NIS2 / Cybersecurity Act

NIS2 is a European cybersecurity directive that the Netherlands is transposing into national law as the Cybersecurity Act (Cyberbeveiligingswet). The law is expected to take effect on 15 August 2026 and replaces the current Network and Information Systems Security Act (Wbni). IT-Checklist summarises the key points here, with concrete next steps via our ISO 27001 and NEN 7510 pages.

πŸ₯ Healthcare is one of the 18 critical sectors

The Cybersecurity Act applies to 18 designated sectors, including energy, drinking water, digital infrastructure and healthcare. Working in healthcare? Also see our NEN 7510 page β€” that standard specifically targets information security in healthcare and overlaps substantially with NIS2 obligations.

What does the law require?

  • Setting up and maintaining an information security risk management system.
  • Reporting serious cyber incidents to the NCSC within 24 hours (early warning) and 72 hours (full notification).
  • Directors are personally responsible for approving and overseeing cybersecurity policy.
  • Suppliers and the supply chain must be included in the risk analysis.

Practical first steps for SMEs

Even if the law doesn’t directly apply to you, it’s wise to start now: a risk analysis, an up-to-date security policy and an incident response plan are valuable for almost any organisation. Start with our free IT check to see where you currently stand.

Does the Cybersecurity Act (NIS2) apply to me?

The law applies to medium and large organisations (50+ staff or €10 million+ turnover/balance sheet) in 18 designated critical sectors, including energy, drinking water, digital infrastructure, transport, government β€” and healthcare. Smaller healthcare organisations or suppliers to critical sectors may still be affected indirectly, for example as a contractor.

What is the NIS2 fine if I don't comply?

It depends on your classification. Essential entities risk a fine of up to €10 million or 2% of global annual turnover (whichever is higher). Important entities β€” including many SMEs and healthcare organisations β€” risk up to €7 million or 1.4% of annual turnover. Repeated or serious violations can also lead to personal liability for directors.

What's the difference between 'essential' and 'important' entities?

Essential entities (larger organisations in the most critical sectors, such as energy and digital infrastructure) face stricter, proactive supervision. Important entities β€” including many healthcare organisations β€” are checked after the fact, but must meet the same duty of care and incident reporting requirements.

How many companies in the Netherlands does the law affect?

An estimated 10,000 organisations fall directly under the Cybersecurity Act. On top of that, an estimated 50,000 to 100,000 SMEs are affected indirectly, because as a supplier or chain partner of a NIS2-obligated organisation they also need to meet certain security requirements.

Is there an NIS2 checklist for SMEs?

A compact checklist to get started: (1) determine whether you fall under the law directly or via the supply chain, (2) register your organisation with the NCSC via mijn.ncsc.nl once possible, (3) carry out and document a risk analysis, (4) draft an information security policy with a clear owner on the board, (5) set up an incident reporting procedure (24-hour/72-hour), and (6) map your key suppliers and their security level.

When do I need to comply?

The Cybersecurity Act is expected to take effect on 15 August 2026. From that date, organisations must register with the NCSC (via mijn.ncsc.nl) and report cyber incidents. Don't wait until the last moment β€” setting up risk analyses and policy takes time.