“Under the Dutch Cyberbeveiligingswet (Cbw), municipalities can be fined up to €10 million for failing to meet duty-of-care requirements.”

The explanatory memorandum to the Cyberbeveiligingswet (Cbw) discusses the transposition of the NIS2 enforcement regime, including maximum administrative fines. It explains that the directive provides, for essential entities, for a maximum fine of 10,000,000 euros or 2% of the total worldwide annual turnover, whichever is higher. The Cbw follows this structure when setting maximum administrative fines for violations of obligations such as the duty of care (zorgplicht) and the duty to notify incidents (meldplicht).

The Cyberbeveiligingswet states that municipalities, provinces, and water boards are included as local governments. It also says that essential and important entities have a duty of care requiring them to take appropriate and proportionate measures to manage risks to their network and information systems. The page further explains that significant cyber incidents must be reported under the law.

“More companies and organisations in critical sectors will have obligations (duty of care and reporting duty) to increase cybersecurity and counter cyberattacks. These obligations are set out in the European Network and Information Security directive (NIS2)… “You organisation is covered by the NIS2 directive if: your organisation is active in 1 of the sectors listed in Annex I or Annex II of the NIS2 directive, and you have a medium-sized organisation with at least 50 employees or an annual turnover or balance sheet total over €10 million… Government organisations active in the sectors listed above are also automatically covered by the NIS 2 directive.” “It is expected the new law will enter into force in the 2nd quarter of 2026… From then on, organisations covered by the NIS2 directive have to fulfil the duty of care and duty to report. Please note: The effective date of this measure is not yet final. Entry into force is subject to its passing through the Lower and Upper Houses of parliament.”

Article 34(4) of the NIS 2 Directive, which the Dutch Cyberbeveiligingswet implements, sets an EU-level framework for administrative fines: "For essential entities, Member States shall ensure that the maximum amount of administrative fines that can be imposed for infringements of this Directive is at least 10 000 000 EUR or at least 2 % of the total worldwide annual turnover of the undertaking to which the essential entity belongs in the preceding financial year, whichever is higher." The directive does not itself mention municipalities specifically; it provides an upper bound model which Member States transpose into national law.

“The Dutch SA imposed a fine of 290 million euros on Uber… The Dutch SA found that Uber collected, among other things, sensitive information of drivers from Europe and retained it on servers in the US.” “This decision concerns a GDPR infringement and illustrates the scale of fines the Dutch DPA can impose for data‑protection violations. It is unrelated to municipalities’ obligations under the Cyberbeveiligingswet and does not address a €10 million maximum fine for municipalities under that law.”

The VNG circular on the consequences of the Cyberbeveiligingswet for municipalities states: “Sancties bij gebreken. De RDI heeft als toezichthouder ook de mogelijkheid om sancties op te leggen. Het gaat dan niet alleen om sancties voor de gemeentelijke organisatie, maar ook om persoonlijke sancties voor bestuurders (burgemeester en wethouder) die in gebreke blijven. Bij inbreuken op de zorgplicht en meldplicht kan de toezichthouder de gemeente een bestuurlijke boete opleggen van maximaal € 10 miljoen. Voor overtredingen van andere verplichtingen in de Cyberbeveiligingswet, zoals de registratieplicht, kan de boete oplopen tot € 1 miljoen.”

“Gemeenten die hun zorgplicht onder de Cyberbeveiligingswet niet nakomen, kunnen te maken krijgen met boetes oplopend tot 10 miljoen euro. Burgemeester en wethouders moeten een training informatiebeveiliging volgen, en zijn persoonlijk beboetbaar als ze die plicht verzaken. … De RDI kan boetes opleggen als gemeenten niet aan de verplichtingen uit de wet voldoen. ‘Bij inbreuken op de zorgplicht en meldplicht kan de toezichthouder de gemeente een bestuurlijke boete opleggen van maximaal 10 miljoen euro.’ De zorgplicht behelst onder meer dat er een analyse van de cyberrisico’s wordt gemaakt.”

