The Dutch legislator published (for Internet consultation) the draft Cybersecurity Act implementing the European NIS2 Directive. This Act imposes, among other things, cyber resilience obligations on important and essential entities, such as taking adequate security measures and reporting ICT incidents. The current Wbni (implementing NIS1) will be repealed by this Act.
The Dutch Ministry of Justice and Security warns in a letter to the House of Representatives that the implementation deadline in October for NIS2 will not be met. Due to the large number of ministries involved, complex content and countless legal and policy choices, drawing up these concepts takes more time than initially expected. In addition to the network and information security directive, the CER directive for protecting critical infrastructure is also not being achieved on time.
It is expected that the draft legislative proposals is published and put out for consultation on 22 March 2024, with advice being sought from, among others, the Dutch Data Protection Authority. After processing these opinions and mandatory advice by the Advisory Division of the Council of State, the bills can be submitted to the House of Representatives for parliamentary consideration, if necessary, after renewed consideration in the Council of Ministers. The aim is to complete this entire process in autumn 2024.
When the updated Wbni comes into force, from the moment on, the organizations that are established in the Netherlands, provide services or carry out activities in the Netherlands as part of Dutch critical infrastructure and (thus) fall in scope of NIS2, must in essence: