In the week of Nov. 10, 2025, the Internet consultation of the ministerial regulation under the Cybersecurity Act will begin. The consultation gives everyone the opportunity to respond to the draft text. The consultation period will run through December 21, 2025.
The Cybersecurity Act is the transposition into national law of the European NIS2 Directive. This directive aims to strengthen the resilience of the member states of the European Union by ensuring that organizations are sufficiently resilient against a variety of threats. The Rijksoverheid is therefore calling on organizations to prepare for the arrival of the law and the underlying regulations.
Internet consultation on the ministerial regulation under the Critical Entity Resilience Act (Wwke) is also starting. The Wwke is the transposition into national law of the CER Directive, on the resilience of critical entities.
The ministerial regulations are the further elaboration of the Cyber Security Act, the Critical Entity Defensibility Act, the Cyber Security Decree and the Critical Entity Defensibility Decree. The Cyber Security Decree and the Critical Entity Resilience Decree are the general orders in council (amvb's) under the Acts. Whereas the laws and amvb's lay down the broad outlines and general obligations, the ministerial regulations actually contain the more detailed, sector-specific provisions.
Most departments will draw up their own ministerial regulations for the sectors for which they are responsible. An important part of these regulations is the elaboration of the obligation to report incidents in the form of threshold values that determine in which cases a report is mandatory.
In developing the ministerial regulations, there has been intensive coordination between the departments so that where possible the regulations are the same and do not contradict each other. Indeed, several organizations will fall under the regulations of one department as well as another.
Six ministries - the Ministries of the Interior and Kingdom Relations (BZK), Infrastructure and Water Management (I&W), Economic Affairs (EZ), Climate and Green Growth (KGG), Agriculture, Fisheries, Food Security and Nature (LVVN) and Health, Welfare and Sport (VWS) - will consult their draft regulations under the Cybersecurity Act this week. The Ministry of Education, Culture and Science (OCW) will offer its ministerial regulations at a later date.
Ministerial regulations of the ministries of I&W, EZ, KGG and LVVN
The detailed regulations on the duty of care have been jointly drawn up by the ministries of I&W, EZ, KGG and LVVN for the sectors covered by these ministries. A joint elaboration of the duty of care was chosen so that the security requirements for entities are the same. This is particularly efficient and effective for companies that fall under multiple sectors and therefore have to deal with one set of requirements.
In the spring of 2025, it was possible to react to this joint elaboration of the duty of care via an Internet consultation. In response, adjustments were made that can be found in the ministerial regulations before you from the relevant ministries.
The criteria for mandatory reporting incorporated in the draft regulations have been largely sector-specific and therefore do differ.
Ministerial regulations BZK and VWS
The Ministry of the Interior and the Ministry of VWS are now making their full ministerial regulations available for consultation.
Underlying ministerial regulations are also being developed for the Critical Entity Resilience Act. More information on this The Ministry of IenW and the Ministry of KGG are now offering their ministerial regulations for consultation. Consultation on the regulations of the Ministry of the Interior and Kingdom Relations, the Ministry of Health, Welfare and Sport and the Ministry of LVVN will follow shortly.
Anyone can respond to the ministerial regulations at www.internetconsultatie.nl. Reaction is possible from November 10 to December 21, 2025. After the consultation period ends, all responses will be reviewed by department and processed where appropriate.
Use the links below to view the drafts of the ministerial regulations and to participate in the consultation:
In June 2025, the Cyber Security Act and Critical Entity Resilience Act bills were submitted to the House of Representatives and the drafts of the underlying executive orders were submitted to the House of Representatives for information.
In the reports on the bills, questions were raised from the House of Representatives about the bills and the orders in council. Those questions were answered by the government in a memorandum following the report. The notes can be viewed here:
At the end of this year, the amvb's will be submitted to the Advisory Division of the Raad van State for its opinion.
The government aims for the laws, executive orders and ministerial regulations to come into force in the second quarter of 2026.
The measures that organizations must take from the upcoming Cybersecurity Act take time and attention. That is why the Rijksoverheid advises organizations not to wait until the Act takes effect, but to make preparations in advance. The NCSC provides extensive information on the steps your organization can already take to prepare.
The NCSC has an extensive FAQ on the Cybersecurity Act. The NCTV has also published a lot of additional information and Q&A on rights and obligations, planning and the legislative process. Using the Cybersecurity Act referral tree, you get a comprehensive overview of the responsible ministries, CSIRTS and regulators by sector. The NCTV also has more information on the Critical Entity Resilience Act
