NIS2 is now Dutch law: what changes on August 15th, and what to do about it

Approved on July 7th, in force on August 15th, and no transition period
July 8, 2026
Ivar van Duuren

On July 7th, 2026, the Dutch Senate (Eerste Kamer) approved the Cyberbeveiligingswet (Cbw), the law that brings NIS2 into force in the Netherlands. It takes effect on August 15th, 2026, with no transition period. The Senate passed the companion Wet weerbaarheid kritieke entiteiten (Wwke) the same day, applying from the same date.

From August 15th, cybersecurity is a legal obligation for an estimated 8,000 organisations directly, around 500 more under the Wwke, and for tens of thousands of suppliers through supply-chain requirements.

The law sets four core duties:

Duty of care: appropriate technical and organisational measures against cyber risk, including risk in your supply chain.
Incident reporting: report a significant incident to your CSIRT and the competent supervisor through the NCSC portal, an early warning within 24 hours, a fuller notification within 72 hours, and a final report within a month.
Registration: register your organisation with the NCSC, in the national register of entities.
Management-body duty: the board must approve the risk measures, follow training, and can be held personally liable.

If your organisation is in scope, the practical deadline is now, not August 15th. The date is the headline. The scope and the accountability are the real story.

The Netherlands was one of the last EU member states to transpose NIS2. Under the old Wbni, roughly 1,000 organisations were in scope. Under the Cbw that jumps to around 8,000, and many of them are discovering their in-scope status for the first time.

Two details generic coverage tends to skip:

There is no transition period. The legal basis and the supervisor's mandate exist from day one. Nobody expects an inspector on the doorstep on August 15th, but "we will start after the summer" is no longer a safe position.

The chain pulls you in. You do not have to be a named essential or important entity to feel this. If you supply one, the duty of care reaches you through their supply-chain obligations. Plenty of organisations that assume NIS2 is not their problem will be asked to prove otherwise by a customer.

And the part that changes the conversation: the management-body duty. The board has to approve the risk measures, sit through the training, and carry personal liability for getting it wrong. NIS2 is no longer something the IT team owns quietly. It is a board-level responsibility with a name attached to it.

Stripped to its core, the Cbw asks three questions you now have to answer on the record: are your security measures appropriate and documented, can you get the first report of a serious incident out within 24 hours, and can you show a supervisor the evidence when they ask?

The organisations least rattled by August 15th are the ones that already run a structured information security management system. NIS2's duty of care maps closely onto ISO 27001: risk management, incident response, access control, supplier management, business continuity. It is largely the same work, expressed for a different regulator. An organisation already certified to ISO 27001 typically adds NIS2 as a mapping exercise rather than a rebuild, because the controls and the evidence already exist and only need to be pointed at the new obligation.

That is the difference between a scramble and a scheduling decision. When the Municipality of Waterland set out to meet the BIO standard ahead of the 2024 government deadline, the hard part was not the requirements, it was having a structure to lean on. With one system holding clear ownership, organised tasks and audit-ready evidence, meeting the deadline was about running the process, not inventing it.

That is exactly the position NIS2 now puts thousands of Dutch organisations in.

If August 15th applies to you, four moves this month:

1. Confirm scope. Decide whether you are an essential or important entity, or a supplier to one. If you are a supplier, the question is coming from a customer, answer it before they ask.
2. Map what you already have against the duty of care. If you hold ISO 27001, most of the work is done and needs mapping, not building.
3. Stand up the obligations that are genuinely new: phased incident reporting (early warning within 24 hours, follow-up within 72), registration with the NCSC, and evidence you can produce on demand.
4. Get the board in the room. The management-body duty and personal liability mean this needs a named owner, not an informal nod.

ISOPlanner™ gives you one structure for exactly this: NIS2 and ISO 27001 mapped together, ownership made visible and evidence ready before anyone asks for it, all inside the Microsoft 365 environment your team already works in.

With no transition period, or, as one ISOPlanner™ partner puts it: "Compliance should not be an annual sprint, but a logical part of daily practice." From August 15th, that is exactly the position worth being in.
Let us show how ISOPlanner™ supports NIS2

Related Posts