The Cybersecurity Act is the transposition into national legislation of the European NIS2 Directive. This directive aims to strengthen the resilience of the member states of the European Union by ensuring that organizations are sufficiently resilient against various threats. The Dutch government is therefore calling on organizations to prepare for the arrival of the law and the underlying regulations.
The internet consultation of the ministerial regulation under the Act on the Resilience of Critical Entities (Wwke) is also starting. The Wwke is the transposition into national legislation of the CER Directive, concerning the resilience of critical entities.
Further Elaboration of the Law
The ministerial regulations form the further elaboration of the Cybersecurity Act, the Act on the Resilience of Critical Entities, the Cybersecurity Decree, and the Decree on the Resilience of Critical Entities. The Cybersecurity Decree and the Decree on the Resilience of Critical Entities are the general administrative measures (amvb's) that fall under the laws. While the laws and amvb's establish the main lines and general obligations, the ministerial regulations contain the more detailed, sector-specific provisions.
Most departments will draft their own ministerial regulation for the sectors for which they are responsible. An important part of these regulations is the elaboration of the reporting obligation for incidents in the form of threshold values that determine in which cases a report is mandatory.
In the elaboration of the ministerial regulations, there has been intensive coordination between the departments, so that the regulations are the same where possible and do not contradict each other. Multiple organizations will fall under the regulations of both one department and another.
Regulations under the Cybersecurity Act
Six ministries - the ministries of Interior and Kingdom Relations (BZK), Infrastructure and Water Management (I&W), Economic Affairs (EZ), Climate and Green Growth (KGG), Agriculture, Fisheries, Food Security and Nature (LVVN), and Health, Welfare and Sport (VWS) - will consult their draft regulations under the Cybersecurity Act this week. The Ministry of Education, Culture and Science (OCW) will present its ministerial regulation at a later time.
Ministerial Regulations of the Ministries of I&W, EZ, KGG, and LVVN
The detailed rules regarding the duty of care have been jointly drafted by the ministries of I&W, EZ, KGG, and LVVN for the sectors that fall under these ministries. A joint elaboration of the duty of care has been chosen so that the security requirements for entities are consistent. This is particularly efficient and effective for companies that fall into multiple sectors and thus have to deal with one set of requirements.
In the spring of 2025, responses could be given via an internet consultation on that joint elaboration of the duty of care. As a result, adjustments have been made that can be found in the current ministerial regulations of the respective ministries.
The criteria for the reporting obligation that are included in the draft regulations have largely received a sector-specific interpretation and therefore differ from each other.
Ministerial Regulations BZK and VWS
The Ministry of BZK and the Ministry of VWS are now making their complete ministerial regulation available for consultation.
Act on the Resilience of Critical Entities
Also for the Act on the Resilience of Critical Entities, the underlying ministerial regulations are being elaborated. More information about this The Ministry of IenW and the Ministry of KGG are now offering their ministerial regulation for consultation. The consultation of the regulations from the Ministry of BZK, the Ministry of VWS, and the Ministry of LVVN will follow shortly.
Respond to the Ministerial Regulations
Via www.internetconsultatie.nl everyone can respond to the ministerial regulations. Responses are possible from November 10 to December 21, 2025. After the consultation period, all responses will be reviewed per department and processed where necessary.
Through the links below, the drafts of the ministerial regulations can be viewed and participation in the consultation can take place:
- Ministry of Interior and Kingdom Relations
- Ministry of Economic Affairs
- Ministry of Infrastructure and Water Management
- Ministry of Climate and Green Growth
- Ministry of Agriculture, Fisheries, Food Security and Nature
- Ministry of Health, Welfare and Sport
Follow-up Process of Legislative Proposals and AMVBs
In June 2025, the legislative proposals for the Cybersecurity Act and the Act on the Resilience of Critical Entities were submitted to the House of Representatives, and the drafts of the underlying AMVBs were presented to the House of Representatives for information.
In the reports on the legislative proposals, questions were raised by the House of Representatives regarding the legislative proposals and the AMVBs. These questions have been answered by the government in a note in response to the report. The notes can be viewed here:
- Cover letter with note in response to the report on the legislative proposal for the Act on the Resilience of Critical Entities
- House of Representatives note in response to the report on the legislative proposal for the Cybersecurity Act
At the end of this year, the AMVBs will be submitted for advice to the Advisory Division of the Council of State.
The government aims for the laws, AMVBs, and ministerial regulations to come into effect in the second quarter of 2026.
Get Started
The measures that organizations must take from the upcoming Cybersecurity Act require time and attention. Therefore, the Dutch government advises organizations not to wait for the entry into force but to start preparing. The NCSC provides extensive information about the steps your organization can already take in preparation.
The NCSC has a comprehensive FAQ about the Cybersecurity Act. The NCTV has also published a lot of additional information and questions and answers about rights and obligations, planning, and the legislative process. With the help of the Cybersecurity Act referral tree, you will get a comprehensive overview of the responsible ministries, CSIRTS, and regulators per sector. The NCTV also has more information about the Act on the Resilience of Critical Entities.
Do you have any questions about the (internet consultation on the) Cybersecurity Act?
Although not all questions can be answered yet, we would like to hear what questions and information needs your company has regarding the Cybersecurity Act. The place to exchange this is the special NIS2 theme space on the DTC Community. You can directly contact thousands of other entrepreneurs and cybersecurity professionals on this online platform.
We will keep you informed about developments regarding the Cybersecurity Act via this website, LinkedIn, Mastodon, and the DTC Community.