This Dutch-language summary of the NIS2 Directive notes that the Directive provides for fines of up to 10 million euros or 2% of global annual turnover for essential entities and up to 7 million euros or 1.4% of global annual turnover for important entities, for breaches of cybersecurity risk-management and reporting obligations. The summary explains that it is up to Member States to determine which entities fall into these categories. It does not say that municipalities as a category are subject to a specific 10‑million‑euro fine level, but that public bodies can be designated as essential or important depending on the services they provide.

The article explains that municipalities are designated as essential entities under the Cbw and that cyber security becomes an explicit board responsibility. It also states that, in cases of serious cyber incidents, a reporting obligation applies and that supervisory authorities can impose fines and other enforcement measures.

“The Cyberbeveiligingswet — the Dutch implementation of the European NIS2 directive — is expected to take effect on July 1, 2026.” “Fines: comparable to GDPR. Sanctions are substantial and depend on your classification: | Classification | Maximum fine | | -- | -- | | Essential entities | Up to €10 million or 2% of global annual turnover | | Important entities | Up to €7 million or 1.4% of global annual turnover | The higher amount of the two applies.” “In a section on scope the blog states that providers of public electronic communications networks, qualified trust service providers and government organisations always fall under the act, regardless of size. The article, however, does not specifically single out municipalities or explicitly state that municipalities, as such, can be fined up to €10 million for failing duty-of-care requirements; instead it presents the general maximum fines for ‘essential entities’.”

iBestuur reports on the reaction of municipalities to the new law: "The municipalities want the chance to comply with the new legislation without immediately running the risk of a fine. Not immediately a fine, they argue, because the administrative fines under the Cyberbeveiligingswet can be substantial." The article notes the existence of high potential fines but does not itself specify the maximum amount or tie it specifically to the duty of care obligation.

The article states that under the new law municipalities are explicitly responsible for managing cyber risks. It also says that fines for breaches of the duty of care and reporting obligation can reach €10 million for the municipal organization, with personal fines for administrators who do not follow the mandatory training.

Binnenlands Bestuur discusses the financial impact of the Cyberbeveiligingswet on municipalities: "Costs increase: on average one million per year … Municipalities see the costs for security rise sharply due to legislation such as the Cyberbeveiligingswet." It mentions that the combination of new obligations and possible sanctions leads to concern, but the article focuses on costs and does not detail the exact upper limit of fines.

The page explains that organizations covered by the Cyberbeveiligingswet must carry out a risk analysis and then take measures based on that analysis. It also says the law introduces a registration obligation and a reporting obligation for incidents. Although this page is sector-specific to healthcare rather than municipalities, it reflects the same duty-of-care structure used in the Cbw framework.

The Dutch Cyberbeveiligingswet is the national implementation of the EU NIS2 directive. Under NIS2, maximum administrative fines for essential entities are set at €10 million or 2% of worldwide annual turnover, whichever is higher; municipalities are generally treated as essential entities in the Dutch implementation. This supports the specific €10 million figure, though the exact application to municipalities depends on the national implementing rules and supervisory framework.

A news item on Security.nl reports critical reactions to the draft Cbw: commentators argue that the combination of organisational fines and personal fines for administrators could be disproportionate, especially for public bodies with limited budgets. Some legal experts quoted question whether the sanction levels derived from NIS2 are appropriate for relatively small municipalities and warn of potential chilling effects. The article, however, does not dispute the government’s intention to set high maximum fines; instead it highlights concerns that such high ceilings (in the order of millions of euros) might be excessive for municipalities.

In a commentary on the draft Cyberbeveiligingswet, a legal expert warns that the enforcement regime derived from NIS2 allows for very high maximum fines, such as 10 million euros, but notes that these are ceilings: “In practice, the supervisory authority will have to take proportionality and the financial capacity of the public body into account when imposing a fine. The maximum of 10 million euro will therefore rarely, if ever, be imposed on small municipalities.” This suggests that while the law technically allows such fines, their practical application to municipalities is expected to be more restrained.

The page says that under NIS2, and later the Cyberbeveiligingswet, administrative fines are possible for breaches of the duty of care and reporting obligations. It gives the maximum for essential entities as €10,000,000 or 2% of global annual turnover, whichever is higher.