There's a conversation happening in boardrooms across the Netherlands right now. It goes something like this:
The consultant presents. Slides full of regulatory language, implementation frameworks, risk matrices. The message is clear: NIS2 is coming, your organisation needs to act. The board listens politely, asks a few questions, and then — nothing. Meeting ends. Next agenda item.
Six months later, the same conversation.
And then again.
At some point the wolf stops being scary. Not because the threat went away, but because it never arrived on a date anyone could put in their calendar.
The law undermined itself
Let's be honest: boards have behaved rationally over the past two years by parking NIS2. The European implementation deadline was 17 October 2024. Then January 2025 became the new target.
Then Q2 2026. Then 1 July 2026. The Dutch government now expects the Cybersecurity Act (Cyberbeveiligingswet) to enter into force on 15 August 2026, subject to the Senate voting in time.
Every delay confirmed that waiting worked. Boards aren't irrational — they learned from the law itself that urgency is negotiable.
But that's where the real problem sits. And it has very little to do with the date.
The question that matters: what happens to our organisation if we get hit by a serious cyber incident tomorrow?
That question has no legal deadline. Ransomware doesn't wait for the Senate to vote. A targeted attack on a healthcare provider, a manufacturing company, or a logistics chain doesn't factor in the Dutch legislative calendar. The threat existed before NIS2 did, and it exists independently of when the Cybersecurity Act takes effect.
And yet, as a sector, we have spent years behaving as though the law was the reason to act. And when the law got delayed, the action got delayed with it.
An organisation that addresses cybersecurity because the law requires it builds a different foundation from one that does it because it understands what's actually at stake.
The first produces a paper framework. Processes documented, boxes ticked, regulator satisfied. But documentation doesn't stop an attacker. What limits damage — or prevents it — is genuinely embedded policy, practised response procedures, segmented systems, and a board that understands what it's approving.
NIS2 asks for exactly that. Not as a bureaucratic exercise, but because it describes the minimum standard for an organisation that takes continuity seriously.
So the question isn't: does the law require this?
The question is: do we want to be resilient — and if so, why are we waiting for a law to make that happen?
The advisors I speak to who do get traction in the boardroom don't talk about the law. They talk about the business.
They ask questions like:
These are not NIS2 questions. They are business questions. And they land very differently than a slide about implementation timelines.
The law can follow as supporting context: here is what's expected of us at minimum, and here is where that overlaps with what we should be doing anyway. But using the law as the starting point turns a strategic conversation into a compliance session — and compliance sessions end without decisions.
For the record: the Cybersecurity Act is real and close. The lower house voted on 15 April 2026, the Senate debates on 6 or 7 July, and entry into force on 15 August 2026 is the government's target. For organisations that fall within scope, this brings concrete obligations — duty of care, incident reporting, governance requirements — that cannot be avoided.
But if that's the only reason your board is now going to act, it started too late with the wrong question.