In Force
Energy, Transport, Banking, Financial market infrastructure, Healthcare, Drinking water, Digital infrastructure, ICT service management
Network and Information Systems Security Act (Wbni) — NIS2 Implementation
Also known as: Wbni / NIS2 (Netherlands)
The Netherlands' implementation of the EU NIS and NIS2 Directives. Requires essential and important entities to implement risk-based security measures, report significant incidents to the NCSC within 24 hours, and register with competent authorities.
Jurisdiction
Netherlands
Regulator
—
Effective
11/9/2018
Sector
Energy, Transport, Banking, Financial market infrastructure, Healthcare, Drinking water, Digital infrastructure, ICT service management
Full Text / Summary
The Netherlands' Network and Information Systems Security Act (Wbni), implementing the EU NIS2 Directive (effective October 17, 2024), establishes cybersecurity requirements for essential and important entities in the Netherlands. The Wbni applies to organizations in 18 sectors including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal services, waste management, chemicals, food, manufacturing, digital providers, and research. Essential entities face more stringent supervisory requirements than important entities. Key obligations include: implementing appropriate technical and organizational cybersecurity measures; incident reporting to the National Cyber Security Centre (NCSC) within 24 hours (initial) and 72 hours (detailed); supply chain security; and registration with the competent authority. The Rijksinspectie Digitale Infrastructuur (RDI) and sector-specific supervisors enforce the Wbni. Fines can reach EUR 10 million or 2% of global annual turnover for essential entities.