NIS2 Directive (Cyberbeveiligingswet, Cbw)

How did the Cyberbeveiligingswet come about?

Which government organisations are subject to the Cyberbeveiligingswet?

How can (government) organisations prepare for the Cyberbeveiligingswet?

What are the obligations under the Cyberbeveiligingswet?

Where can organisations turn for sector-specific queries, reports, or incidents?

The Cyberbeveiligingswet (Cbw) transposes the EU’s Network and Information Security Directive (NIS2) into Dutch law. The NIS2 Directive seeks to strengthen cybersecurity and resilience across critical sectors in EU member states. This improvement is necessary due to increasing digital dependence and rising threats.

The Cyberbeveiligingswet will enter into force once both the House of Representatives and the Senate have approved it. This is expected in Q2 2026, though the exact timing depends on the completion of the parliamentary process.

Although the NIS2 directive has been in force for EU member states since 16 January 2023, it does not apply directly to individual organisations in each country, as directives must first be transposed into national legislation. Accordingly, the directive is being transposed into Dutch law through the Cyberbeveiligingswet. Once adopted, the Cyberbeveiligingswet will replace the current ‘Wet beveiliging netwerk- en informatiesystemen (Wbni)’.

The Cyberbeveiligingswet imposes various obligations on organisations, subject to independent oversight. Read more about these requirements.

The legislation transposing the NIS2 directive into the Cyberbeveiligingswet consists of 3 components:

• The Cyberbeveiligingswet bill and its accompanying Explanatory Memorandum (Memorie van Toelichting).
• The Cyberbeveiligingsbesluit (Cbb), a general administrative order under the Cyberbeveiligingswet known as Algemene Maatregel van Bestuur (AMvB), along with its explanatory notes. The Cbb sets out further details of the Cyberbeveiligingswet, including the duty of care, registration requirements, and mandatory training for administrators. The Cbb applies to all sectors covered by the Cyberbeveiligingswet.
• Sector-specific ministerial regulations, which provide further detail on certain obligations outlined in the Cbb. For example, the Baseline Information Security for Government (BIO) specifies the duty of care for the government sector.

Cyberbeveiligingswet (Cbw): national legislation

On 4 June 2025, the bill for the Cyberbeveiligingswet, which implements the NIS2 directive, was submitted to the House of Representatives. This bill transposes the NIS2 directive into national law. Previous bills underwent public consultation, and the Council of State was asked for advice and feedback incorporated where possible.

The bill and accompanying documents are available in Dutch on the House of Representatives’ website.

Cyberbeveiligingsbesluit (AMvB Cbw)

From 28 February to 30 March 2025, there was an online public consultation on the draft Algemene Maatregel van Bestuur (AMvB) for the bill: the Cyberbeveiligingsbesluit (Cbb). The feedback from this consultation led to revisions to the Cbb texts. The revised texts have been submitted to the House of Representatives and the Senate for consideration and sent to the Council of State for advice.

View the draft AMvB: Cyberbeveiligingsbesluit.

Ministerial Regulation for the Cyberbeveiligingswet (Government Sector)

Government departments are currently developing their ministerial regulations under the Cyberbeveiligingswet. These will specify the duty of care and the threshold criteria for mandatory incident reporting. In the government sector, the duty of care will be defined in accordance with the Baseline Information Security for Government (BIO).

More information

Read about the origins of the Cyberbeveiligingswet, its obligations, or visit the FAQ section. If this doesn’t answer your question, please email cyberbeveiligingswet@minbzk.nl.