Netherlands NIS2 competent authority structure under the Cyberbeveiligingswet

6 Dutch NIS2 Sector Supervisors: Which Competent Authority Governs Your Organisation Under the Cyberbeveiligingswet

The Netherlands missed the EU’s October 2024 transposition deadline by almost 18 months. On 15 April 2026, the Tweede Kamer voted to adopt the Cyberbeveiligingswet (CBW) — the Dutch law implementing EU Directive 2022/2555 (NIS2). The bill now awaits Senate confirmation, with entry into force targeted for 1 July 2026.

What makes the Dutch implementation distinctive is not the delay but a structural decision: the Netherlands declined to create a single central cybersecurity regulator. Supervisory responsibility flows to the most sector-competent existing authority. NCSC-NL coordinates, registers, and acts as the national CSIRT — but six specialist authorities will audit, inspect, and enforce.

This guide maps the sector-to-supervisor routing under the Cyberbeveiligingswet, explains how DORA displaces NIS2 for most Dutch financial entities, and sets out the enforcement powers each authority holds.

Who Falls Under the Cyberbeveiligingswet?

The CBW brings roughly 8,000 Dutch organisations into scope — up from approximately 1,000 under the previous Wbni framework. Coverage spans 18 sectors: energy, transport, banking, healthcare, digital infrastructure, water, food, waste management, manufacturing, aerospace, chemicals, postal services, and several more.

Size, measured under the SME definition in EU Recommendation 2003/361, is the main test for whether an organisation is classified as an essential entity (essentiële entiteit) or an important entity (belangrijke entiteit). It is not the only test: under the Directive, only large entities in Annex I sectors are essential, while large Annex II entities and medium-sized Annex I entities are important.

| Classification | Size test | Maximum penalty |
|---|---|---|
| Essential entity | Large enterprise: ≥ 250 employees, or turnover > €50M and balance sheet > €43M | €10M or 2% of global annual turnover, whichever is higher |
| Important entity | Medium enterprise: 50–249 employees, or turnover > €10M and balance sheet > €10M, without meeting the large-enterprise test | €7M or 1.4% of global annual turnover, whichever is higher |
| Micro/small (< 50 staff and turnover or balance sheet ≤ €10M) | Generally exempt | n/a |

Size thresholds do not apply to these categories; they fall in scope regardless of headcount or revenue:

  • Public electronic communications providers (telecoms)
  • Trust service providers and DNS service providers (including recursive resolver operators)
  • Top-level domain name registries and domain name registration service providers
  • Government entities (central and local, including municipalities and provinces)

Cloud providers, data centre operators, managed service providers and online marketplaces are not size-exempt: they are in scope only when they meet the medium or large size test above.

The essential vs important classification matters immediately: it determines which supervisory authority contacts you first, how frequently audits occur, and whether oversight is proactive or reactive. For a fuller analysis of who is in NIS2 scope across EU member states, the Directive’s Annex I and II sector lists are the authoritative reference.

The Three Pillars of CBW Compliance

The Cyberbeveiligingswet organises all obligations into three interlocking pillars. NCSC-NL sits at the centre of all three — as registration hub, incident reporting gateway, and CSIRT — even though sector supervisors hold enforcement authority.

Registratieplicht (Registration obligation): Every in-scope entity must register in the national entity register at mijn.ncsc.nl. Registration has been open on a voluntary basis since October 2024; once the CBW enters into force it becomes mandatory. Registration requires eHerkenning authentication and collects the organisation's name, sector classification, contact details and IP ranges. The NCSC portal then routes the record to the relevant sector supervisor automatically. There is no single EU-wide registration: an organisation with establishments in several member states registers in each state whose jurisdiction it falls under. The exception is the digital categories listed in Article 26(1)(b) of the Directive (DNS service providers, TLD registries, domain name registration services, cloud, data centre and CDN providers, managed (security) service providers, online marketplaces, search engines and social networking platforms), which fall under the jurisdiction of the member state of their main establishment only and whose details are additionally collected in the ENISA registry under Article 27. For practical guidance on the NIS2 entity registration process, the NCSC self-assessment tool is the recommended starting point.

Meldplicht (Reporting obligation): Significant incidents must be reported in three stages: an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month. All reports go to NCSC-NL, which acts as the CSIRT and forwards them to the competent sector authority, so an entity reports once rather than to each authority separately. The Article 23 notification framework applies across the EU and the CBW does not modify the timeline; sector-specific thresholds for what constitutes a "significant incident" are being set via ministerial regulations.

