In recent years, developments such as the COVID-19 pandemic, the war in Ukraine, cyber threats, and the impacts of climate change have increasingly strained the security of society and the economy. In response to these challenges, the European Union has been working on the NIS2 directive since 2020. The directive aims to enhance the digital and economic resilience of EU member states.
The NIS2 directive focuses on risks to network and information systems, including cybersecurity risks. It is intended to promote greater harmonisation across Europe and to raise cybersecurity standards among businesses and organisations. The NIS2 directive succeeds the first NIS directive, which was transposed into Dutch law in 2016 as the ‘Wet beveiliging netwerk- en informatiesystemen (Wbni)’.
The NIS2 directive is currently being transposed into Dutch legislation through the Cyberbeveiligingswet (Cbw). Once adopted, the Cyberbeveiligingswet will replace the existing Wbni, which implemented the first NIS directive.
NIS2 directive criteria
Organisations automatically fall under the NIS2 directive and, by extension, the Cyberbeveiligingswet if they operate in designated sectors and meet specific criteria as ‘essential’ or ‘important’ entities. The term ‘automatically’ means that the directive does not allow member states to determine which organisations are covered. It also does not permit them to decide when the obligations take effect. The obligations of the Cyberbeveiligingswet and its subsidiary regulations will apply directly to these organisations as soon as the law enters into force.
