The Dutch House of Representatives has passed the Cybersecurity Act bill, finally anchoring the European NIS2 directive into national legislation.
The Dutch House of Representatives has passed the Cybersecurity Act. This law transposes the European NIS2 directive into national legislation. This makes the Netherlands significantly slower than Belgium, which, along with Croatia, was the only country to meet the imposed European deadline.
The EU required NIS2 to be transposed into a national legislative framework by October 2024. As a reminder: European directives only become valid in a member state after the local parliament has transposed them into national law.
With this approval, NIS2 is not yet in force in the Netherlands. This is expected to happen in a few months, after the Senate also grants its approval.
Measures and responsibility
From then on, Dutch organizations must meet the same cybersecurity requirements as Belgian ones. The key pillars of NIS2 are the same everywhere. Organizations are required to handle their digital security with due care and take the necessary measures. There is, however, a distinction in obligations between critical and important entities.
Also important is the focus on supply chain security for critical organizations, meaning companies that do not fall directly under NIS2 must still invest in cybersecurity. Finally, NIS2 places part of the responsibility for cybersecurity personally on directors, ensuring they are motivated to allocate the necessary resources.
