2026 will probably challenge Dutch businesses with ongoing geopolitical tensions, regulatory changes and evolving boardroom expectations. General Counsel (GCs) must prepare for a continued focus on risk-oversight, compliance and governance. We highlight five essential themes for GCs to monitor, offering practical insights to help organisations navigate the year ahead.
1. Data, Privacy and Cybersecurity: a year of conclusions
2026 is expected to bring important clarity in the data and cyber domains. A key question remains as to what will remain of the Digital Omnibus, the European Commission’s proposal to streamline and simplify some major EU data laws such as the GDPR, the Data Act and the AI Act. At the same time, the European Data Protection Board has singled out GDPR transparency compliance as a coordinated enforcement priority for 2026, putting renewed focus on privacy notices, aimed to ensure that data subjects are duly informed about who is processing their personal data and for what purposes.
In Q2, the Dutch Cybersecurity Act (implementing the NIS2 and CER Directives) is expected to enter into force. Organisations in regulated sectors will face strengthened requirements on cyber-risk oversight and management, supply-chain controls and incident reporting. Executive directors must undergo training and may face liability for non-compliance — a point requiring early board attention for in-scope entities and those that are part of their supply chain.
2. AI governance becomes a real operational priority
2026 will be the first year companies must translate the AI Act into operational governance. Mapping AI use cases, assessing data inputs, updating procurement templates, introducing AI literacy for staff and setting up internal risk-oversight structures will be essential to prepare for phased regulatory obligations.
3. CSRD and CSDDD (Corporate Sustainability Reporting Directive and Corporate Sustainability Due Diligence Directive)
2026 may see the enactment of the Dutch CSRD (overdue) and CSDDD implementing acts. GCs may expect questions on the final laws and their interpretation during implementation projects, including training programmes to make sure everyone in the company, and especially directors, understand their evolving responsibilities.
4. Insolvency law reform with practical consequences
The EU Harmonisation Directive on Insolvency Law may be adopted in 2026. It will materially reshape Dutch insolvency legislation, inter alia, by introducing a duty to file, revising rules on detrimental acts, and reinstating a pre-pack proceeding. For GCs, this means awareness that directors will have a statutory duty to file, subject to certain exceptions, and that distressed M&A teams will find the pre-pack back in their toolkit. Implementation legislation is not expected earlier than 2027.
5. Board duties and governance rise across the board
Across cybersecurity, insolvency, AI and ESG, director duties and liability exposure will continue to expand. Also, the evolving U.S. Caremark decisions show the Delaware Court of Chancery is increasingly prepared to examine whether boards have effective oversight systems in place—particularly in areas of heightened regulatory and operational risk. Although Caremark is not directly applicable in the Netherlands and a deliberate failure to act is still required, given the authority of the Delaware court, Caremark’s focus on proactive monitoring, information flows and documented supervisory efforts may well influence governance norms in the Netherlands as well. GCs may expect similar expectations around demonstrable oversight, especially in domains such as cybersecurity, AI governance and supply-chain due diligence.
Continued attention for risk-oversight and risk-management will be key for 2026. Large companies could consider the formation of standing risk committees.
Conclusion: multiple spaces to watch
2026 will probably see some important developments: clarity in the cybersecurity space and, finally, implementing acts for CSRD and CSDDD. We expect that structured risk-oversight and risk-management will play a more important role and will require changes to internal governance and decision-making ensuring that such topics are not only dealt with by companies but are escalated to and safeguarded on a board-level.
