NIS2 and the Cybersecurity Act: where do we stand?

On 5 February 2025, the parliamentary committee debate on Digital Affairs took place, focusing on the progress of cybersecurity policy and the implementation of the NIS2 Directive. This debate was significant because the Minister of Justice and Security provided an update on, among other things, the current status of the NIS2 implementation and the Dutch Cybersecurity Act (Cyberbeveiligingswet, hereafter Cbw).

“We are in a period where investing in cybersecurity also means investing in the continuity of your business,” said Minister Van Weel (Ministry of Justice and Security) during the committee debate on Digital Affairs on online safety and cybersecurity. At the same time, the Minister concluded that research shows that organisations in the Netherlands still do not have their basic cybersecurity measures in order. Basic cyber hygiene will therefore become an important obligation under the forthcoming Cbw.

More than 8,000 companies in the Netherlands will be required to comply with the Cbw. During the debate, the Minister again emphasised that directors will be required to follow training and can be held liable for the incorrect implementation of measures. The details of the training requirements and the duty of care are still being developed and will be laid down in an upcoming Administrative Decree (Algemene Maatregel van Bestuur, AMvB).

So where do we stand after the committee debate? The debate did not produce any new insights. The Cbw will be discussed in the House of Representatives in the near future, and the public consultation for the AMvB will start. The exact timeline is not yet known, although the public consultation on the AMvB is expected in mid-February. The intention remains for the Cbw to enter into force in Q3 2025. The government is examining whether the rules can be limited, for example by aligning the Cbw with existing standards such as ISO 27001, NEN 7510 or the BIO. This harmonisation should ensure that the implementation of the Act results in minimal additional burdens for companies. Finally, supervisory authorities have intensified their mutual cooperation in anticipation of the further elaboration of NIS2, which is closely linked to the Cbw.

However, the absence of new developments in the committee debate does not mean that companies should wait until the Act enters into force. Start now by building knowledge through training. Another good first step is to map the measures that will be required once the new legislation applies. It is also important to have a clear overview of which measures still need to be supplemented.

Do you want to be well prepared as a director for the impact of the NIS2 Directive and the Cybersecurity Act? Or do you work as a cybersecurity professional and are you looking for practical guidance? Our specialised training courses offer exactly what you need. For directors, we are organising tailored sessions that clearly explain the strategic and legal implications of NIS2.
