The draft Cybersecurity Act has been submitted to the Dutch House of Representatives. This legislation represents the Netherlands’ implementation of the European NIS2 Directive, which should already have come into force in October 2024.
The contents of the proposal hold no major surprises: the reporting obligation, duty of care, and other core elements from the NIS2 Directive are included. The specific details will follow later in a General Administrative Order (AMvB).
The House of Representatives will now debate and vote on the bill. Given the increasing geopolitical tensions, the hope is that this process will not be delayed. After approval in the House, it will proceed to the Senate.
A definitive date for entry into force has not yet been set. However, government sources have already indicated that the third quarter of 2025 is no longer realistic. For companies that wish to prepare, having a clear timeline is crucial. At this point, the expected effective date is 1 January 2026.
The full legislative text can be found here: https://www.tweedekamer.nl/kamerstukken/detail?id=2025Z11344&did=2025D26059
