Netherlands late with NIS2 implementation: law unlikely to take effect until spring 2026

The NIS2 Directive, adopted by the EU in 2022, is the renewed legal framework to strengthen the cybersecurity and resilience of critical infrastructure and services. It replaces the earlier 2016 NIS Directive and significantly expands its scope. In addition to sectors such as energy, transportation, banking and healthcare, the rules now include governments, aerospace, producers of critical goods, food production, postal services and many digital service providers, among others.

NIS2 sets stricter requirements for risk management, supply chain security and incident reporting (within 24 hours). Directors are also held directly accountable for compliance and must undergo periodic cybersecurity training.

Delay in the Netherlands

Although the Dutch law was originally supposed to take effect on January 1, 2025, it is now almost certain that it will not take effect until the second quarter of 2026. The legal text is ready and there is broad political support, but implementation was delayed. Pressure from Brussels is mounting as the Netherlands is formally in violation.

Sectors prepare

Despite the delay, many sectors are already moving: more than 100 industries are working on audits, certifications and improved risk management. Infrastructure, such as hotlines and accompanying standards, is largely in place, including through the NIS2 Quality Mark.

A report by the European agency ENISA warns that six critical sectors - including IT services, public administration and healthcare - still face significant challenges in complying with NIS2. In contrast, electricity, telecom and banking score better due to existing stringent regulations and investments.

Non-compliance with NIS2 can result in fines of up to €10 million or 2% of global annual sales, whichever is higher.