Transposing the NIS2 Directive into the Cybersecurity Act (Cbw) and the CER Directive into the Critical Entity Resilience Act (Wwke) is taking more time than expected. In fact, this is a vast and complex process that requires diligence.
Thus, the Netherlands will not make it to transpose the directives into national legislation before the October 17, 2024 deadline. The Cbw is expected to take effect in the 3rd quarter of 2025. Nevertheless, parts of the NIS2 directive already apply in the period between Oct. 17 and the date the law enters into force. Below you can read how and what.
In the period from October 17, 2024 to the date of entry into force of the Cbw, organizations covered by the directives (including governments) are not yet subject to any resulting obligations. The obligations under the Act and its supervision will take effect from the date of entry into force. However, organizations do have certain rights in some cases. This is because of the direct effect of some provisions in the NIS2 Directive. Consider, for example, receiving assistance in the event of an incident from a Computer Security Incident Response Team (CSIRT).
For organizations currently already covered by the Network and Information Systems Security Act (Wbni), the rights and obligations under that act will continue to apply until the Cbw enters into force, thereby repealing the Wbni.
The Rijksoverheid explicitly calls on organizations to get started already and not to wait until the Cbw and Wwke are in place. After all, the risks that organizations and systems face are already there now. View more information on how organizations can prepare(link to other website) for the arrival of both laws.
