The transposition of NIS2 into Dutch law (Cyberbeveiligingswet) has been postponed further. It is now expected mid-2026. European countries were required to implement their national law by October 2024. Last year it was already clear that the Netherlands was not going to make this date. The (now outgoing) cabinet issued an estimate of Q3 2025 last year. A month ago, the European Commission sent a letter (“reasoned opinion”) to no fewer than 19 EU countries calling on them to come up with a plan. For the Netherlands, the response was therefore further delay. NIS2 implementation in the Netherlands looks set to be delayed by almost two years past the required date.
Organizations continue to be at risk. Cyber risks are consistently in the top 3 of the largest business risks. The absence of clear legal obligations and associated board liability does not help the digital resilience of Dutch society. It is therefore very important that organizations take steps now, or continue their implementation, in order to be prepared for possible incidents and to be able to recover quickly from them. An additional advantage is that once the law actually comes into effect, your organization is already largely compliant.
The best time to take action is now
The best time to take action is now, for example by scheduling a NIS2 boardroom training or getting the NIS2 Quality Mark!