CRA for Dutch Manufacturers: NCSC, RDI and Rotterdam

Dutch manufacturers face the same CRA obligations as every other EU manufacturer, plus a national wrinkle most other Member States do not carry at the same scale: a large share of the country's product traffic is non-EU goods landed at Rotterdam, rebadged by a Dutch entity, and pushed into the rest of the EU. That puts a Dutch entity in the manufacturer role more often than the registered office suggests. This page is a country brief for the Netherlands: how vulnerability reports route through the post-merger NCSC, where RDI sits as notifying and market-surveillance authority, where RvA fits on accreditation, what Dutch-language obligations require, how the Rotterdam rebrand bridge swings the manufacturer line, and which 2026 funding programmes are realistic. For the full obligation set, see the manufacturer cluster guide and the importer cluster guide.

When this guide applies to you

You are the target reader if your manufacturer "main establishment in the Union" is in the Netherlands: the place where decisions related to the cybersecurity of your products with digital elements are predominantly taken. A Dutch-registered sales or holding entity with engineering offshore is not the main establishment. If your engineering team, your SDLC governance, and the people approving security-update releases sit in the Netherlands, this guide is for you.

If your main establishment is elsewhere in the EU and you only ship into the Netherlands, your CRA reports route through the CSIRT of your main-establishment Member State, not the Dutch NCSC. The Dutch-language obligation for user-facing information still applies for any product placed on the Dutch market.

This brief also speaks to a second audience: a Dutch entity that imports a non-EU product through Rotterdam and either resells it under its own brand or substantially modifies it before placement. That entity sits under the manufacturer regime via the CRA rebrand bridge, not the lighter importer regime. See the dedicated section below.

NCSC: the Dutch CSIRT route

CRA notifications route through the CSIRT designated as coordinator of the Member State where the manufacturer has its main establishment in the Union. For a manufacturer whose main establishment is in the Netherlands, that CSIRT is NCSC.

One change from the previous generation of Dutch cyber guidance matters for new readers. CSIRT-DSP had already been integrated into NCSC, and on 1 January 2026 the Digital Trust Center joined the strengthened NCSC. There is now a single national CSIRT for product manufacturers, essential entities, digital-service providers, and the SME audience the DTC used to serve. Older guidance that refers to a two-CSIRT model (NCSC-NL plus CSIRT-DSP) describes the pre-merger structure.

The technical channel for the 24h / 72h / 14d reporting cadence is the ENISA single reporting platform, which goes operational on 11 September 2026, alongside the Dutch national portal at mijn.NCSC.nl. A Dutch manufacturer files via the ENISA platform with NCSC as the receiving coordinator. CSIRT designation is the routing. The platform is the transport.

Notified bodies: RDI notifies, RvA accredits

Important Class I products need a notified body (Module B+C or Module H) only where harmonised standards, common specifications, or a certification scheme do not fully cover them. Important Class II products use a notified body (Module B+C or Module H) or an available and applicable certification scheme. Critical products (Annex IV) follow Article 32(4): the Article 8(1) certification route where the Commission has triggered it, otherwise the same Article 32(3) routes.

The Dutch institutional chain is a clean split:

• RvA (Raad voor Accreditatie) is the sole national accreditation body, with statutory status under the Wet aanwijzing nationale accreditatie-instantie. RvA accredits conformity-assessment bodies against ISO/IEC 17065:2012. Accreditation is the technical step.
• RDI (Rijksinspectie Digitale Infrastructuur) is the intended leading notifying authority that will formally register Dutch CRA notified bodies with the European Commission once the Dutch implementing act is final. RDI sits under Economische Zaken en Klimaat and absorbed this role from the former Agentschap Telecom. Notification is the legal step.

The CRA framework for notified bodies applies from 11 June 2026, after which notified bodies can begin issuing CRA conformity-assessment certificates. The Uitvoeringswet verordening cyberweerbaarheid is the Dutch instrument expected to put RDI in the notifying-authority seat. The bill is still in Tweede Kamer treatment as of late April 2026 and has not yet appeared in the Staatsblad. A Dutch manufacturer can use any EU-notified body, not only Dutch-notified ones. Final notifications appear in the European Commission NANDO database.

RDI: the CRA market-surveillance authority

The Uitvoeringswet verordening cyberweerbaarheid is expected to designate the Minister of Economic Affairs, in practice RDI, as the Dutch CRA market-surveillance authority. RDI would get formal supervision and enforcement powers, including administrative fining authority within the CRA's EU-level ceilings (up to EUR 15 million or 2.5% of global turnover, whichever is higher).

The Netherlands sits in the consolidated camp on this design, alongside Italian ACN, if the final text follows the bill. Spain (CCN + MTDFP) and France (ANSSI + ANFR) split the notifying and market-surveillance roles between separate institutions. A Dutch manufacturer would then have a single national counterpart for formal CRA correspondence: NCSC for the reporting flow, RDI for everything else.

