Dutch Parliament to vote on new cybersecurity laws to protect critical services
New cybersecurity laws could soon safeguard Dutch critical services like energy, healthcare, and transport. The laws aim to strengthen resilience against cyber threats and physical disruptions, impacting businesses and citizens alike. A vote is scheduled for March 31, 2026.
| Key Data | Details |
|---|---|
| Laws | Cybersecurity Act (Cbw) and Critical Entities Resilience Act (Wwke) |
| European Directives | NIS2 Directive (cybersecurity) and CER Directive (resilience of critical entities) |
| Key Themes Discussed | Scope, duty of care, reporting obligations, supervision, and law overlap |
| Next Vote | March 31, 2026, in the House of Representatives |
| Expected Implementation | Second quarter of 2026, pending parliamentary approval |
| Regulations in Progress | Cybersecurity Decree, Decree on Resilience of Critical Entities, and ministerial regulations |
| Government Body | Ministry of Justice and Security (via National Coordinator for Counterterrorism and Security) |
The Dutch House of Representatives plays a crucial role in shaping national legislation, including the transposition of EU directives into Dutch law. These proposed laws fall under its responsibility to ensure the security and resilience of critical infrastructure, which directly affects public safety and economic stability.
Openrijk has no cookies or ads
But could use some support
Read the full translated article below
Debate in the House of Representatives on the Cybersecurity Act and the Critical Entities Resilience Act
On March 23, 2026, a legislative consultation was held in the House of Representatives regarding the Cybersecurity Act (Cbw) and the Critical Entities Resilience Act (Wwke).
The Cybersecurity Act and the Critical Entities Resilience Act are the transposition into national legislation of two European directives: the so-called NIS2 Directive (on cybersecurity) and the CER Directive (on the resilience of critical entities). These directives aim to strengthen the overall resilience of EU member states against various threats.
Various themes
During the legislative consultation, Members of Parliament raised questions about different aspects of the proposed acts, such as the scope of application, the duty of care, the reporting obligation, implementation, supervision, and the overlap between the two proposed laws.
Next steps in the legislative process
The House of Representatives will vote on the proposed acts on Tuesday, March 31. If the proposals are adopted, they will proceed to the Senate for consideration. It is expected that reports will first be drawn up on both proposals, after which the government will respond with a memorandum in response to the report. This may be followed by a plenary debate. The Senate will decide on all subsequent steps and the timeline. Once the Senate has also adopted the proposals, the parliamentary process for the acts will be completed.
- Implementation in lower-level regulationsParallel to the parliamentary process, work is underway on the underlying regulations. The advisory opinions of the Advisory Division of the Council of State on the general administrative orders (AMvBs) under the acts are expected soon. These are the Cybersecurity Decree and the Decree on the Resilience of Critical Entities. The government will prepare further reports based on these opinions, after which the AMvBs will enter into force. Ministerial regulations are also in preparation. The ministerial regulations provide further elaboration of the Cybersecurity Decree and the Decree on the Resilience of Critical Entities. While the acts and AMvBs set out the main principles and general obligations, the ministerial regulations contain more detailed, sector-specific provisions.
- Implementation timelineThe government aims to bring the Cybersecurity Act, the Critical Entities Resilience Act, and the associated lower-level regulations into force simultaneously in the second quarter of 2026. Whether this timeline is achieved depends on the progress of the parliamentary process.