By 17 October 2024, the Dutch Cybersecurity Act should already have been in force: that was the transposition deadline set by the NIS2 directive. The Netherlands missed it. Belgium, for instance, did not. Now, almost a year and a half later, the bill is being debated in Parliament. Expected entry into force: 1 July 2026.
For many organisations, that still feels far away. It is not. Most companies need four to six months to bring their cybersecurity and supplier management up to the required level. If you want to be compliant by 1 July, you need to start now.
NIS2 and the Cybersecurity Act: what is the difference?
NIS2 is the European directive. The Cybersecurity Act is the Dutch law implementing that directive. The difference matters, because NIS2 is a minimum-harmonisation directive: the Dutch law may be stricter or more specific on certain points than the directive itself, so you must comply with the national text, not just the European one. The core is the same: organisations in critical and important sectors must have their cybersecurity structurally in order.
The first NIS directive (2016) applied to a limited group, mainly large energy and water companies, hospitals and financial institutions. NIS2 draws the line much wider. The directive distinguishes two categories: essential and important. This distinction determines the intensity of supervision and the level of potential fines.
Does it apply to you?
NIS2 uses a size-cap rule: medium-sized and large organisations in one of the designated sectors fall under the law automatically. In practice that means organisations with at least 50 employees, or with an annual turnover or balance sheet total above 10 million euros. Smaller organisations can also be covered, for example if they are the sole provider of a service in the Netherlands, if a disruption of their service would have a significant impact on public safety or health, or if they belong to a type that is covered regardless of size (DNS service providers, top-level-domain name registries, trust service providers and providers of public electronic communications networks).
The sectors are broad. Essential (Annex I of the directive): energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure (including data centre service providers, DNS service providers and cloud providers), ICT service management (managed service providers and managed security service providers), public administration and space. Note that size still matters within these sectors: large organisations in an Annex I sector are essential entities, while medium-sized ones are, as a rule, classified as important.
Important (Annex II): postal and courier services, waste management, chemicals, food production, processing and distribution, manufacturing (including medical devices, computers and electronics), digital providers (online marketplaces, search engines, social networking platforms) and research organisations.
Note the "digital infrastructure" and "ICT service management" categories. Data centre service providers, cloud providers, managed service providers and managed security service providers are now explicitly named in Annex I, which in practice captures most hosting providers as well. That is new. Under the old NIS directive, cloud computing services were partly covered as digital service providers, but data centres and managed (security) service providers were not.
NIS2: essential vs. important

Essential:
- Transport
- Banking
- Healthcare
- Drinking water & wastewater
- Digital infrastructure
- ICT services (MSP)
- Government
- Space

Important:
- Waste management
- Chemicals
- Food production
- Manufacturing
- Medical devices
- Electronics & computers
- Digital providers
- Research