Rotterdam and the importer angle

Rotterdam is the EU's largest port by goods throughput, with roughly 14.5 million TEU per year and the highest gross weight of non-EU imports across all EU ports. For products with digital elements, a meaningful share of EU first-placement happens here, often by a Dutch entity that buys finished goods from a non-EU supplier and pushes them into Belgian, German, French, and broader EU retail.

The CRA cares about the role you actually perform, not the role on your customs paperwork. Two operating patterns are common in Rotterdam-routed flows, and they land in different regimes:

• Pattern 1: you import a non-EU product and place it on the EU market unchanged, under the original manufacturer's brand. This is the importer regime. You run the four pre-market checks (conformity-assessment evidence, EU declaration of conformity, CE marking, manufacturer identity and address on the product), you remain in the fallback contact chain where the non-EU manufacturer is not contactable, and you hold technical documentation references for at least ten years. See the importer cluster guide.
• Pattern 2: you import a non-EU product, then rebrand it under your own name, change the intended purpose, or substantially modify it before first placement. This is the manufacturer regime via the CRA rebrand bridge. Your Dutch entity becomes the manufacturer. Manufacturer obligations attach in full, including essential-requirements compliance, technical documentation, conformity assessment, end-of-support disclosure, and the 24h / 72h / 14d reporting cadence.

A common confusion is treating Pattern 2 like Pattern 1 because customs paperwork shows "importer of record". CRA roles do not follow Incoterms. The moment the original brand is replaced by yours, or the original intended purpose changes, you are the manufacturer. Buyer-furnished SBOMs and CE markings from the non-EU supplier are inputs to your own technical documentation, not substitutes for it. The same logic applies to private-label retail: a Dutch retailer that ships products under its own brand carries the manufacturer regime regardless of where the hardware was produced.

Dutch-language requirements in practice

The CRA requires user-facing product information to be in a language easily understood by users and the local market-surveillance authority. For products placed on the Dutch market, that is Dutch (Nederlands). The Warenwet (Commodities Act) and the related sectoral product-information rules independently require Dutch on consumer-product naming, warranty terms, instructions for use, warnings, and product-property information.

Must be in Dutch:

• The user instructions and product information shipping with the product.
• The manufacturer contact details, wherever they appear.
• The end-of-support date disclosure shown at the point of purchase.
• Warranty terms and consumer-rights information that ships with the product.

Can be multilingual:

• The product label and CE marking.
• Packaging text.
• Online documentation, provided a Dutch version is reachable.

English is normally accepted for:

• B2B information between professional buyers where the parties have a stated working language.
• Internal technical documentation. RDI can still request a Dutch translation under reasoned request, so plan for that contingency.

Trademarks, customary scientific or technical terminology, and indications of product origin are exempt. The EU Declaration of Conformity may be drawn up in any EU official language. Frisian is co-official in Friesland, but the CRA does not require Frisian translation.

Selling cross-border from the Netherlands

Dutch manufacturers selling into Germany, Belgium, France, or any other EU Member State carry the same single-routing rule: your CRA reports still go to NCSC, because routing follows main establishment, not per-shipment destination. The language obligation does fan out per market. A product shipped into Germany needs German user-facing content, a product shipped into France needs French content. The Dutch-language pack does not cover those markets. Each receiving Member State's market-surveillance authority can also request your technical documentation in a language easily understood by that authority. Pre-stage the most-requested sections in a widely-used working language to absorb cross-border reasoned requests.

National funding programmes

The Dutch funding picture for CRA investment in 2026 has one large tax-credit programme, two SME innovation programmes, and a dedicated cybersecurity fund.

• WBSO (Wet Bevordering Speur- en Ontwikkelingswerk) is the R&D wage-cost tax credit administered by RVO. The 2026 budget is EUR 1.817 billion, with a 36% benefit on qualifying R&D wages up to EUR 391,020 (50% for starters). Security-by-design development, SBOM tooling, vulnerability-handling platforms, and CVD process design qualify when scoped as genuine R&D.
• MIT (MKB-Innovatiestimulering Regio en Topsectoren) funds SME innovation projects regionally, with feasibility studies and R&D-collaboration tracks in the EUR 20,000 to EUR 350,000 range.
• Innovation Box (Innovatiebox) is a reduced corporate-tax rate (effective 9%) on profits from qualifying innovation activities. It commonly stacks with WBSO.
• CIF-NL (Cybersecurity Innovation Fund) is the dedicated RVO subsidy line for cybersecurity-product innovation. The 2025-2026 call had a EUR 2.5 million envelope (EUR 60,000 to EUR 100,000 per project) focused on crypto-agility and accessibility. Applications closed on 10 February 2026. Watch RVO and the merged NCSC for follow-on calls.
• Dutch Herstel- en Veerkrachtplan (RRF) is in its closing NextGenerationEU window with execution due 31 August 2026 and final payment requests due 30 September 2026. It is not a viable planning vehicle for the 11 December 2027 CRA deadline.

For compliance investment dated against 11 December 2027, the realistic Dutch picture is WBSO plus MIT plus Innovation Box, with CIF-NL eligible for the genuinely innovative parts.

This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for specific CRA compliance guidance.