On Wednesday, 15 April 2026, the Dutch Parliament approved the draft Cybersecurity Act (Cyberbeveiligingswet, “Cbw”), which implements the EU NIS2 Directive in the Netherlands. This approval has been long awaited and marks the first major development in the Dutch NIS2 implementation process since the summer of 2025, following an enduring period of legislative delay.
NIS2 in short
NIS2 applies to essential and important entities operating in sectors such as energy, transport, healthcare, digital infrastructure, manufacturing and certain digital services. It introduces far‑reaching obligations, including cybersecurity risk‑management measures, governance and accountability requirements, mandatory incident reporting, and registration with national authorities. Management bodies may be held personally accountable for non‑compliance, and enforcement authorities are granted supervisory and sanctioning powers.
Key features of the Cybersecurity Act
The Cbw generally aligns with NIS2 and therefore, for the most part, does not materially deviate from the Directive. As a result, organisations that have already begun preparing for NIS2 compliance in other EU jurisdictions will find the applicable requirements largely familiar.
That said, we believe that two amendments deserve special attention: Articles 21 and 21a Cbw.
Article 21 Cbw implements Article 21 NIS2, which sets out the cybersecurity risk management measures applicable to essential and important entities. In the original legislative proposal, the government included a power (set out in Article 21(5) Cbw) to introduce additional cybersecurity requirements, both sector‑specific and of a general nature, by way of secondary legislation (general administrative order, “AMvB”). This provision would have allowed the government to impose further obligations without prior approval by Parliament and the Senate.
In the version of the bill approved by Parliament on 15 April, this power has been amended to require that any additional measures adopted pursuant to Article 21(5) be submitted to Parliament and the Senate at least four weeks before they are submitted in next phase of the legislative process. This amendment strengthens the statutory basis of such measures and introduces an additional democratic safeguard with respect to any supplementary cybersecurity obligations imposed on essential and important entities.
Another notable amendment is the addition of Article 21a Cbw. With Article 21a, Parliament has proposed to move the minister’s power to require essential and important entities to exclude certain suppliers from critical parts of their network and information systems from secondary legislation (a general administrative order, or “AMvB”) directly into the Cbw itself. This decision significantly elevates the legal status of this intervention power by securing it in formal legislation.
In particular, Article 21a will empower the competent minister, where necessary for the protection of national security, to prohibit entities from engaging suppliers for their network and information systems that:
- pose a direct national security risk; or
- have close ties to, or are under the influence of, states or entities posing such a risk.
At the same time, Parliament has proposed to include safeguards to prevent political arbitrariness and service disruptions. For instance, a ban may only be imposed as a last resort, where technical, operational or organisational risk‑mitigation measures are not reasonably available or sufficient. Additionally, in order to safeguard continuity of the entity’s services, a transition period will be granted for phasing out existing products or services.
Entities subject to a supplier ban will have access to standard administrative objection and appeal procedures. Notably, Article 21a does not apply to providers of public electronic communications networks or services (PECNs/PECSs), which remain subject to sector-specific legislation such as, inter alia, the Dutch Telecommunications Act. Article 21a will sit next to the ICT supply chain framework in the proposal for revision of the Cybersecurity (CSA2), potentially resulting in parallel powers of the Netherlands and the European Commission to exclude high-risk vendors. For more information on this topic see the article here.
Parliamentary motions
In addition to amendments to the bill itself, Parliament adopted several motions alongside the Cbw. While motions are not legally binding and do not create direct obligations, they often drive future policy, secondary legislation and enforcement priorities.
Key adopted motions include:
- a request to strengthen the information position of mayors and chairs of safety regions in the event of cyber incidents affecting public order, including by creating a legal basis for information sharing where necessary;
- a request for the government to examine how threat intelligence and lessons learned can be better shared within supply chains, with particular attention to enabling smaller companies to benefit from such exchanges; and
- a request to ensure, when drafting enforcement policies and secondary legislation, that no more than one punitive sanction is imposed under the Cbw for the same facts and the same protected interest.
Next steps & expectations
The bill will now be submitted to the Dutch Senate (Eerste Kamer) that will decide how it will handle the bill, including whether (and how) a written preliminary examination will take place. More clarity on the legislative timeline is expected shortly thereafter.
The government continues to indicate that formal adoption in Q2 2026 remains the target. If the Senate completes its review before the end of Q2, entry into force could, in theory, follow relatively quickly. Organisations potentially in scope should therefore continue (or accelerate) their NIS2 readiness efforts, paying close attention not only to operational cybersecurity measures but also to governance, supplier management and incident‑response procedures.
For further information, please contact:
Puck van den Bosch, Bird & Bird
puck.vandenbosch@twobirds.com
