Dutch NIS2 Fines Exist on Paper — CBW Still Pending: €10M Penalty Caps, 6 Sector Supervisors, and the Enforcement Gap to Navigate Now
The €10 million penalty ceiling that appears in nearly every NIS2 briefing is real — but for organisations operating in the Netherlands, it is not yet enforceable. The national law that activates those fines, the Cyberbeveiligingswet (CBW), was approved by the Dutch House of Representatives on 15 April 2026. It is now before the Eerste Kamer (Senate) for review, with a joint committee report expected on 2 June 2026 and entry into force dependent on a subsequent royal decree.
That timing matters because the NIS2 Directive, which required all member states to transpose it by 17 October 2024, binds the Dutch state rather than Dutch companies directly: an untransposed directive cannot be enforced against a private party. The substance of the obligations is fixed at EU level and will not change with the CBW; what Dutch entities do not yet face is a national law that makes those obligations enforceable against them, with fines attached.
This article maps three things: the fine structure the CBW will implement once it enters into force, the six sector supervisors responsible for enforcement, and the practical implications of the gap between EU obligation and Dutch enforcement reality — including a separate regime for financial entities under DORA.
Who Falls Under the CBW?
The CBW applies a two-gate test: sector membership and organisational size. Both gates must be cleared to determine which fine ceiling applies to your organisation. A useful starting point is the essential vs important entity classification, which determines not only your fine exposure but also which supervisor has jurisdiction.
| Entity type | Sectors | Size threshold |
|---|---|---|
| Essential entity (EE) | Annex I: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space | Large enterprise: ≥250 employees, OR annual turnover >€50M AND balance sheet total >€43M |
| Important entity (IE) | Annex I sectors below the EE threshold, plus Annex II: postal and courier services, waste management, chemicals, food production, manufacturing, digital providers, research | Medium enterprise: ≥50 employees, OR annual turnover >€10M AND balance sheet total >€10M |
| Automatic essential entity | Qualified trust service providers, top-level domain name registries and DNS service providers (any size); providers of public electronic communications networks or services (telecom, ISPs) from medium size upwards | No size threshold for the first group; electronic communications providers below medium size are in scope as important entities |
| Dutch public sector | All municipalities, provinces, and water boards | No size threshold; Dutch-specific expansion beyond NIS2 minimum |
The scope expansion from the outgoing Wbni framework is significant: approximately 8,000 organisations are expected to fall under the CBW, compared with roughly 1,000 covered by the predecessor law. Micro and small businesses are generally exempt unless they fall into the automatic essential category or are specifically designated by a competent authority.
Not sure whether you qualify? The NIS2 scope guide maps the sector and size criteria in detail. RDI also published a self-assessment tool at rdi.nl that allows organisations to determine their obligations independently. Voluntary registration with NCSC-NL has been open since 17 October 2024 — ahead of the mandatory registration obligation that activates with the CBW.
The Three-Tier Fine Structure Under the CBW
The CBW implements a fine hierarchy that most compliance briefings reduce to two headline numbers. There are three operative tiers, each with different triggers and maximum amounts, and the lower tiers are the ones most likely to be reached first in practice.
Tier 1 — Duty-of-care and incident notification violations
| Entity type | Maximum fine | NIS2 Directive basis |
|---|---|---|
| Essential entity | €10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher | Article 34(4) |
| Important entity | €7,000,000 or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher | Article 34(5) |
These maxima apply specifically to violations of Article 21 (cybersecurity risk-management measures) and Article 23 (incident reporting obligations). They are minimum floors set by Article 34 of the NIS2 Directive — member states may legislate higher caps. The Netherlands has not indicated plans to exceed the directive minimum, unlike Germany which set its ceiling at €20 million for essential entities.
Worldwide turnover calculation: the percentage base is the total worldwide annual turnover of the undertaking to which the entity belongs. For a Dutch subsidiary of an international group that is the group's consolidated global revenue, not the Dutch entity's standalone figures. A Dutch subsidiary with €30M local turnover whose parent group reports €3B in global revenue faces a potential ceiling of €60M under the 2% rule, six times the €10M fixed amount. This mirrors how the "undertaking" concept has been applied to GDPR Article 83 fines on group structures across the EU.
Tier 2 — Other CBW obligation violations
Maximum €1,000,000 per violation. This tier covers obligations outside the core Tier 1 triggers: failure to register with NCSC-NL once mandatory registration applies, failure to maintain required documentation, failure to inform affected parties of a significant threat, and other procedural compliance failures. Importantly, each distinct violation is a separate maximum — an entity with three unresolved documentation failures faces up to €3M in combined Tier 2 exposure, not a single €1M cap.