Source: Directive (EU) 2022/2555, Art. 3 · Dutch Cybersecurity Act (bill 36.764)
The three pillars: duty of care, reporting obligation, registration requirement
Duty of care
Organisations must take appropriate and proportionate technical, operational and organisational measures. That sounds vague, but the directive (Article 21(2)) specifies it concretely in ten minimum measures, which the Dutch bill takes over:
- Risk analysis and information system security policies
- Incident handling
- Business continuity (including backup management and disaster recovery) and crisis management
- Supply chain security, including the security aspects of the relationship with each direct supplier or service provider
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of the measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures on the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies and asset management
- Use of multi-factor authentication or continuous authentication, secured voice, video and text communications, and secured emergency communication systems
This is not a menu to choose from. These are ten mandatory areas of attention. The exact implementation depends on your sector and size, but you must be able to demonstrate something on each point.
Reporting obligation
In case of a significant cyber incident, you must report in three steps. First, an early warning to the NCSC (National Cyber Security Centre) within 24 hours of becoming aware of the incident, stating at least whether you suspect unlawful or malicious action and whether the incident could have cross-border impact. Then an incident notification within 72 hours with an initial assessment of severity and impact and, where available, indicators of compromise. And finally, a final report within one month of that notification; if the incident is still ongoing at that point, a progress report is due instead, followed by the final report within a month of the incident being handled. The regulator can also request intermediate status updates in between. "Significant" means an incident that has caused, or is capable of causing, severe operational disruption or financial loss, or considerable material or non-material damage to others; in practice this is assessed on factors such as the number of people affected, the duration of the disruption and the potential financial damage.
Note the difference with the GDPR reporting obligation. That 72-hour rule for personal data breaches runs through the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The NIS2 reporting obligation runs through the NCSC, and its first deadline is 24 hours, not 72. If a cyber incident also involves a personal data breach, you must report to both places, on both timelines, and the one notification does not count as the other.
Registration requirement
Organisations that fall under the law must register with the NCSC. This is already possible on a voluntary basis. After entry into force, it becomes mandatory. The benefit of registration: you receive information about current cyber threats relevant to your sector.
Directors become personally liable
This is where it gets concrete for many boards. The Cybersecurity Act contains a provision on director liability. Directors must approve the cybersecurity measures and supervise their implementation. There is also a training obligation: directors must have sufficient knowledge to give that approval in an informed manner.
In case of non-compliance, directors can be held personally liable. This goes beyond fining the organisation. It affects individual directors. For essential entities, the directive also allows the regulator to temporarily bar persons with managerial responsibility at CEO or legal-representative level from exercising those functions until the infringement is remedied. And for essential entities, supervision is proactive: the regulator does not need to wait for an incident, but can audit and inspect on its own initiative (ex ante supervision), whereas important entities are supervised after the fact (ex post).
The fines are substantial. For essential entities: up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher. For important entities: up to 7 million euros or 1.4% of total worldwide annual turnover, whichever is higher. These are the maximums the directive requires member states to provide for as a minimum.
What does this mean for your hosting choice?
The duty of care explicitly includes supply chain security. This means you not only need to have your own systems in order, but also demonstrate that your suppliers, including your hosting provider, meet adequate security requirements.
Concretely: you must be able to show that you considered cybersecurity risks when selecting your provider. That you have contractual agreements on incident reporting. That your provider has also conducted a risk analysis and taken appropriate measures.
If your provider is a managed service provider (MSP) or managed security service provider (MSSP) of medium size or larger, they themselves fall under NIS2, as an essential entity if they are large and as an important entity if they are medium-sized. That is advantageous, because then your provider has the same kind of obligations as you, including the duty of care and the reporting obligation. But it does not release you from your own responsibility: you must still verify that your provider actually meets those obligations and document that verification.
The timeline: where are we now?
The European NIS2 directive has been in force since 16 January 2023. The deadline for national implementation was 17 October 2024. The Netherlands missed it, as did a majority of EU member states. The bill was sent to Parliament in the summer of 2025. Debate is ongoing in March 2026. The government is aiming for entry into force on 1 July 2026.
Is that certain? No. Uncertainty has arisen due to an EU proposal for simplification (COM(2026)13, published 20 January 2026). Some parties suggest this would delay Dutch implementation. But that reasoning is flawed: the European decision-making process for that proposal is expected to take two to three years. For the Netherlands, waiting is not an option. Parliament is treating the bill as non-controversial.
Meanwhile, major incidents have become a political reality. The theft of medical data from nearly a million women at a laboratory working for the national government. The Odido data breach that affected 6.2 million Dutch people. The urgency is there.
[Figure: NIS2 compliance: the 6 steps. Source: Dutch Cybersecurity Act · digitaleoverheid.nl · samendigitaalveilig.nl]
The bottom line
The Cybersecurity Act transforms cybersecurity from a technical topic into a board responsibility. It is no longer something your IT department handles while the board watches. Directors are liable. Reporting obligations are strict. Fines are substantial.
The law is coming. Parliament is debating it, the political will is there, and the incidents demonstrating the urgency keep piling up. Whether it is precisely 1 July 2026 or a few months later does not matter for your preparation. The obligations apply as soon as the law enters into force. There is no transition period.
Start with the question: does it apply to me? If the answer is yes, or if you are not sure, now is the time to start your risk analysis, assess your supplier chain and get your board to the table. Four to six months sounds like a lot. It is not.
Want to know if your hosting is NIS2-compliant? See our compliance approach and discover how we help you meet the new legislation.