On November 22, 2024, the Dutch National Cyber Security Center (NCSC) published an updated information brochure on the Cybersecurity Act transposing the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive).

The Cybersecurity Act still has not passed the Dutch legislature. The NCSC clarified that between October 17, 2024, and the entry into force of the Cybersecurity Act, the obligations under the NIS 2 Directive do not yet apply.

Scope

The brochure provides clarification on the scope of the Cybersecurity Act, outlining which critical sectors are subject to its obligations. Sectors include energy, transport, banking, ICT services, health, and financial services, among others. The brochure's appendix contains detailed examples of what types of organizations will be considered 'essential' or 'important' entities.

In addition, the brochure details how the obligations of the Cybersecurity Act vary depending on the size of an entity. Specifically, an organization is 'large' under the Cybersecurity Act if:

• at least 250 people are employed; or
• there is an annual turnover of more than €50 million and a balance sheet total of more than €43 million.

Entities are considered 'medium-sized' where:

• at least 50 people are employed; or
• there is an annual turnover of more than €10 million and a balance sheet total of more than €10 million.

Notably, the 'small' entities are not subject to the Cybersecurity Act, but may still be designated critical entities based on the decision of the Minister responsible for such sector.

The brochure details that entities considered 'critical entities' under the Critical Entities Resilience (CER) Directive are automatically considered an 'essential entity' under the Cybersecurity Act. Further, domain name registration services are subject to the Cybersecurity Act as part of a special category, with unique obligations and no incident reporting obligations.

Obligations

Obligations under the Cybersecurity Act include incident reporting to the Computer Security Incident Response Team (CSIRT), the duty of care with regard to the performance of risk analyses, and access management, among others.

The brochure notes that entities can already voluntarily register with the NCSC under the Cybersecurity Act.

On incident reporting, the brochure again clarifies that the following must be given:

• initial notification within 24 hours of becoming aware of the incident;
• another notification within 72 hours assessing the severity of the incident; and
• a progress report on the incident within one month of the incident occurring.

You can read the press release here and the brochure here, both only available in Dutch.