Tier 3 — Failure to cooperate with supervisory authority
Maximum €5,150 per instance. This applies when an entity fails to provide documentation, system access, or information that a supervisor has formally required within a stated reasonable period. The figure reflects the Dutch administrative sanction scale at the time of CBW drafting and is unlikely to function as a meaningful deterrent for large organisations. In practice, supervisors escalate through binding instructions and formal compliance orders before reaching financial sanctions — but each refusal to cooperate is a separate triggerable instance.
Periodic penalty payments
Article 34(6) of the NIS2 Directive, implemented in the CBW, allows supervisors to impose periodic penalty payments: additional daily or weekly amounts that accumulate until a specific remediation order is fulfilled. An entity that receives a binding instruction to implement a named technical control by a given deadline and misses it faces growing payments until it acts. The mechanism is designed precisely for entities that acknowledge non-compliance but delay remediation.
Public bodies
Dutch municipalities, provinces, and water boards are within CBW scope but exempt from financial administrative fines under the CBW design. Enforcement for public bodies operates through binding instructions, publication of non-compliance findings, and escalation to the responsible sector minister. The reputational and political consequences of a public enforcement notice are treated as the operative deterrent.
Six Supervisory Authorities and Their Sectors
The CBW follows a distributed supervision model. No single authority oversees all NIS2 entities in the Netherlands. Six sector regulators hold enforcement jurisdiction, while NCSC-NL acts as national coordinator and CSIRT but does not impose fines. Understanding which supervisor has jurisdiction over your activities determines both the enforcement posture you will face and where incident notifications must go.
| Supervisor | Full Dutch name | Sectors covered |
|---|---|---|
| RDI | Rijksinspectie Digitale Infrastructuur | Digital infrastructure (IXPs, DNS resolvers, TLD registries, cloud services, datacentres), ICT managed services, energy grid digital systems, government ICT, aerospace digital systems, manufacturing digital systems |
| DNB | De Nederlandsche Bank | Banking (essential entities) |
| AFM | Autoriteit Financiële Markten | Financial markets (important entities) |
| IGJ | Inspectie Gezondheidszorg en Jeugd | Healthcare providers, medical device manufacturers |
| ILT | Inspectie Leefomgeving en Transport | Road, rail, aviation, maritime transport; drinking water; wastewater treatment; water boards |
| NVWA | Nederlandse Voedsel- en Warenautoriteit | Food production and processing |
NCSC-NL’s role (not a fine-imposing supervisor): NCSC-NL operates the central registration portal, receives incident notifications as the national CSIRT, and coordinates with its EU counterparts through the CSIRTs network and EU-CyCLONe. Incident notifications go to NCSC-NL; enforcement actions and fines come from the sector supervisors.
Sector boundary ambiguity: the precise supervisory scope of each authority is being settled in secondary legislation, the Cybersecurity Besluit (an algemene maatregel van bestuur) and sector-specific ministerial regulations, which are pending Council of State advice while the CBW completes its Senate passage. Organisations with activities spanning multiple sectors should map each operational function to the relevant supervisor rather than assuming a single regulator applies. A cloud provider that also processes healthcare data under a managed service agreement may find that both RDI (for the cloud infrastructure) and IGJ (for the healthcare service context) have a legitimate interest in its compliance posture.
Pre-CBW supervisory activity: Before the CBW’s full entry into force, RDI had already assessed essential entities in the digital infrastructure sector. Reported supervisory findings indicated that substantial proportions of assessed entities had not implemented adequate incident reporting procedures or management-approved cybersecurity policies — precisely the two conditions that trigger Tier 1 fines once the CBW activates. That assessment record does not reset when the law enters into force.
What Dutch Supervisors Can Do: Article 32 Powers Beyond Fines
Financial penalties are the last tool in the enforcement sequence, not the first. The NIS2 supervisory measures framework established by Articles 32 and 33 of the Directive, implemented in the CBW, gives Dutch supervisors a graduated escalation ladder that operates well before a fine is considered.
Stage 1 — Information gathering
- On-site inspections and off-site monitoring, including unannounced spot checks by qualified personnel
- Regular and targeted security audits conducted by independent bodies
- Ad hoc audits triggered by a significant incident or credible threat indication
- Security scans using objective, non-discriminatory criteria
- Document requests: cybersecurity policies, risk registers, access control logs, incident reports
Stage 2 — Remediation instructions
- Written warnings for lower-severity non-compliance
- Binding instructions specifying required actions by a fixed deadline
- Orders to cease a specific practice or implement a named technical control
- Requirements to notify customers or third parties of a significant threat
Stage 3 — Escalated sanctions (Article 32(5))
When the Stage 2 measures fail to produce compliance within the set deadline, Dutch supervisors may, for essential entities (the parallel Article 33 regime for important entities does not include these two measures):
- Temporarily suspend a certification or authorisation that the entity relies on for operating
- Request courts or relevant authorities to prohibit a responsible executive from exercising management functions until the deficiency is remedied
The management function prohibition is a direct personal sanction against the named individual — not the organisation. It is separate from any financial fine against the entity and is available regardless of whether a fine is also imposed.
