NIS2 Is Here: What It Actually Means for Dutch Organisations
For most of the last two years, NIS2 has been the regulation everyone discussed and almost no one had to act on. In the Netherlands, that gap is now closing. The European deadline has long passed, the Dutch implementing law has cleared the House of Representatives, and the obligations are at the threshold of becoming binding. The reasons to wait have, quietly, run out.
This is not a call to panic. It is a call to recognise that NIS2 is, at its core, a governance question. And governance takes time to get right.
What NIS2 actually is
NIS2 is the European Union's updated directive on network and information security. It replaces the original 2016 framework with something far broader and far more demanding, and it is designed to raise the baseline of digital resilience across every member state.
A directive, though, doesn't apply to your organisation directly. Each country has to translate it into national law first. In the Netherlands, that translation is the Cyberbeveiligingswet (the Cybersecurity Act, or Cbw), which replaces the existing Wet beveiliging netwerk- en informatiesystemen (Wbni).
So when people ask "is NIS2 in force?", the honest answer has two parts. The directive has been live at the European level since early 2023, and the deadline for member states to implement it expired in October 2024. The Dutch national law that gives it teeth is in its final parliamentary stretch: the House of Representatives adopted the Cbw in April 2026, and it is now with the Senate, with the government aiming for entry into force in the course of 2026.
That nuance matters less than it might seem. The direction is settled. The only open question is the precise commencement date, and that is the worst possible thing to organise your readiness around.
Why "the law isn't live yet" is the wrong thing to lean on
The Dutch government has been unusually direct on this point: organisations are advised not to wait for the law to take effect, because the risks the law addresses already exist today.
That advice is practical, not rhetorical. The obligations NIS2 introduces are not the kind you can satisfy with a procurement decision the week the law commences. They require a functioning security and risk program, governance structures, a maintained risk register, incident-response procedures, supplier oversight, and a board that understands what it is accountable for. Standing those up properly is measured in months, not days.
An organisation that treats the commencement date as the starting line has already lost the lead time that compliance actually depends on.
Who it affects, and why you may be in scope without realising it
The Cbw casts a much wider net than its predecessor. Estimates put the number of in-scope Dutch organisations in the thousands, spanning sectors such as energy, transport, healthcare, digital infrastructure, water, waste, manufacturing, certain digital services, and parts of government. The Minister of Education has also brought universities and universities of applied sciences into scope.
The law sorts organisations into two tiers, essential and important entities, which differ mainly in how they are supervised, not in the underlying duties they carry. Crucially, the responsibility to determine whether you fall under the law sits with you. There is no letter in the post. Many organisations that never considered themselves "critical infrastructure" will find they qualify, often through their position in a supply chain rather than their own sector.
If you are unsure whether NIS2 applies to you, that uncertainty is itself the first thing worth resolving.
What it actually requires
Beneath the detail, the Cbw establishes three core obligations:
A duty of care: taking appropriate, proportionate technical and organisational measures to manage the risks to your systems and services.
A duty to report: notifying the authorities of significant incidents within defined timeframes.
A duty to register: making yourself known to the relevant national authority.
The most consequential change, though, is one of accountability. Under NIS2, cybersecurity becomes an explicit responsibility of the management body. Boards and directors can be held personally accountable for non-compliance, and they carry an obligation to build enough cyber knowledge to exercise meaningful oversight. NIS2 also reaches into your supply chain: you are expected to account for the security of the partners and suppliers your services depend on.
Read that list again and notice what is, and isn't, on it. None of these duties is satisfied by buying a tool. They are governance, risk, and accountability obligations. They describe a program, not a product.
The honest framing: this is a program problem
Here is where a lot of NIS2 readiness goes wrong. Organisations reach for technology (another monitoring platform, another endpoint product) and end up with more tooling and no clearer answer to the question the law is really asking: who owns this, and can you prove it works?
NIS2 is, fundamentally, asking whether you run a coherent security and risk program. Whether someone owns the risk register. Whether governance connects to the board. Whether compliance is maintained rather than rediscovered during an audit. Whether your architecture and your suppliers are accounted for. These are exactly the questions a managed program is built to answer, and exactly the ones a tool, on its own, never will.
This is the layer we work in. CTRL Disrupt operates as your Managed Security & Risk Office, the strategic and governance layer that manages your security and risk program across governance, risk, strategy, architecture, and compliance. We manage the program, not the tooling. That independence is the point: our advice is shaped by what your organisation needs to be resilient and compliant, not by anything we're trying to sell you.
A sensible first step
You don't need a full managed partnership to start. For most organisations, the right first move is simply to find out where they stand, clearly, and without the alarm.
A NIS2 Gap Analysis does exactly that: a focused evaluation against the requirements, an honest view of what needs to change, and a practical, prioritised path to compliance. It can stand entirely on its own, or become the foundation for a broader programme of work. Either way, you leave with clarity instead of a checklist of fears.
NIS2 is here. The calm, capable response is to treat it as what it is: a governance obligation you have time to meet well, provided you start now.
Thinking about this for your own organisation?
This is the kind of question we help organisations work through every day. If it's on your mind, let's talk it through — no pitch, just a clear conversation about where you stand.
CTRL Disrupt
Your Managed Security & Risk Office.
Based in the Netherlands.
© 2026 CTRL Disrupt Consulting B.V. · KvK 87198983 · All rights reserved.