obligations, from energy and healthcare to financial services and transport. It also adds stricter requirements for governance, reporting, and supply chain security. According to the Dutch government, implementing all of this requires significant legal and administrative groundwork. But progress has been further hampered by the fall of the cabinet, causing a legislative traffic jam in The Hague.
Uncertainty
Meanwhile, Dutch businesses that fall under the new rules face more uncertainty. Without a national law in place, companies don’t yet know exactly what their compliance obligations will be. In sectors like digital infrastructure or cloud computing, where cross-border operations are common, this lack of clarity is already creating headaches. Some neighboring countries, such as Belgium, have already transposed NIS2 and are enforcing compliance, leaving Dutch firms operating in two legal worlds.
Despite the delays, experts warn that companies shouldn’t wait around for the government to catch up. Many of the NIS2 requirements, such as having a proper incident response plan or mapping supply chain dependencies, are best practices in any case. Legal obligations or not, the cyber risks these rules are meant to address aren’t slowing down.