Zorgplicht (Duty of care): Organisations must implement risk-proportionate security measures across the 10 domains listed in Article 21 of the directive: risk assessment, incident response, business continuity, supply chain security, access control, cryptography, vulnerability management, and others. The CBW requires the management board to approve and actively oversee these measures, with mandatory cybersecurity training — covering risk types, consequence assessment, and risk management methodology — for all board members. Board members who fail to meet this obligation face personal liability under the CBW.

Sector-to-Supervisor Routing: The Complete Authority Table

The table below reflects the CBW as adopted by the Tweede Kamer on 15 April 2026, the existing Wbni supervisory assignments, and the RDI and NCTV guidance published to date. Sector-specific ministerial regulations are still being finalised; confirm your exact assignment via the NCSC self-assessment tool at ncsc.nl before the CBW enters into force.

| Sector | Supervisory authority | Abbrev. |
|---|---|---|
| Digital infrastructure (DNS, internet exchanges, data centres, CDN) | Rijksinspectie Digitale Infrastructuur | RDI |
| Managed ICT services / ICT-managed service providers | Rijksinspectie Digitale Infrastructuur | RDI |
| Cloud computing providers | Rijksinspectie Digitale Infrastructuur | RDI |
| Energy (electricity, gas, oil, district heating) | Rijksinspectie Digitale Infrastructuur | RDI |
| Aerospace and research institutions | Rijksinspectie Digitale Infrastructuur | RDI |
| Central government and public administration | Rijksinspectie Digitale Infrastructuur | RDI |
| Municipalities and provinces (local authorities) | Rijksinspectie Digitale Infrastructuur | RDI |
| Manufacturing, chemicals, postal services, waste management | Rijksinspectie Digitale Infrastructuur | RDI |
| Water boards (waterschappen) | Inspectie Leefomgeving en Transport | ILT |
| Transport (road, rail, air, maritime, ports) | Inspectie Leefomgeving en Transport | ILT |
| Drinking water and wastewater | Inspectie Leefomgeving en Transport | ILT |
| Healthcare (hospitals, labs, pharmaceutical) | Inspectie Gezondheidszorg en Jeugd | IGJ |
| Banking and credit institutions | De Nederlandsche Bank* | DNB |
| Financial markets infrastructure | Autoriteit Financiële Markten* | AFM |
| Food production and distribution | Nederlandse Voedsel- en Warenautoriteit | NVWA |

* Financial entities subject to DORA (Regulation EU 2022/2554) are primarily regulated under DORA by DNB and AFM. See the DORA section below for how this affects CBW obligations in practice.

Two patterns stand out in this structure. First, RDI is the default supervisor for the majority of CBW-covered entities — digital infrastructure, energy, government, manufacturing, aerospace, research, and any sector without a specialist regulator. Second, the financial sector routing is more complex than the table suggests, because DORA’s lex specialis carve-out changes what CBW supervision means for banks and investment firms in practice.

RDI in Focus: The Default Supervisor for Most Dutch Entities

The Rijksinspectie Digitale Infrastructuur is the Netherlands’ regulator for digital infrastructure resilience and digital rights. It is not a new creation for NIS2: RDI already supervised Wbni compliance for operators of essential services in digital infrastructure. Under the CBW, its mandate expands substantially — absorbing government entities at all levels, energy operators, managed service providers, aerospace, and research institutions.

For Dutch organisations in the RDI cluster, several practical points matter:

  • Self-assessment tool: RDI launched an NIS2 self-assessment tool in October 2023, over a year before the EU transposition deadline. Organisations can use this now to benchmark their readiness before mandatory registration.
  • First-year approach: RDI has publicly stated it intends to spend the first year of CBW enforcement understanding the sectors under its supervision before moving to active financial penalty action.
  • Ex ante vs ex post: Essential entities receive proactive supervision — RDI can initiate compliance audits and security scans without waiting for an incident. Important entities receive reactive supervision — RDI intervenes primarily after an incident, complaint, or detected non-compliance signal.
  • Enforcement toolkit: When violations are found, RDI can issue binding instructions, require mandatory security audits, impose administrative fines (boete), and issue orders subject to a penalty payment (last onder dwangsom). In serious cases, managers can be temporarily prohibited from exercising their functions.

The government-entities expansion is one of the most distinctive Dutch choices under the CBW (see the "What's distinctly Dutch" section below). Approximately 342 municipalities, 12 provinces and 21 water boards fall within scope, a breadth of coverage that goes well beyond the EU minimum. The municipalities and provinces route to RDI; the water boards route to ILT, as the table above shows.

