Back to knowledge base

Dutch Cybersecurity Act final: NIS2 applies in the Netherlands from 15 August 2026

Published on July 7, 2026

It is final. On 7 July 2026 the Dutch Senate adopted the Cybersecurity Act (Cyberbeveiligingswet) and the Critical Entities Resilience Act (Wet weerbaarheid kritieke entiteiten), and the government has set the entry into force at 15 August 2026. The era of target dates and caveats is over: NIS2 becomes enforceable law in the Netherlands, with a hard date just over five weeks away.

What exactly enters into force?

Two acts at the same time:

For most organisations, and certainly for their suppliers, the Cybersecurity Act is the one that matters in practice.

Which obligations apply from 15 August?

From the entry into force, organisations under the Cybersecurity Act must comply with:

No transition period has been announced. The obligations apply in full as of 15 August 2026.

What does this mean for suppliers?

For many SMEs, this is the real news. The duty of care explicitly covers the supply chain: the 8,000 organisations under the act must be able to demonstrate that they manage the risks posed by their suppliers. That translates into supplier questionnaires, contract requirements and audits.

If you supply software, hosting, data or services to an organisation covered by the act, that request will land on your desk sooner or later, even if you formally fall outside the scope yourself. What is expected of you is covered in the NIS2 supply-chain duty of care: what is really required and, specifically for suppliers, in NIS2 supply-chain duty of care for suppliers. Already receiving questionnaires? Then answering a NIS2 supplier questionnaire helps.

What the act does not do

Even with a hard date, what we wrote earlier still holds: the act mandates no specific tool or SaaS whatsoever. Anyone using the entry into force to sell a product as "legally required" is selling urgency instead of facts. The act requires goals: know your risks, take measures, report incidents and be able to demonstrate all of it. How you meet those goals is up to you. Why even a good scan does not make you compliant is explained in scanning is not NIS2 compliance.

Five things to arrange before 15 August

  1. Determine your position. Do you fall directly under the act (sector plus size), or indirectly via customers that do? The Dutch government offers a self-assessment tool; the NCSC publishes the list of sectors.
  2. Register. If you fall under the act, register your organisation in the entity register via mijn.ncsc.nl. The government explicitly names this as the first priority.
  3. Map your attack surface. You cannot manage risks you do not see. Start with what an attacker sees of your domain.
  4. Include your chain. Inventory critical suppliers and record which baseline requirements you set for them. See how to monitor this at Monitor my suppliers.
  5. Make it demonstrable. Make sure you can show what was found, when, and what happened with it. That evidence is what a regulator, auditor or customer wants to see.

Exposentry helps with steps 3 to 5: continuous, forensically substantiated monitoring of your own domains and your supplier chain, based on OpenKAT. Not a compliance guarantee, but a demonstrable building block for your duty of care. You can see where you stand today: start a scan of your organisation.

Source

Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides NL-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.