Netherlands NIS2 (Cyberbeveiligingswet) clears the lower house — entry into force targeted for 1 July 2026

The Dutch transposition is in its final step: the Tweede Kamer (lower house) approved the Cyberbeveiligingswet on 15 April 2026 (Rijksoverheid), with the Eerste Kamer (upper-house) ratification vote still pending in late June and the government targeting 1 July 2026 for entry into force. NCSC-NL is the designated supervisor; the regime runs a three-step 24h / 72h / one-month incident-notification protocol, essential-entity penalties up to €10M or 2% of turnover, and personal board liability for security-measure oversight (NL Digital Government). This is the fresh delta on the W25 NIS2-transposition item, which listed the Netherlands as pending; France, Ireland, Luxembourg and Spain remain non-transposed. What changes for defenders: any essential/important entity with Dutch operations or Dutch counterparties is about to face an enforceable notification clock and a named supervisor — wire NCSC-NL's 24/72-hour flow into the incident-response runbook now, and re-check which group entities fall in scope.