The European NIS2 directive in the Netherlands will be implemented later than planned. It is expected to be transposed into national legislation in the second quarter of 2026. Outgoing Minister David van Weel of Justice and Security informed the House of Representatives about this.
The deadline for this was Oct. 18, 2024. A day before it expired, Van Weel announced that the Netherlands was expected to implement NIS2 in the third quarter of this year. "The goal previously communicated to your Chamber that the Cybersecurity Act and the Critical Entity Resilience Act will come into effect in the third quarter of 2025 is unfortunately no longer feasible. I hope that both laws can take effect in the second quarter of 2026," the minister's letter reads.
Van Weel attributes the delay to the scope and complexity of the process. The Netherlands is not the only EU country that has not yet implemented the NIS2 directive. Bulgaria, Cyprus, Denmark, Germany, Estonia, Finland, France, Hungary, Ireland, Latvia, Luxembourg, Austria, Poland, Portugal, Slovenia, Spain, Czech Republic and Sweden have also missed the deadline.
Click here for Van Weel's letter to the House of Representatives.
