Statutory mandate
Network and Information Systems Security Act (abbreviated in Dutch as Wbni)
The Wbni has been in force since 9 November 2018 and governs the NCSC's statutory tasks for central government and organisations in vital sectors. The Wbni will be repealed when the Cybersecurity Act enters into force in mid-2026.
Cybersecurity Act (abbreviated in Dutch as Cbw)
The Cybersecurity Act is the Dutch transposition of the European NIS2 Directive. Under the Cbw, the NCSC's statutory mandate is extended to more sectors and organisations. Although the Act is not yet in force, the NCSC already performs tasks under the NIS2 Directive.
NIS2 Directive
The European NIS2 Directive focuses on improving the digital and economic resilience of EU Member States. Since 17 October 2024, organisations that fall under the Directive have been able by law to rely on the NCSC's CSIRT services.
Act to Promote the Digital Resilience of Businesses (abbreviated in Dutch as Wbdwb)
This act creates the legal basis for the government to inform non-vital Dutch businesses about digital vulnerabilities and security flaws, and to warn them about specific threats. It also mandates the promotion of cooperation between public and private organisations in the field of digital resilience.
Network Code on Cybersecurity (NCCS)
The NCCS (sometimes abbreviated as Netcode) is a European delegated regulation that aims to improve the digital resilience of Europe's vital electricity infrastructure. Since June 2025, the NCSC has served as the CSIRT for the organisations provisionally designated under the NCCS.
Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA), known in Dutch as the Cyberweerbaarheidsverordening, lays down rules for placing products with digital elements on the market. These rules are intended to ensure the cybersecurity of such products. The CRA takes effect on 11 December 2027. The provision on mandatory reporting by manufacturers takes effect earlier, on 11 September 2026.
Reports under this obligation must be submitted to the CSIRT designated as the coordinating authority.
Computer Security Incident Response Team (CSIRT)
The NCSC is the CSIRT for most organisations that fall under these legislative instruments. When threats or incidents occur in network and information systems, we provide assistance so that organisations, where appropriate in conjunction with a service provider, can take measures to remedy the incident. As a CSIRT, we also advise on strengthening resilience to prevent incidents wherever possible.
Reporting centre
Organisations that fall under any of these instruments are required to report significant incidents to the NCSC. A central reporting facility is available at http://mijn.ncsc.nl. Wbni reports or voluntary reports may also be sent by encrypted email to cert@ncsc.nl, or via the emergency number. Both channels are monitored 24/7.
National contact point
To mitigate the consequences of serious cyber incidents across borders, the NCSC has been designated as the national contact point for the Netherlands in relation to EU member states. When a report is received that is also relevant to other countries, this operational information is shared with contact points in other member states.
Other tasks
- Assisting organisations and central government bodies in taking measures to ensure the continuity of their services.
- Informing and advising organisations on threats and incidents affecting network and information systems.
- Conducting analyses and technical investigations into threats and incidents.
- Handling voluntary incident reports from other organisations.
- Sharing information with organisations that have a mandate to inform others about threats and incidents.
- Monitoring incidents at the national level and issuing early warnings to organisations.
- Disseminating information about risks and incidents.
- Participating in the international network of CSIRTs.
- Maintaining cooperation with the private sector.
Dutch Cybersecurity Strategy (NLCS)
The NLCS sets out how digital security in the Netherlands will be strengthened between 2022 and 2028 across four pillars. The NLCS was developed with broad involvement from public, private, and civil society organisations, under the coordination of the NCTV. The Cybersecurity Assessment Netherlands 2022 (CSBN) forms the basis for the pillars and objectives of the NLCS. The CSBN is updated annually and summarised for the business community.