The Netherlands is moving towards full implementation of the EU Critical Entities Resilience Directive (CER Directive). A legislative proposal adopted by the House of Representatives introduces a new set of resilience obligations for companies active in vital sectors.

On 15 April 2026, the Dutch House of Representatives adopted the Critical Entities Resilience Act (Wet weerbaarheid kritieke entiteiten, "Wwke"). The bill aims to strengthen the physical and organisational resilience of entities providing services that are essential to society, the economy, public health, public safety or the environment. Although framed as resilience and security legislation, the new Dutch framework will be highly relevant for companies operating in sectors such as energy, transport, healthcare, water, digital infrastructure and public services. Designation as a critical entity is likely to affect compliance frameworks, operational risk assessments and, in some cases, transaction planning and foreign investment screening. The regime forms part of a broader EU trend towards increased regulatory scrutiny of strategically important infrastructure and services. For companies active in capital‑intensive or regulated markets, the resulting compliance burden and reporting obligations may influence cost structures and competitive dynamics.

Are you in scope for designation as a critical entity?

The Wwke does not apply automatically. Its obligations only take effect once an entity has been formally designated as a critical entity by the competent ministry. Designation is sector‑specific and based on periodic sectoral risk assessments carried out by the relevant ministries, which must be conducted at least once every four years. These assessments identify which essential services are critical and which entities play a sufficiently important role in their provision.

In determining whether an entity should be designated, authorities assess, among other factors, whether the entity provides one or more essential services, the extent to which other sectors depend on those services, the potential impact of disruptions, geographic scope and the availability of alternatives. The legislation does not specify how many entities will ultimately be designated, nor whether only entities above a certain size are in scope. The outcome of the sectoral assessments will dictate which companies are in scope, and the conditions for designation will likely vary by sector. Entities providing essential services in or to six or more EU Member States may additionally be assessed at EU level and designated as entities of particular European significance. Such designation may result in closer coordination and scrutiny at EU level, including involvement of the European Commission.

The proposal sets a formal deadline for the first designations of 17 July 2026, subject to the law having entered into force by that date. If the Wwke enters into force after 17 July 2026, the first designation decisions must be taken within one month of its entry into force. These transitional deadlines reflect the Netherlands’ obligations under EU law, but their practical application will depend on the timely completion of substantial preparatory work at ministerial level, including sectoral risk assessments. Those assessments were themselves due by January 2026, alongside the adoption of the national resilience strategy coordinated across ministries and aligned with existing national and sectoral strategies. As that deadline has now passed, the statutory timelines effectively converge. Unless amended by the Dutch Senate, ministries may need to complete both the preparatory assessments and the first designation decisions within the same post‑entry‑into‑force period.

What are the key obligations of a critical entity?

Once designated as a critical entity, organisations will be subject to three core obligations:

1. Risk assessments. Critical entities must carry out periodic risk assessments covering a broad range of natural and man‑made risks that could significantly disrupt the provision of essential services.

2. Duty of care. Designated entities are subject to a duty of care requiring them to implement appropriate and proportionate technical, security and organisational measures to ensure resilience. These measures may include physical protection of infrastructure, organisational safeguards, personnel security arrangements and business continuity planning.

3. Incident reporting. Critical entities must report incidents that significantly disrupt, or risk disrupting, the provision of essential services within the prescribed timeframe.

Non-compliance with the duty of care and the obligation to report incidents carries the risk of administrative fines up to the greater of EUR 10 million or 2% of worldwide turnover in the preceding financial year. Other violations carry a fine of up to EUR 1 million. Critical entities facing incidents that affect national security may be subject to ministerial decision requiring them to exclude from their supply chains products or services supplied by high-risk actors.

What are the implications for your business?

Against this background, the Wwke raises several practical considerations for companies operating in potentially critical sectors, even before any formal designation decision is taken:

1. Assess early. Companies should assess at an early stage whether they are likely to fall within scope for designation. Sizeable businesses operating in sectors such as energy, transport, healthcare, water and digital infrastructure should monitor the commencement of sectoral risk assessments by the relevant ministries and consider the costs and benefits of providing input into those assessments, where opportunities for consultation arise. Early awareness of the likelihood that activities could lead to designation as a critical entity may provide valuable time to implement the required compliance measures without disruption to day‑to‑day operations.

2. Map compliance frameworks. For companies that may fall within scope, existing compliance and risk‑management frameworks may need to be reviewed and, where necessary, expanded. The Wwke’s obligations go beyond traditional health and safety or crisis‑management requirements and require a structured approach to physical security, organisational resilience, personnel security and business continuity. While the duty of care obligation is principle‑based, the explanatory memorandum makes clear that it is intended to translate into concrete organisational and technical measures tailored to the risks identified in the entity’s own risk assessment. For entities that are also subject to cybersecurity obligations under the Dutch Cybersecurity Act (Cyberbeveiligingswet), managing overlap and avoiding duplication will be an important practical challenge.

3. Engage proactively with the competent authorities. The Wwke explicitly envisages ongoing cooperation between competent authorities and designated critical entities. Once designated, entities can expect structured interaction with the relevant ministry, including the exchange of information and best practices, the development of guidance and methodologies, and participation in resilience‑testing exercises, training and advisory initiatives. Companies may therefore benefit from maintaining open lines of communication with the competent authorities and engaging constructively in these processes to ascertain the possibility of benefiting from exemptions, to support compliance and to ensure that sector‑specific operational realities are adequately reflected in the implementation of the regime.

4. Factor resilience obligations into transaction planning. Although the Wwke does not introduce a separate transaction approval regime, the designation of an entity as critical is likely to increase regulatory sensitivity around changes in control, governance or operational structure. The legislative materials emphasise the importance of interdependencies, continuity of essential services and control over critical infrastructure. In practice, transactions involving designated or potentially designated entities may therefore require enhanced regulatory analysis, longer deal timelines and closer engagement with public authorities, particularly in cross‑border contexts. Designation may also be relevant in parallel foreign investment screening assessments, where resilience, continuity and security considerations play an increasingly prominent role.

Looking ahead

The Wwke forms part of a broader package of EU‑driven resilience and security legislation and operates alongside the Dutch implementation of the NIS2 Directive in the Cyberbeveiligingswet. While NIS2 focuses on cybersecurity and network and information systems, the Wwke addresses non‑cyber risks, including physical security, organisational vulnerabilities, supply‑chain dependencies and business continuity.

The proposal is currently before the Dutch Senate, where the committees for Digitalisation and for Justice and Security will provide a report on 19 May 2026. Entry into force will be determined by Royal Decree and may occur in phases.

The legislation implements the EU’s Critical Entities Resilience Directive which entered into force at EU level in January 2023. Member States were required to transpose the Directive by 17 October 2024. The following month, the Commission reported that 24 Member States had failed to meet the deadline and on 29 April the Commission started infringement proceedings against 7 of those, including The Netherlands. The Wwke is therefore being adopted on a delayed timetable and under the threat of EU fines, which has increased political impetus for adoption.

We will continue to monitor the progress of the Wwke in the Dutch Senate and the interaction between the CER framework, NIS2 implementation and merger control and FDI screening regimes. If you would like to discuss how these developments may affect your business or a contemplated transaction, please get in touch.