The Dutch Cybersecurity Act (NIS2): are you in scope, and what changes on 1 July 2026?
The Dutch Cybersecurity Act — the Netherlands' implementation of the European NIS2 directive — is about to take effect. The House of Representatives passed it on 15 April 2026; the government is aiming for 1 July 2026, and there is no transition period. Three questions decide what this means for you: are you in scope, what must you do, and how do you prove your security actually works?
Where things stand (June 2026)
First, the state of play, because there is a lot of confusion about it. NIS2 is the European directive; member states were supposed to have transposed it into national law back in October 2024, but the Netherlands missed that deadline. The Dutch implementation is called the Cyberbeveiligingswet (Cybersecurity Act). The steps so far:
- The House of Representatives passed the bill on 15 April 2026 (together with the related Critical Entities Resilience Act).
- The Senate is currently reviewing it; the committee reported in early June 2026, with the plenary vote to follow.
- The government is aiming for entry into force on 1 July 2026. A definitive date depends on the Senate completing its process.
This is the detail that catches many organisations off guard: the obligations apply from the day the law takes effect. There is no one-year grace period. Anyone who only starts building once the law is live will be behind from day one. The preparation has to happen now, not after 1 July.
Is my organisation in scope?
The law uses two criteria together: sector and size. If you operate in a designated sector and you are medium-sized or large, you are in principle in scope. The rule of thumb for "medium-sized" is 50 or more staff, or more than €10 million in annual turnover (or balance sheet total). Some types of organisation are in scope regardless of size.
The designated sectors include energy, drinking and waste water, transport, banking and financial markets, healthcare, digital infrastructure, public administration, postal and courier services, waste management, the chemical and food industries, manufacturing of critical goods, digital service providers (cloud, data centres, online marketplaces, search engines) and research.
The law then distinguishes two categories, with practically the same substantive obligations but different supervision:
| Aspect | Essential entity | Important entity |
|---|---|---|
| Mainly who | Large organisations in the most critical sectors (e.g. energy, transport, healthcare, drinking water, digital infrastructure, government) | Medium-sized organisations in those sectors, plus organisations in the other designated sectors |
| Duty of care & reporting | Yes | Yes — substantively identical |
| Supervision | Proactive: the regulator may inspect without a specific trigger | Reactive: supervision mainly after an incident or signal |
| Maximum fine | Up to €10M or 2% of global annual turnover | Up to €7M or 1.4% of global annual turnover |
Not sure whether you are in scope? Don't write yourself off too quickly. Many organisations that don't see themselves as "critical infrastructure" — a SaaS supplier to healthcare, a regional transport company, a drinking-water supplier — are pulled in through their sector or their supply chain. When in doubt, the safe assumption is to prepare.
The three core obligations
Boiled down, the law comes to three obligations, plus a responsibility placed on management that cuts across all of them. They apply to both essential and important entities.
Duty of care
Carry out your own risk assessment and, based on it, take appropriate and proportionate technical and organisational measures. Then demonstrate that those measures actually work.
Reporting obligation
Report a significant incident quickly: an early warning within 24 hours, followed by a fuller incident notification within 72 hours and a final report within one month.
Registration obligation
Register your organisation as an entity, so the regulator knows who falls under the law. This is part of being demonstrably on the regulator's radar.
Management responsibility
The management body must approve the measures, oversee them and undergo training. Board-level involvement is no longer a formality but a legal requirement.
What the duty of care means technically
The duty of care is deliberately principle-based: the law doesn't prescribe exact measures, but expects you to make appropriate choices based on your own risk assessment. The NIS2 directive does list the areas that must be covered, including:
- Risk analysis and information security policy
- Incident handling and detection
- Business continuity, backup and crisis management
- Supply chain security
- Security in the acquisition, development and maintenance of systems — including vulnerability handling and disclosure
- Policies to assess the effectiveness of the measures
- Access control, encryption and multi-factor authentication
Note that second-to-last point: assessing the effectiveness of your measures is itself an explicit requirement. Having a policy is not enough; you have to be able to show it holds up in practice. That is exactly where paper compliance and real resilience part ways.
Where does a penetration test fit in?
The Cybersecurity Act never uses the word "penetration test" literally — and neither does the NIS2 directive. That is not a loophole but an instruction: you have to demonstrate that your verification method is appropriate. And for the technical measures, an independent penetration test is the standard and strongest piece of evidence. A good pentest report shows in black and white:
- Which vulnerabilities actually existed at the time of testing
- Which of them were genuinely exploitable — not just theoretical
- Which measures demonstrably work, and which don't
- Which findings were resolved after remediation (the retest)
That covers precisely the "assess the effectiveness" part of the duty of care. It doesn't replace the broader NIS2 programme (governance, reporting chain, supply chain), but it is the piece of evidence that's hardest to substitute: an external party that tried to get in, and recorded the result. Want the basics first? Read what a penetration test actually is; for the budget side, see what a penetration test costs.
If you work in healthcare or government, NIS2 runs alongside existing frameworks. For healthcare it aligns with NEN 7510; for municipalities with ENSIA and the BIO — we wrote about that in NIS2 and municipalities. The underlying requirement is the same: prove that the measures work.
What you can do now — before 1 July
No panic, but no delay either. A workable first move:
- Determine whether you are in scope. Test your sector and size against the criteria. When in doubt: assume yes.
- Make a current risk assessment. Which systems are critical, which threats are relevant, which measures belong to them?
- Set up the reporting chain. Who gets called during an incident, who files the report, within what deadline? Rehearse it once.
- Gather evidence that the technology works. Plan a penetration test on your most critical application(s) and keep the report and the retest statement.
- Involve the board formally. Record decision-making and training on cyber risk — that's now a legal requirement, not a nice-to-have.
- Look at your supply chain. Ask your critical suppliers for their pentest reports or certifications.
NIS2 moves the bar from "do you have a policy?" to "can you prove it works?". Those who build that evidence now are ready on 1 July — those who wait for the regulator to call choose the most expensive route.
Conclusion
The Dutch Cybersecurity Act is neither a tick-box exercise nor a distant concern. It affects a broad group of medium-sized and large organisations, is expected to take effect on 1 July 2026 with no transition period, and firmly shifts responsibility to the board. The duty of care asks not only for measures, but for evidence that they work.
Within that whole, a penetration test is not an end in itself, but it is the most concrete piece of evidence for the technical side — and one of the fastest first steps you can take. Not sure where to start? A free 30-minute intake gives clarity, with no obligation.
NIS2 evidence that holds up.
A manual penetration test on your critical applications, with a report and retest statement you can use directly towards the regulator. Fixed price, retest included.