Under the NIS2 directive and the Cyberbeveiligingswet, the government sector is treated as a distinct category. The following government organisations fall under the Cyberbeveiligingswet:
- Ministries, including their agencies and services
- Provinces
- Municipalities
- Water authorities, via the Ministry of Infrastructure and Water Management (IenW)
The following government bodies are subject to the Cyberbeveiligingswet only if they meet all 4 criteria for government institutions. This is assessed on a case-by-case basis:
- Independent administrative bodies (for example, independent Dutch regulators, set up by law to oversee sectors impartially)
- Joint arrangements (formal arrangements between public authorities)
Unlike other sectors, the size criterion does not apply to the government sector. Instead, specific criteria determine whether an organisation qualifies as a government institution. These criteria automatically apply to all ministries, provinces, and municipalities. For independent administrative bodies and joint arrangements, it must be determined on an individual basis whether the criteria are met.
The criteria for government institutions and their interpretation can be found in the Explanatory Memorandum to the Cyberbeveiligingswet, Section 5.1.2.
What defines an organisation as a government institution?
An organisation is considered a government institution if it:
- Was established to meet the needs of general interest and does not have an industrial or commercial character.
- Has legal personality or is authorised by law to act on behalf of another legal entity.
- Is primarily financed by the state, regional authorities, or other public law bodies, or is subject to management supervision by these authorities or bodies, or has a governing, executive, or supervisory body whose members are appointed more than 50% by the state, regional authorities, or other public law bodies.
- Has the authority to take administrative or regulatory decisions affecting the rights of natural or legal persons in relation to the cross-border movement of persons, goods, services, or capital (e.g., decisions under the General Administrative Law Act).
For further clarification on how to interpret these criteria, see the Explanatory Memorandum to the Cyberbeveiligingswet, Section 5.1.2.
Exceptions for government organisations
The Cyberbeveiligingswet excludes government institutions whose primary activities involve:
- National security
- Public safety
- Defence
- Law enforcement (including the prevention, investigation, and prosecution of criminal offences)
This means the following are exempt from the NIS2 directive:
- Ministry of Defence
- Military Intelligence and Security Service (MIVD)
- General Intelligence and Security Service (AIVD)
- Public Prosecution Service
- Police
- Safety regions
However, the NIS2 directive does require that even exempt organisations aim for an equivalent level of resilience.
Organisations whose activities are incidentally related to national security, public safety, defence, or law enforcement fall under the directive.
Are you subject to the Cyberbeveiligingswet?
Organisations are responsible for determining whether they are covered by the Cyberbeveiligingswet. Based on interdepartmental coordination, a questionnaire has been developed to help organisations assess whether they fall under the Cyberbeveiligingswet (NIS2 directive) and whether they are classified as essential or important.
- Take the NIS2 Self-Assessment
- Or consult the Registration Obligation Flowchart, created by the NCSC.