Financial Entities and DORA: The Lex Specialis Carve-Out

Recital 28 of Directive 2022/2555 positions Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), as lex specialis for financial services. Article 4 of the NIS2 Directive makes the mechanism explicit: where a sector-specific Union act requires entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect, the corresponding NIS2 provisions (including supervision and enforcement) do not apply. DORA's own Article 1(2) declares it such a sector-specific act for financial entities. For Dutch financial entities this means DORA's ICT risk management and incident reporting requirements replace the equivalent CBW obligations.

DORA has applied since 17 January 2025, with DNB and AFM as the designated Dutch competent authorities from that date. The practical consequences for Dutch financial organisations are operationally significant:

| Dimension | NIS2 / CBW | DORA (lex specialis) |
|---|---|---|
| Initial incident notification | Early warning within 24 hours of becoming aware | Initial notification within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware |
| Follow-up reports | Incident notification within 72 hours; final report within one month | Intermediate report within 72 hours of the initial notification; final report within one month of the intermediate report |
| Third-party / supply chain | Article 21(2)(d) | DORA Articles 28–30 (more prescriptive) |
| Dutch supervisor (banking and credit institutions) | DNB under CBW | DNB under DORA |
| Dutch supervisor (financial markets infrastructure) | AFM under CBW | AFM under DORA |
| ICT third-party register | Not required by NIS2 | DORA Register of Information (ROI); AFM required submission by 22 March 2026 |

Banks, investment firms, payment institutions, insurers, pension funds, electronic money institutions, and crypto-asset service providers should treat DORA as their primary cybersecurity regulation and CBW as secondary. Where DORA covers a requirement with at least equivalent specificity, DORA governs. Where DORA is silent — scope determination, NCSC-NL registration, CSIRT notification channels, cooperation group participation — the CBW still applies.

This creates a dual-framework reality. A Dutch bank satisfies its Article 21 ICT risk management obligations through DORA’s ICT risk framework (DORA Articles 5–15) rather than the CBW’s Zorgplicht. But that same bank must still register with NCSC-NL, route significant incidents through the NCSC reporting portal, and comply with the Dutch incident reporting gateway even though DORA’s more stringent 4-hour notification window applies once the incident qualifies as major. For supply chain security documentation, financial entities should build their supplier risk register to DORA Articles 28–30 specifications, which are stricter than NIS2 Article 21(2)(d) — satisfying DORA automatically satisfies the NIS2 equivalent.

Enforcement Powers and Penalties Under the CBW

All six sector supervisors operate under the same CBW penalty regime, calibrated by entity classification:

| Entity type | Maximum fine | Alternative basis |
|---|---|---|
| Essential entity | €10,000,000 | 2% of global annual turnover (whichever is higher) |
| Important entity | €7,000,000 | 1.4% of global annual turnover (whichever is higher) |
| Public sector bodies | No financial penalty | Corrective orders and parliamentary accountability |

Beyond financial sanctions, supervisors can require mandatory audits, issue binding corrective instructions, and — in serious cases — temporarily prohibit individual managers from exercising their functions. This personal accountability provision applies to board members who fail to meet the training and oversight obligations the CBW imposes on management. The training requirement is not symbolic: certificates must cover risk types, consequence assessment, and risk management methodology, and must be in Dutch or English.

The supervision intensity differs by entity class in a way that directly affects when enforcement action is likely. Essential entities face ex ante oversight from their sector supervisor — meaning proactive compliance checks can occur at any time, triggered by the supervisor’s own risk-based scheduling. Important entities face ex post oversight — supervisors intervene primarily after an incident or non-compliance signal. For entities near the essential/important threshold, the classification decision therefore affects not just the penalty ceiling but the probability of encountering a supervisor before an incident occurs.

What’s Distinctly Dutch Under the Cyberbeveiligingswet

The CBW goes beyond the EU minimum in several ways that organisations with Dutch operations need to account for specifically:

Government entities fully in scope. The Netherlands includes all municipalities, provinces, and water boards within CBW scope — approximately 375 local authorities that the EU NIS2 Directive did not mandate to include. No other major EU economy has taken this step at national level. This means around 342 municipalities and 21 water boards must register, appoint a contact person, implement Zorgplicht measures, and report incidents through NCSC-NL, regardless of their IT budget or staff size.

