The Dutch Cybersecurity Act — the Netherlands' implementation of the European NIS2 Directive — is expected to take effect on 1 July 2026. The act applies directly to medium-sized and large organisations in designated sectors, but via the supply chain it also affects many SMBs with fewer than fifty employees: customers who do fall under the act will start imposing security requirements on their suppliers. The good news: a fair share of the ten duty-of-care measures you simply arrange in the Microsoft 365 or Google Workspace environment you already have. In this article we translate the act into concrete settings and a checklist.

What is the current state of play around NIS2 in the Netherlands?

The Dutch House of Representatives passed the Cybersecurity Act in April 2026 and the intended date of entry into force is 1 July 2026 (Bouwend Nederland, 2026). The act is now with the Senate; the NCSC maintains that it will come into force "around 1 July 2026" (NCSC, 2026). With that, the Cybersecurity Act replaces the current Network and Information Systems Security Act (Wbni).

Important to know: there is no generous transition period. The duty of care and the reporting obligation apply from the date of entry into force. Only the mandatory cybersecurity training for directors has a deadline of two years after entry into force (Digitale Overheid, 2026). Moreover, the NIS2 Directive places ultimate responsibility for digital resilience explicitly with the management board — this is not a topic you can fully park with "someone from IT".

Do I fall under NIS2 — even with fewer than fifty employees?

You fall directly under the act if you work in a designated sector and are medium-sized or large: from 50 employees, or more than 10 million euros in annual turnover or balance sheet total (Ondernemersplein, 2026). Smaller companies usually do not fall under it directly, with a few exceptions that participate regardless of size, such as trust service providers and providers of electronic communications networks.

That does not mean you are off the hook as a smaller SMB, however. One of the ten duty-of-care measures is, after all, supply-chain security: organisations that fall under the act must map out their suppliers and manage the risks in that chain (NCSC, 2026). In practice this means: questionnaires about your security, requirements in contracts and procurement terms, and sometimes an audit. If you supply software, services or components to, say, logistics, healthcare, industry, energy or a larger ICT provider, NIS2 comes your way — not via the supervisory authority, but via your customer. Whoever can already answer that questionnaire has an edge over competitors who still have to start.

The ten duty-of-care measures in Microsoft 365 or Google Workspace

The Cybersecurity Act prescribes ten duty-of-care measures; you determine yourself which implementation is appropriate, based on a risk analysis (NCSC, 2026). For an SMB organisation running on Microsoft 365 or Google Workspace, a large part can be arranged with existing features — often without extra licences. Here is how the ten measures look when you translate them to your own working environment:

Measure from the act | Concrete in Microsoft 365 / Google Workspace
1. Risk analysis and security policy | Record which systems and data are critical and what the biggest risks are. Use the built-in security score and reports as a baseline measurement.
2. Incident handling | A single point of contact and a short step-by-step plan for incidents; making sure security notifications and alerts actually reach someone who looks at them.
3. Business continuity, backup and recovery | Backup of mail and files (Exchange, OneDrive/SharePoint or Gmail/Drive) outside your own tenant, plus a recovery test that you repeat periodically.
4. Supply-chain security | An up-to-date list of suppliers and apps with access to your environment, data processing agreements in order, and external access limited in time and permissions.
5. Cyber hygiene and training | Basic agreements for the whole team: password policy, dealing with phishing, periodic awareness moments — and the mandatory training for the board.
6. Security in the acquisition and maintenance of systems | Updates and patch management structurally arranged; new apps that request access to your tenant (OAuth consents) assessed first.
7. Personnel, access policy and asset management | A fixed on- and offboarding process, minimal permissions per role, no shared accounts, and an overview of all devices via Intune or MDM.
8. Multi-factor authentication and secure communication | MFA mandatory for all accounts, starting with administrators; conditional access (Microsoft 365 Business Premium) or enforced 2-step verification in Workspace.
9. Cryptography and encryption | Disk encryption on laptops (such as BitLocker via Intune), encrypted connections and a short record of what you encrypt where.
10. Assessing the effectiveness of measures | Periodic review: checking permissions, reviewing audit logging, testing backup and briefly reporting the outcomes to the board.

Two points of attention in that translation. First, logging: without audit logs you cannot reconstruct an incident and therefore cannot report it properly — turn logging on and check how long your logs are retained. Second, demonstrability: the act asks not only that you take measures, but also that you can show what you weighed up. A concise, up-to-date document wins here over a thick report that no one keeps current. How we set up and maintain environments like this on a structural basis is described in our articles on Microsoft 365 management and outsourced IT management.

The reporting obligation: 24 hours, 72 hours and one month

The reporting obligation has a fixed, staged timing: in the event of a significant incident you submit an early warning to the CSIRT and the supervisory authority within 24 hours, a substantive report follows within 72 hours, and within one month you deliver a final report (Digitale Overheid, 2026). There is also a registration obligation: organisations that fall under the act register via the NCSC portal.

The practical consequence is often underestimated: to be able to report within 24 hours, you first have to be able to see an incident at all. That calls for monitoring and alerts that reach someone — even on a Friday evening — and for a short list that is ready: who spots it, who decides, who reports, and where. Making that list takes an afternoon; having to come up with it during an incident takes days.

Checklist: what to arrange before 1 July 2026

Don't start with writing policy; start with the technology that immediately removes risk. These eight points together form a realistic preparation for an SMB organisation:

  1. Determine your position. Check whether you fall under the act yourself (sector plus size) and whether your most important customers fall under it — because then the requirements come via them.
  2. Turn on MFA for all accounts. Starting with administrator accounts; no exceptions "because it's inconvenient".
  3. Arrange a real backup. Mail and files secured outside your own tenant, with a tested recovery procedure — why the default doesn't suffice is explained in our article on Microsoft 365 backup.
  4. Clean up access. Former employees out, minimal permissions per role, shared accounts replaced by personal ones.
  5. Turn on logging. Check what is being logged, how long it is retained and who actually looks when there is an alert.
  6. Record your risk analysis briefly. Which systems are critical, what are the biggest risks, which measures counter them.
  7. Create an incident step-by-step plan. Including the reporting route: warn within 24 hours, report within 72 hours, final report within a month.
  8. Plan the director training. The deadline is two years, but the board is ultimately responsible from day one.
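Several of the checks above (MFA for every account, cleaning up access, logging, and the OAuth consents named under measure 6 in the table) can be verified with a read-only script rather than by clicking through admin portals, which also gives you the "demonstrability" the act asks for. The following script is an added example written for this article; it is not the author's tooling and not part of Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed, that the account running it holds the read-only scopes listed in the script, and that the tenant is small enough (a few hundred users) to query one user at a time. Reading sign-in activity requires an Entra ID P1 licence, which Microsoft 365 Business Premium includes. The threshold of 90 days for a "stale" account is a constructed default, not a figure from the act.

```powershell
# NIS2 readiness report for a Microsoft 365 tenant (added example, read-only).
# Needs modules: Microsoft.Graph.Authentication, Microsoft.Graph.Users,
#   Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications, ExchangeOnlineManagement
param(
    [int]$StaleDays = 90,   # constructed default: accounts idle longer than this are flagged
    [string]$ReportPath = ".\nis2-readiness-$(Get-Date -Format yyyyMMdd).csv"
)

# Only read scopes are requested: the script changes nothing in the tenant.
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All',
                        'Policy.Read.All','Application.Read.All','DelegatedPermissionGrant.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Item, [string]$Subject, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Checklist = $Item; Subject = $Subject; Detail = $Detail })
}

# Checklist 2 (tenant level): is there an enabled Conditional Access policy that requires MFA?
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' }
if (-not $mfaPolicies) {
    Add-Finding '2. MFA' 'Tenant' 'No enabled Conditional Access policy requires MFA'
}

# Checklist 2 and 4 (per user): MFA registration and accounts that look like missed offboarding.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType,SignInActivity |
    Where-Object { $_.AccountEnabled -and $_.UserType -eq 'Member' }
# Method types that count as a second factor (SMS/voice is accepted here, but is the weakest of them).
$mfaTypes = @('#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
              '#microsoft.graph.fido2AuthenticationMethod',
              '#microsoft.graph.softwareOathAuthenticationMethod',
              '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
              '#microsoft.graph.phoneAuthenticationMethod')
$cutoff = (Get-Date).AddDays(-$StaleDays)
foreach ($u in $users) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    if (-not ($types | Where-Object { $mfaTypes -contains $_ })) {
        Add-Finding '2. MFA' $u.UserPrincipalName 'No MFA method registered'
    }
    $last = $u.SignInActivity.LastSignInDateTime
    if (-not $last -or $last -lt $cutoff) {
        Add-Finding '4. Access' $u.UserPrincipalName "Enabled account with no sign-in in the last $StaleDays days"
    }
}

# Measure 6 / checklist 4: apps that were granted consent on behalf of the whole tenant.
Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'AllPrincipals' } | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    Add-Finding '6. Apps' $sp.DisplayName "Tenant-wide consent for scopes: $($_.Scope)"
}

# Checklist 5: without the unified audit log there is nothing to reconstruct an incident from.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Add-Finding '5. Logging' 'Tenant' 'Unified audit log ingestion is disabled'
}

# Write the findings as a dated CSV (the evidence trail) and print a per-item summary.
$findings | Sort-Object Checklist, Subject | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Group-Object Checklist | ForEach-Object { '{0,-12} {1,4} finding(s)' -f $_.Name, $_.Count }
"Report written to $ReportPath"
```

Run it before you start the clean-up and again afterwards; the two dated CSV files are exactly the kind of short, current evidence that answers a customer's supplier questionnaire. A Google Workspace tenant has no equivalent here, but the same four questions can be answered from the Admin console's user report, 2-step verification enforcement setting, connected-apps list and audit log retention.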

Want to see in black and white where your organisation stands right now? Take the free self-test — in a few minutes it shows where your digital foundation stands and what the logical first step is.

In short

  • The Cybersecurity Act (NIS2) was passed by the House of Representatives in April 2026; the intended date of entry into force is 1 July 2026 and there is no generous transition period.
  • Directly obligated: medium-sized and large organisations in designated sectors (from 50 employees or 10 million euros in turnover/balance sheet total). Smaller companies often get the requirements via obligated customers.
  • For SMBs the ten duty-of-care measures can largely be filled in with features already in Microsoft 365 or Google Workspace: MFA, access management, logging, device management and backup.
  • The reporting obligation is staged: warning within 24 hours, substantive report within 72 hours, final report within one month — and that only works with functioning monitoring.
  • Start with technology that immediately removes risk (MFA, backup, cleaning up access) and keep the documentation short and up to date.


Frequently asked questions

When does the Dutch Cybersecurity Act (NIS2) take effect?

The intended date of entry into force is 1 July 2026. The Dutch House of Representatives passed the Cybersecurity Act in April 2026; after approval by the Senate, the act replaces the current Wbni. The duty of care and the reporting obligation apply from the date of entry into force; only the mandatory training for directors has a two-year deadline.

Does my company with fewer than 50 employees fall under NIS2?

Usually not directly: the act applies to medium-sized and large organisations in designated sectors — from 50 employees or more than 10 million euros in annual turnover or balance sheet total. But via the supply chain you often end up dealing with it anyway: one of the ten duty-of-care measures is supply-chain security, which means obligated customers start imposing security requirements on their suppliers.

What exactly does the reporting obligation involve?

In the event of a significant incident you submit an early warning to the CSIRT and the supervisory authority within 24 hours, followed by a substantive report within 72 hours and a final report within one month. There is also a registration obligation: organisations that fall under the act register via the NCSC portal.

Do I need to be ISO 27001 certified for NIS2?

No, the Cybersecurity Act does not require certification. You must take appropriate measures based on a risk analysis and be able to demonstrate them. A certification can help with that, but a well-configured and documented Microsoft 365 or Google Workspace environment counts just as well as evidence.

What does it cost to comply with NIS2?

For an SMB organisation, a large part of the measures is in licences you already have: MFA, access management and logging are standard features of Microsoft 365 and Google Workspace. The real costs are in getting permissions, backup and documentation in order once, and then in ongoing management afterwards. What that management costs, you can read in our article on the cost of IT management.

Written by Hugo Eleveld · Updated . This article is informational; for tailored advice book an intro call.
