Current schedule: entry into force in 2026
The European NIS2 directive has already been in force since early 2023, but each EU country must transpose the rules into national legislation. In the Netherlands, this is done through the Cyber Security Act (CBW). The Cyberbeveiligingswet effective date has now been postponed: the expected entry into force is in the second quarter of 2026. This means that organizations in the Netherlands can already start the NIS2 implementation now, so they will be ready when the law officially takes effect.
Why that extra time is no reason to wait
The Cybersecurity Act enactment may be a while away, but the requirements of NIS2 compliance require time and attention. This is because it emphasizes structural risk management, managerial accountability and collaboration within the chain. Whether you work at a municipality, healthcare institution, ICT service provider or SME: chances are your organization will soon be subject to the law or will have to comply as a supplier to NIS2 organizations.
What exactly is changing with the NIS2 enactment?
The advent of NIS2 will make cybersecurity a legal requirement. Important changes include:
- Administrative responsibility: administrators are personally responsible for cybersecurity.
- Duty to report: serious incidents must be reported within 24 hours.
- Supplier management: supply chain partners must demonstrate safe working practices.
- Policy requirement: organizations must document and maintain their security measures.
With the Cyber Security Act, these requirements will become legally binding in the Netherlands. Once the law is active, the regulator can impose fines on organizations that fail to meet NIS compliance.
The role of ISO 27001 in NIS2 implementation
Many organizations are already working with ISO 27001. This is a great advantage, as this standard closely matches the requirements of NIS2. A well-designed ISMS (Information Security Management System) helps with risk management, internal audits, policies and reporting - all components also required within NIS2.
An NIS2 consultant can help determine from ISO 27001 what additional measures are needed to become fully compliant with the Cybersecurity Act. This way you build on existing processes and avoid duplication of effort.
NIS2 Quality Mark: demonstrable reliability
In addition to legal compliance, there is also a need for practical evidence. The NIS2 Quality Mark (NIS2 QM) is a seal of approval for suppliers working with organizations covered by NIS2. This NIS2 quality mark demonstrates that your organization meets key information security and NIS2 cybersecurity requirements.
What you can do now: start with an NIS2 check
The NIS2 enactment seems a while away, but preparation takes time. By doing an NIS2 check now, you will know exactly where your organization stands and what steps are needed for NIS2 compliance.
The Cybersecurity Act is expected to take effect in the second quarter of 2026. Still, this is the time to start your NIS2 implementation. The sooner you start, the easier it is to meet the requirements of NIS2 and chain responsibility.
Our consultants conduct an NIS2 audit or NIS2 assessment and assist organizations with NIS2 implementation in the Netherlands - from baseline measurement to full compliance process. Want to know if your organization meets the requirements of the upcoming Cybersecurity Act? Schedule a free, no-obligation 45-minute consultation below.