Positive cybersecurity culture obligation. The CBW contains an explicit obligation to foster a positive cybersecurity culture within the organisation. This is not a standard EU NIS2 requirement. In practice, it reinforces the board training obligation and connects Zorgplicht to HR and change management — supervisors can ask for evidence of awareness training and cultural initiatives, not just technical controls.

Product and service exclusion authority. Under Article 18 of the Cyberbeveiligingsbesluit (the implementing decree), sector ministers can mandate the exclusion of specific vendors or products from critical network segments on national security grounds. This gives the Netherlands a legal basis for supply chain restrictions that goes beyond what the NIS2 Directive itself provides, and aligns with the broader Dutch approach to digital sovereignty.

Parallel CER transposition. The Wet weerbaarheid kritieke entiteiten (Wwke) — the Dutch transposition of the Critical Entities Resilience (CER) Directive — was passed by the Tweede Kamer simultaneously with the CBW on 15 April 2026. Entities designated as critical under the CER framework face dual obligations: physical resilience measures under Wwke and cybersecurity measures under CBW. Organisations in energy, transport, banking, healthcare, water, digital infrastructure, and food distribution should assess whether they are also critical entities under Wwke.

CBW Timeline: Where the Law Stands in May 2026

The Cyberbeveiligingswet has been navigating through the Dutch parliamentary process since June 2025. For compliance planning purposes, the current position is:

  • 17 October 2024: EU NIS2 transposition deadline (Netherlands missed)
  • October 2024 onwards: Voluntary registration open at mijn.ncsc.nl
  • 7 May 2025: European Commission issued a reasoned opinion for non-compliance
  • 2 June 2025: CBW bill submitted to Tweede Kamer
  • 15 April 2026: Tweede Kamer approved CBW (alongside Wwke)
  • 2 June 2026: Eerste Kamer committees (Digitalisation + Justice & Security) input deadline
  • 1 July 2026 (expected): Entry into force via royal decree (koninklijk besluit)

Entry into force is by royal decree — different provisions may activate on different dates. Until the CBW is formally in force, the existing Wbni remains applicable to organisations currently within its scope. For those outside the current Wbni scope who will fall under CBW, the six-month grace period following entry into force is the practical compliance window before enforcement begins.

Organisations that register voluntarily now at mijn.ncsc.nl gain two advantages: they establish their sector-supervisor relationship before the deadline pressure, and they receive NCSC notifications about draft ministerial regulations that will define sector-specific requirements. Given that the Eerste Kamer committees submitted their questions on 19 May 2026, a Senate vote in late June and royal decree publication in early July 2026 is plausible but not certain.

Frequently Asked Questions

Do I register with NCSC-NL or directly with my sector supervisor?
Registration is always with NCSC-NL via mijn.ncsc.nl — not directly with RDI, IGJ, or ILT. NCSC-NL forwards your registration data to the relevant sector supervisor automatically. You do not need to contact your sector supervisor separately for registration purposes.

My organisation operates in multiple EU countries. Do I register in the Netherlands?
Usually yes. An organisation falls under the jurisdiction of each member state in which it is established, and there is no single EU-wide registration, so a Dutch establishment in a covered sector registers with NCSC-NL regardless of registrations elsewhere. The exception is the digital categories in Article 26(1)(b) of the Directive (DNS service providers, TLD registries, domain name registration services, cloud, data centre and CDN providers, managed service providers, online marketplaces, search engines and social networks), which are supervised by the member state of their main establishment only. Multi-country operators should check each national framework for jurisdiction-specific requirements.

Our company has fewer than 50 employees. Are we exempt?
Generally yes, with important exceptions. If you provide public electronic communications, trust services, DNS resolution, or domain name registration, size does not exempt you. If you are a government entity, you are in scope regardless of size. If you are specifically designated by your sector minister as a critical provider, you may also be included despite the size threshold.

When does the Wbni stop applying?
The Wbni remains in force until the CBW’s entry into force date. On the date the CBW enters into force (expected 1 July 2026), the Wbni is repealed and replaced. Organisations currently supervised under the Wbni continue under their existing sector supervisor — RDI, DNB, ILT, or IGJ — without interruption.

How does the CBW relate to GDPR?
The CBW and GDPR are separate legal frameworks with different scopes. GDPR governs personal data processing; the CBW governs network and information system security. The reporting obligations overlap where a cybersecurity incident is also a personal data breach: the CBW early warning goes to NCSC-NL within 24 hours of becoming aware, and the GDPR Article 33 notification goes to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware. A single incident therefore triggers two notification tracks with different clocks, recipients and content.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
