
NIS2 Netherlands: The CBW’s 3 Compliance Pillars, mijn.ncsc.nl Registration Steps, and Which Regulator Oversees Your Sector

The Netherlands was among the last EU member states to formally approve NIS2 legislation. After missing the October 2024 transposition deadline by 18 months — drawing a European Commission reasoned opinion in May 2025 — the Dutch parliament passed the Cyberbeveiligingswet (CBW) on 15 April 2026. Entry into force is expected in Q2 2026, bringing approximately 8,000 Dutch organisations under new cybersecurity obligations for the first time.

The expansion from the predecessor framework is substantial. The Wbni covered roughly 1,000 entities. The CBW captures 18 sectors and eight times as many organisations — including cloud providers, managed service providers, and large food manufacturers who had no prior NIS2 exposure.

What distinguishes the Dutch implementation from most other member states is its distributed enforcement model: five sector-specific regulators share supervisory responsibility, and your obligations, incident reports, and audit exposure depend on which industry your organisation operates in. Getting the right regulator and the right registration portal identified from day one avoids the most common compliance misstep.

This guide covers four things: whether your organisation falls under the CBW and as which entity type; what the three legal obligations (Registratieplicht, Meldplicht, and Zorgplicht) actually require; how to register step by step on mijn.ncsc.nl including the specific authentication level you need; and which of five regulators oversees your sector and what that means for your audit exposure.

Is Your Organisation Covered by the Cyberbeveiligingswet?

The CBW applies to entities meeting two conditions simultaneously: they operate in one of 18 designated sectors, and they exceed specified size thresholds. An organisation that qualifies on size but operates outside a covered sector is not in scope — and vice versa.

Two tiers, two threshold sets

| Category | Dutch term | Size threshold |
|---|---|---|
| Important entity | Belangrijke entiteit (BE) | ≥ 50 employees, OR annual turnover > €10M, OR balance sheet total > €10M |
| Essential entity | Essentiële entiteit (EE) | > 250 employees, AND net turnover > €50M, AND balance sheet total > €43M |

Important entities face proportionate obligations with reactive supervision — audits triggered by incidents or complaints. Essential entities face stricter proactive conformity assessments and the higher penalty ceiling. The thresholds use AND logic for essential entities: all three conditions must apply simultaneously.

The 18 sectors

Annex I (11 sectors of high criticality): energy, transport, banking, financial markets infrastructure, healthcare, drinking water, digital infrastructure, ICT services management (B2B), wastewater, public administration, and space.

Annex II (7 other critical sectors): digital providers, postal and courier services, waste management, chemicals, food production and distribution, research, and manufacturing.

In the Dutch context, this captures organisations ranging from energy network operators and transport hubs to academic hospitals, cloud service providers, and large food manufacturers. Organisations that previously had no cybersecurity regulation exposure should check sector coverage carefully — the CBW’s sector definitions are broader than common perception of “critical infrastructure.”

Automatic essential entity status (size-independent)

Certain categories are classified as essential entities regardless of headcount or revenue: trust service providers, top-level domain (TLD) registries, DNS service providers, public electronic communications network providers, and government entities operating in listed sectors. If your organisation falls into one of these categories, the size thresholds in the table above do not apply.

What is new versus the Wbni

The CBW captures several categories not previously regulated: cloud computing providers, managed service providers (MSPs), managed security service providers (MSSPs), and online marketplace platforms. If your organisation provides IT services to other businesses, the CBW’s reach is likely broader than a first reading suggests.

Use the NIS2 Zelfevaluatie self-assessment tool available at ncsc.nl to confirm your entity classification. Your category — essential or important — determines which regulator oversees you, how intensively they will supervise, and what documentation you must hold ready.

For a deeper look at scope rules across EU member states, see our guide to NIS2 scope and entity classification.

The CBW’s Three Compliance Pillars

The Cyberbeveiligingswet structures compliance around three enforceable duties. Both essential and important entities must meet all three from the date the CBW enters into force.

| Pillar | Dutch term | Core obligation | Enforcement start |
|---|---|---|---|
| Registration | Registratieplicht | Register in the national entity register at mijn.ncsc.nl | Q2 2026 (CBW entry into force) |
| Incident reporting | Meldplicht | Notify CSIRT and supervisory authority within defined timeframes when significant incidents occur | Q2 2026 |
| Duty of care | Zorgplicht | Implement ten Article 21 security measures; board must approve and oversee | Q2 2026 |

These are not guidelines — they carry direct enforcement authority. Essential entities face proactive audits; important entities face reactive supervision. Penalties run up to €10M or 2% of global annual turnover for essential entities, and up to €7M or 1.4% for important entities. Beyond fines, supervisors hold powers of public naming and director disqualification.

The sections below treat each pillar as a compliance action list — what you need to have done, by when, and in what sequence.

Pillar 1 — Registratieplicht: How to Register on mijn.ncsc.nl

Registration creates the national entity register that supervisory authorities use to track compliance. The mechanics are simpler than most organisations expect — the preparation is where most of the time goes.

When the obligation begins

Voluntary registration at mijn.ncsc.nl has been available since 17 October 2024. The legal obligation takes effect when the CBW enters into force — expected Q2 2026 following parliamentary approval on 15 April 2026. Registering before the obligation begins creates no binding liability and positions your organisation ahead of the enforcement timeline. If the CBW enters into force before your registration is complete, you are non-compliant from that date.

What you need before you log in

The registration form requests both network data and organisational data, which typically requires input from multiple departments. Prepare the following before opening the portal:

  • Your sector classification under the CBW (essential or important; Annex I or II)
  • IP address ranges and autonomous system numbers (from your network administrator)
  • Contact details for your cybersecurity point of contact
  • EU member states where your in-scope services are provided
  • Management-level authentication credentials (see eHerkenning section below)

NCSC-NL provides a Checklist Cbw-registratie to help gather all data fields in advance. With data prepared, the registration form itself takes approximately 10 minutes to complete.

Step-by-step: registering on mijn.ncsc.nl

Step 1 — Confirm eligibility. Run the NIS2 Zelfevaluatie self-assessment tool at ncsc.nl before starting. Your entity type (essential or important) and primary sector determine which fields are mandatory and which regulator receives your submission.

Step 2 — Obtain eHerkenning EH2+. Logging into mijn.ncsc.nl requires eHerkenning at assurance level EH2+ — the business authentication system equivalent to DigiD for private individuals. Apply through any authorised provider listed at eherkenning.nl. Dutch government organisations may use Single Sign On Rijk instead. Allow time for the eHerkenning application process before the CBW takes effect.

Step 3 — Set up portal authorisation. The person within your organisation responsible for managing eHerkenning — or any signatory per your Chamber of Commerce registration — must grant mijn.ncsc.nl portal access. They can delegate this to a machtigingenbeheerder (permissions administrator), who then issues individual authorisations to specific staff members. Each set of credentials is individual and non-transferable.

Step 4 — Create your MijnNCSC account. Visit mijn.ncsc.nl, click the eHerkenning login option, and complete the authentication steps. A MijnNCSC administrator must add your user account before you can submit a registration — coordinate this with your IT or compliance lead in advance.

Step 5 — Complete and submit the registration form. Enter your network and organisational data using the fields in the form. Multi-site organisations submit once per legal entity. If your organisation provides in-scope services across multiple EU member states, each national registration is separate — Dutch registration covers Dutch operations only; a separate submission is required in each additional member state where you provide services. This multi-country rule has limited exceptions for government entities, public communications providers, and internet exchange point operators.

Pillar 2 — Meldplicht: The Three-Tier Reporting Clock

The reporting obligation runs on a tiered timeline that starts the moment your organisation detects a significant incident. There is no “gather your facts first” grace period — the 24-hour clock begins at detection, not at determination.

The three reporting stages

| Stage | Deadline (from detection) | What to submit |
|---|---|---|
| Early warning | 24 hours | Notification that a significant incident has occurred; initial categorisation and known impact |
| Incident notification | 72 hours | Impact assessment, severity classification, response actions taken to date |
| Final report | 1 month | Full incident description, root cause analysis, remediation steps, lessons learned |

The 4-hour exception

Two categories face a tighter early-warning deadline: entities regulated under DORA (Digital Operational Resilience Act) — primarily financial sector entities — and operators of cross-border electricity networks. For these organisations, the early warning must reach the competent authority within 4 hours of detection. If your organisation is subject to DORA, treat DORA notification timelines as primary; both obligations apply simultaneously and the stricter requirement governs.
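Because the clock starts at detection rather than at confirmation, incident response runbooks benefit from computing the three deadlines mechanically the moment a ticket is opened. The helper below is an added example, not code from NCSC-NL or from this guide: it takes a timezone-aware detection timestamp, applies the 24h/72h/1-month schedule from the table above, swaps in the 4-hour early warning for DORA-regulated entities and cross-border electricity operators, and reports which stages are already overdue. The `ReportingProfile` flags and the decision to model "1 month" as the same calendar day of the following month (clamped to month end) are assumptions of this example, not definitions taken from the CBW.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ReportingProfile:
    """Flags that tighten the early-warning deadline (assumed names, not CBW terms)."""
    dora_entity: bool = False              # regulated under DORA (financial sector)
    cross_border_electricity: bool = False  # operator of a cross-border electricity network


def add_calendar_month(ts: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (assumption for '1 month')."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(detected_at: datetime, profile: ReportingProfile) -> dict:
    """Absolute deadlines for the three Meldplicht stages, all measured from detection."""
    if detected_at.tzinfo is None:
        # A naive timestamp invites off-by-hours errors across DST; refuse it outright.
        raise ValueError("detected_at must be timezone-aware")
    early_hours = 4 if (profile.dora_entity or profile.cross_border_electricity) else 24
    return {
        "early_warning": detected_at + timedelta(hours=early_hours),
        "incident_notification": detected_at + timedelta(hours=72),
        "final_report": add_calendar_month(detected_at),
    }


def overdue_stages(detected_at: datetime, profile: ReportingProfile,
                   now: datetime, submitted: frozenset = frozenset()) -> list:
    """Stages whose deadline has passed and which have not been submitted yet."""
    deadlines = reporting_deadlines(detected_at, profile)
    return [stage for stage, due in deadlines.items()
            if stage not in submitted and now > due]


def next_due(detected_at: datetime, profile: ReportingProfile,
             now: datetime, submitted: frozenset = frozenset()):
    """(stage, time remaining) for the earliest unsubmitted stage, or None when all are filed."""
    pending = [(stage, due) for stage, due in reporting_deadlines(detected_at, profile).items()
               if stage not in submitted]
    if not pending:
        return None
    stage, due = min(pending, key=lambda item: item[1])
    return stage, due - now


if __name__ == "__main__":
    # Constructed sample: detection at 09:00 UTC on 1 July 2026 (not a real incident).
    detected = datetime(2026, 7, 1, 9, 0, tzinfo=timezone.utc)
    for label, profile in (("standard entity", ReportingProfile()),
                           ("DORA entity", ReportingProfile(dora_entity=True))):
        print(label)
        for stage, due in reporting_deadlines(detected, profile).items():
            print(f"  {stage:22s} due {due.isoformat()}")
    later = datetime(2026, 7, 2, 10, 0, tzinfo=timezone.utc)
    print("overdue at", later.isoformat(), "->", overdue_stages(detected, ReportingProfile(), later))
```

Feeding `overdue_stages` into a ticketing system's SLA check turns the reporting obligation into an alert instead of a memory exercise; the same function, called with the set of stages already filed, shows which submissions remain outstanding.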

How reporting works in practice

The CBW uses a single submission portal. Filing via the NCSC’s incident reporting portal simultaneously notifies your sector CSIRT and the competent supervisory authority — one submission covers both recipients. This is a practical advantage over member states that require parallel filings to separate systems.

What triggers the obligation

Significant incidents are broadly those causing serious operational disruption to your services, substantial financial losses, or material damage to other organisations. Specific numerical thresholds are being finalised in sector-specific ministerial regulations. Practical indicators discussed in legal guidance include financial losses exceeding €500,000 or 5% of annual turnover, or incidents involving trade secret exposure. Until sector-specific thresholds are formally adopted, apply a conservative interpretation: when the severity is unclear, report early and provide additional detail in the 72-hour follow-up.

Voluntary reporting of non-significant incidents and near-misses is explicitly encouraged. NCSC-NL treats near-miss intelligence as valuable for national threat situational awareness.

For a detailed breakdown of Article 23 notification mechanics including what constitutes a reportable incident across different sectors, see our guide to NIS2 incident notification requirements.

Pillar 3 — Zorgplicht: The 10 Article 21 Security Measures

The duty of care requires your organisation to implement appropriate and proportionate technical, operational, and organisational measures across ten domains defined in Article 21(2) of the NIS2 Directive (EU) 2022/2555.

| Article 21(2) | Measure category | What it covers |
|---|---|---|
| (a) | Risk analysis and information security policy | Documented risk assessment methodology; organisational security policy |
| (b) | Incident handling | Detection procedures, escalation paths, incident response plan |
| (c) | Business continuity | BCP, disaster recovery plan, crisis management procedures |
| (d) | Supply chain security | Supplier risk classification; contractual security obligations for direct suppliers |
| (e) | Security in network/system acquisition and maintenance | Patch management, change control, secure development practices |
| (f) | Effectiveness assessment | Policies and procedures to assess cybersecurity measure effectiveness |
| (g) | Cyber hygiene and training | Staff cybersecurity training programme; awareness policies |
| (h) | Cryptography and encryption | Cryptographic controls policy; encryption standards |
| (i) | HR security, access control, and asset management | Joiners/movers/leavers process; least-privilege access; asset inventory |
| (j) | Multi-factor authentication and secure communications | MFA policy; secure communications channels |

The board’s role is not optional

Board members cannot delegate Zorgplicht to IT. The CBW requires management bodies to formally approve the organisation’s cybersecurity risk management measures and to oversee their implementation. This is a governance-level obligation — the board signs off on the security programme, not just the CISO.

There is also a training obligation: management bodies must complete cybersecurity training within two years of the CBW entering into force. This provision makes board-level cyber literacy a legal requirement in the Netherlands, not a governance best practice.

Proportionality in practice

“Appropriate and proportionate” means controls must match your actual risk profile. A small software company and a critical infrastructure operator both implement all ten measures — but the depth, sophistication, and documentation burden differs materially. Supervisory authorities assess proportionality against sector risk, entity size, and the likelihood and severity of plausible incidents.

Recognised compliance frameworks

Two pathways are used to demonstrate Zorgplicht compliance in the Netherlands. ISO/IEC 27001:2022 certification is broadly accepted as evidence of systematic security management — a certificate does not replace CBW compliance, but significantly reduces the documentation gap. The CBW Control Framework from the Dutch Audit Service (Auditdienst Rijk) is purpose-built for CBW audits and maps directly to the CBW article structure. Essential entities facing proactive conformity assessments should expect examiners to use this framework.

The Cyberbeveiligingsbesluit (Cbb) — a general administrative order issued under the CBW — further elaborates the Zorgplicht requirements, particularly risk management specifics and documentation standards.

For a practical starting point on Article 21 risk assessment documentation, see our guide to NIS2 risk assessment requirements.

Which Regulator Supervises Your Sector

Rather than establishing a single national cyber authority, the Netherlands distributes CBW supervision across five existing sector regulators. Your supervisory authority depends on which sector your organisation primarily operates in — and it also determines to whom your 24-hour incident early warning is routed.

| Regulator | Full name | Sectors supervised under CBW |
|---|---|---|
| NCSC-NL | Nationaal Cyber Security Centrum | National CSIRT and entity register for all sectors; direct supervisory authority for certain public administration entities; coordinates cross-sector threat intelligence |
| RDI | Rijksinspectie Digitale Infrastructuur | Digital infrastructure (DNS providers, TLD registries, internet exchange points); managed services (MSPs, MSSPs); cloud computing; domain name registration services |
| ILT | Inspectie Leefomgeving en Transport | Transport sector (aviation, maritime, rail, road freight); water sector (drinking water, wastewater) |
| DNB | De Nederlandsche Bank | Banking; financial market infrastructure; credit institutions; payment system operators |
| AFM | Autoriteit Financiële Markten | Financial markets; investment platforms; trading venues; payment institutions not falling under DNB |
| IGJ | Inspectie Gezondheidszorg en Jeugd | Healthcare providers (hospitals, clinics, specialist care); pharmaceutical manufacturers; healthcare IT system providers |

How supervision works in practice

Your sector regulator receives your incident reports (routed automatically via mijn.ncsc.nl), conducts compliance assessments, and holds enforcement authority over your organisation. NCSC-NL operates in parallel as the national CSIRT, receiving copies of all incident reports and providing threat intelligence regardless of which sector regulator is your primary authority.

Proactive versus reactive supervision

Essential entities are subject to proactive conformity assessments — regulators audit your security measures without waiting for an incident to occur. This means essential entities should have documentation ready from the CBW’s entry into force date, not assembled reactively once a regulator makes contact.

Important entities face reactive supervision: audits are triggered by incidents, complaints, or specific indicators of non-compliance identified by the regulator. This does not mean important entities face lower compliance obligations — the Zorgplicht measures apply equally. It means the audit trigger is different.

Enforcement tools available to sector regulators

Supervisory authorities hold three categories of enforcement action:

  • Financial penalties: essential entities face fines up to €10,000,000 or 2% of total worldwide annual turnover (whichever is higher); important entities up to €7,000,000 or 1.4% of global turnover
  • Public disclosure: a regulator may publish the name of a non-compliant organisation — a reputational sanction that carries significant weight in business-to-business sectors
  • Director disqualification: personal liability provisions allow management board members to be barred from holding management roles, making cybersecurity governance a personal legal exposure for directors

Your 90-Day CBW Readiness Action Plan

The table below organises readiness actions by role and timeframe. Use it as a starting framework — sequence may vary depending on your entity type and sector.

| Timeframe | Action | Owner |
|---|---|---|
| Now | Run the NIS2 Zelfevaluatie at ncsc.nl to confirm entity type and sector classification | Compliance Officer |
| Now | Download the Checklist Cbw-registratie from ncsc.nl; collect all network and organisational data fields | CISO + IT |
| Now | Confirm eHerkenning EH2+ access is available or initiate application at eherkenning.nl | IT / Procurement |
| 30 days | Complete gap analysis against all 10 Article 21(2) measures using the CBW Control Framework | CISO |
| 30 days | Identify the sector regulator with authority over your organisation (use table above) | Compliance Officer |
| 60 days | Register at mijn.ncsc.nl (voluntary registration open now; mandatory from CBW entry into force) | Compliance Officer + IT |
| 60 days | Document incident detection and 24-hour notification procedure; test dual-reporting path via mijn.ncsc.nl | CISO + Legal |
| 90 days | Board briefing: present Article 21 programme for formal approval; schedule management training (2-year legal deadline) | Board + CISO |
| 90 days | Launch internal audit against CBW Control Framework; address highest-priority gaps | Compliance Officer |

For a full article-by-article checklist aligned to the CBW’s obligations, see our NIS2 compliance checklist.

Key Takeaways

  • The CBW was approved by the Dutch parliament on 15 April 2026 and enters into force in Q2 2026 — approximately 8,000 organisations across 18 sectors are newly in scope.
  • Three enforceable duties apply to both essential and important entities: Registratieplicht (register on mijn.ncsc.nl), Meldplicht (report incidents within 24h/72h/1 month), and Zorgplicht (implement 10 Article 21 security measures with board oversight).
  • Registration at mijn.ncsc.nl requires eHerkenning at assurance level EH2+ — obtain this before the CBW takes effect.
  • Incident reports flow to both your sector CSIRT and supervisory authority via a single mijn.ncsc.nl submission; DORA-regulated entities and cross-border electricity operators face a 4-hour early warning rather than 24 hours.
  • Five sector regulators share CBW supervisory authority: RDI (digital infrastructure/managed services), ILT (transport/water), DNB (banking), AFM (financial markets), IGJ (healthcare).
  • Essential entities face proactive conformity assessments from day one; important entities face reactive supervision triggered by incidents or complaints.

Frequently Asked Questions

Does the CBW apply to small businesses?

Generally no. The size thresholds (minimum 50 employees or €10M turnover for important entities) exclude most micro and small enterprises. Exceptions exist for trust service providers, DNS providers, TLD registries, and public electronic communications providers, which fall under the CBW regardless of size.

Can I register on mijn.ncsc.nl before the CBW enters into force?

Yes. Voluntary registration has been available since 17 October 2024. Early registration creates no binding obligation but reduces the compliance gap when the CBW takes effect, and gives your IT team time to work through any eHerkenning authorisation issues without time pressure.

My organisation operates across multiple EU countries. Do I need to register in each?

Yes, for each member state where you provide in-scope services. Dutch registration covers Dutch operations only. Multi-national organisations providing managed services or digital infrastructure in other EU member states need separate registrations in those states. Limited exceptions apply to government entities, public communications providers, and internet exchange points.

What is eHerkenning EH2+ and how do I obtain it?

eHerkenning is the business authentication system used for Dutch government digital services — broadly equivalent to DigiD but for organisations rather than individuals. Assurance level EH2+ is the minimum for mijn.ncsc.nl access. Apply through an authorised provider listed at eherkenning.nl. The applicant must be your organisation’s authorised signatory per Chamber of Commerce records, or someone that signatory designates.

Does ISO 27001 certification satisfy Zorgplicht?

ISO 27001 certification significantly reduces the documentation gap, and CBW regulators regard it positively during conformity assessments. It does not constitute full CBW compliance on its own — the CBW adds specific obligations (such as the board training requirement and Article 23 reporting formats) that ISO 27001 does not cover. Use ISO 27001 as a foundation; layer CBW-specific requirements on top using the CBW Control Framework.

My organisation falls under both DNB supervision and DORA. Which takes priority?

Both apply simultaneously. DORA is lex specialis for financial entities and takes precedence where its requirements are stricter than NIS2. The 4-hour incident notification under DORA supersedes the NIS2 24-hour early warning for the same incident. In practice, comply with the stricter requirement of each regime and document the cross-reference in your incident response procedure.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. NCSC Netherlands — Registratieplicht: https://www.ncsc.nl/cyberbeveiligingswet-nis2/registratieplicht (used inline)
  2. NCSC Netherlands — Toegang en inloggen MijnNCSC (eHerkenning EH2+ requirements)
  3. NCSC Netherlands — Over de Cyberbeveiligingswet
  4. NCSC Netherlands — Meldplicht: https://www.ncsc.nl/cyberbeveiligingswet-nis2/meldplicht (used inline)
  5. NIS2 Certification EU — Netherlands Compliance Framework
  6. Dutch Government (Business.gov.nl) — Cybersecurity obligations for more companies in critical sectors (NIS2)
  7. Taylor Wessing — NIS2 Implementation in the Netherlands
  8. NIS2 Directive (EU) 2022/2555, EUR-Lex: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555 (used inline)
  9. Kennedy Van der Laan — The Implementation of the NIS2 Directive: an Update
  10. Ploum — NIS2 cybersecurity directive: European and Dutch national developments