Personal liability under Article 32(6)
Natural persons holding managerial or representative roles may be held personally liable for infringements attributable to their failure to ensure compliance. The CBW establishes the legal basis; Dutch regulatory practice and case law will determine how aggressively this is applied in the first enforcement cycle. A CISO or board member who was aware of persistent non-compliance and took no escalation or remediation action is materially more exposed than one who acted in good faith on incomplete information and documented those actions.
Enforcement decision factors (Article 32(7))
Supervisors must weigh the following when calibrating enforcement severity:
- Duration and severity of the violation
- Whether the infringement was intentional or negligent
- History of prior infringements by the entity
- Actual damage caused to third parties or service continuity
- Measures the entity took to mitigate damage
- Level of cooperation with the supervisor during investigation
These factors work in both directions. Good-faith cooperation, voluntary incident disclosure, and early remediation action all reduce enforcement exposure. Entities that have documented their risk management decisions — even where gaps remain — are better positioned than those with no compliance record at all.
The DORA Exception: Financial Entities and the Lex Specialis Rule
Dutch banks, investment firms, insurance companies, payment institutions, and other financial entities covered by the Digital Operational Resilience Act (DORA) operate under a different legal framework for the core cybersecurity obligations — and the interaction between DORA and NIS2 is one of the most frequently misunderstood aspects of the Dutch regulatory picture.
The legal mechanism
DORA Article 1(2) designates DORA as a sector-specific Union legal act within the meaning of Article 4 of the NIS2 Directive. This makes DORA lex specialis: the more specific law takes precedence over the general framework in matters both regimes address. NIS2 Article 4(1) states the rule: where sector-specific Union legal acts require those entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect, the corresponding provisions of the Directive do not apply. Recital 28 of NIS2 applies this to DORA by name for financial entities.
What DORA displaces for Dutch financial entities
- ICT risk management framework (DORA Articles 5–15, displacing NIS2 Article 21)
- Major incident reporting (DORA Article 19, displacing NIS2 Article 23)
- ICT third-party risk management (DORA Articles 28–44)
The tighter incident reporting window
Where NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, DORA requires the initial notification of a major ICT-related incident within 4 hours of classifying it as major, and in any case no later than 24 hours after becoming aware of it. Because DORA displaces NIS2 Article 23 for these entities, the DORA clock is the one that counts: a Dutch bank that files within the DORA window is compliant, while one that waits the full 24 hours after classifying an incident as major has breached DORA even though a NIS2-only entity would have been on time. More detail on the notification timeline is in our Article 23 incident notification guide.
What remains under CBW for Dutch financial entities
DORA’s displacement is not total. Dutch financial entities remain subject to the CBW for:
- Scope determination — the CBW still governs whether the entity is classified as essential or important under Dutch law
- NCSC-NL registration — the CBW mandatory registration obligation applies regardless of DORA status
- Dutch-specific CBW requirements not addressed by DORA, including the positive cybersecurity culture obligation and the supplier security banning powers under Article 21a CBW
- Supervisory coordination with NCSC-NL as national CSIRT for non-DORA incident types
Which supervisor applies
Under DORA, DNB and AFM supervise Dutch financial entities from 17 January 2025 according to their existing mandates: DNB for banks and other prudentially supervised institutions, AFM for conduct and market supervision. For CBW residual obligations (registration, NCSC-NL coordination, Dutch-specific requirements), NCSC-NL is the point of contact. Entities with both a DORA obligation and CBW residual obligations should maintain separate compliance tracks rather than assuming one filing satisfies both.
The Enforcement Gap: What Applies Between Now and CBW Entry Into Force
The CBW passed the Tweede Kamer on 15 April 2026. The Eerste Kamer is conducting its review: joint committee input from DIGI and J&V was submitted on 19 May 2026, with a combined report expected 2 June 2026. The government’s stated target is Q2 2026 entry into force, but this depends on Senate approval, publication in the Staatsblad, and a royal decree setting the effective date. Secondary legislation — the Cybersecurity Besluit and sector-specific ministerial regulations — must also reach Council of State sign-off before the full enforcement framework operates.
| Regime | Current status | Effect on Dutch entities |
|---|---|---|
| EU NIS2 Directive (2022/2555) | In force since 16 January 2023; transposition deadline of 17 October 2024 missed | Binds the Dutch state to transpose; creates no enforceable obligations or fine exposure for entities until the CBW is in force |
| Wbni (Dutch NIS1 transposition, 2018) | Still in force | Governs existing in-scope entities (≈1,000); predecessor fine cap €5M |
| CBW (NIS2 transposition) | Passed Tweede Kamer; pending Eerste Kamer + royal decree | Not yet in force; no Dutch NIS2 fine exposure |
| DORA | In force from 17 January 2025 | Applies directly to financial entities; no CBW dependency |
During the gap period, entities that fall under NIS2 but not the Wbni:
- Are not yet subject to Dutch fine exposure for NIS2-specific violations
- May voluntarily register with NCSC-NL (the portal has been open since 17 October 2024)
- Should treat NIS2 obligations as operationally live, given the imminence of CBW entry into force
- Cannot be compelled by Dutch supervisors to implement Article 21 measures through binding instructions — that enforcement power arrives with the CBW
The practical risk of gap-period inaction: Pre-enforcement supervisory assessments have already established a compliance baseline for entities in the digital infrastructure sector. That record does not reset when the CBW enters into force. An entity that was identified as non-compliant in the gap period will find supervisors beginning from an informed starting point, not from zero. The gap period is preparation time, not an exemption from eventual scrutiny.
Four Steps Before the CBW Takes Effect
Based on the fine structure, supervisory powers, and documented compliance gaps above, these four steps address the highest-exposure conditions before enforcement activates.
1. Confirm your entity classification and supervising authority.
Apply the scope table above to each of your operational activities separately. Multi-sector organisations may fall under more than one supervisor. Use the RDI self-assessment tool or the NIS2 compliance checklist to verify classification before the mandatory registration deadline arrives.
2. Register voluntarily with NCSC-NL.
The CBW introduces mandatory registration; starting now through the voluntary portal builds the organisational record and NCSC-NL relationship before enforcement begins. Registration also positions your organisation as actively engaged if a supervisory assessment coincides with CBW entry into force.
3. Close the incident reporting gap.
Pre-CBW assessments consistently identified inadequate incident reporting procedures as the most common compliance failure. An incident handling policy mapped to Article 21(2)(b) and to the 24-hour NCSC-NL early warning requirement closes the most frequently identified Tier 1 gap from day one of CBW operation.
4. Secure documented management board approval for your cybersecurity programme.
Article 20 of the NIS2 Directive requires management bodies to actively approve and oversee cybersecurity risk-management measures. Personal liability under Article 32(6) attaches to the individuals in those roles. A board resolution approving the cybersecurity programme — documented, dated, and signed before CBW entry into force — is both a governance requirement and a personal protection record for the board members involved.
Frequently Asked Questions
Does the NIS2 Directive apply in the Netherlands even though the CBW is not yet in force?
In the sense that matters for planning, yes. The NIS2 Directive (2022/2555) is binding EU law and the Netherlands missed the 17 October 2024 transposition deadline. A directive binds the member state rather than private entities directly, so the obligations become enforceable against Dutch organisations only through national law; what is missing is that national law with fine-imposing powers. The substance of the obligations is already known, and once the CBW enters into force Dutch supervisors hold full enforcement authority from day one.
Can Dutch entities face fines right now for NIS2 non-compliance?
Under Dutch law, not for CBW violations, because the CBW is not yet in force. Entities already governed by the Wbni (the predecessor NIS1 framework) remain subject to its fine structure, up to €5 million, for violations of existing Wbni obligations. DORA obligations apply independently to financial entities from 17 January 2025.
Are public sector organisations (municipalities, provinces) subject to CBW fines?
In scope: yes. Subject to financial administrative fines: no. Public bodies face binding instructions, public enforcement notices, and ministerial escalation rather than financial penalties. The CBW treats reputational and political accountability as the primary deterrent for public sector entities.
Does the DORA compliance programme satisfy NIS2 requirements for Dutch banks?
For matters DORA directly covers (ICT risk management, major incident reporting, ICT third-party risk), yes — DORA is lex specialis and satisfying DORA satisfies NIS2. For CBW-specific residual obligations (NCSC-NL registration, Dutch-specific requirements, non-financial incident categories), separate CBW compliance steps are needed. Treat DORA and CBW as complementary frameworks with overlapping but not identical coverage.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- NIS2 Directive Article 34 — General conditions for imposing administrative fines — nis-2-directive.com
- NIS2 Directive Article 32 — Supervisory and enforcement measures for essential entities — nis-2-directive.com (used inline)
- Cyberbeveiligingswet (36.764) legislative dossier — Eerste Kamer der Staten-Generaal — eerstekamer.nl (used inline)
- Tweede Kamer approves CBW and Wwke — Rijksoverheid.nl (used inline)
- Cybersecurity Laws and Regulations Netherlands 2026 — ICLG
- NIS2 obligations for Dutch organisations — business.gov.nl (used inline)
- NIS2 Implementation in the Netherlands — Taylor Wessing
- DORA vs NIS2 for financial entities — financialregulations.eu (used inline)
- Dutch Parliament approves Cybersecurity Act — Conventus Law
