The Cybersecurity Act (Cbw): what does the Dutch NIS2 law mean for your organisation?

Compliance · 9 min read

Kees van der Vlies

Partner | IT Auditor


The European NIS2 directive has been in force since October 2024. Every EU member state must translate this directive into national legislation. In the Netherlands, that is the Cyberbeveiligingswet (the Dutch Cybersecurity Act, or Cbw). On 15 April 2026, the House of Representatives adopted the law. The expected entry into force is 1 July 2026. For organisations that fall under the law, this is the moment to get to work in concrete terms.

This article describes what the Cybersecurity Act entails, who falls under it, which obligations the law imposes, and what you need to do now to be prepared.

What is the Cybersecurity Act?

The Cybersecurity Act (Cbw) is the Dutch implementation of the European NIS2 directive. Where NIS2 sets out the European framework, the Cbw translates that into concrete Dutch law. The law replaces the current Network and Information Systems Security Act (Wbni) and expands the scope considerably. More sectors, more organisations and stricter requirements.

The aim of the law is clear: to increase the digital resilience of the Netherlands. Cyber incidents affect not only individual organisations but can disrupt entire chains and sectors. The Cbw therefore imposes minimum security requirements on organisations that play an important role in the economy and society.

Who falls under it?

The Cbw distinguishes two categories of organisations: essential and important. Essential are organisations in sectors such as energy, transport, banking, financial market infrastructure, healthcare, drinking water, waste water, digital infrastructure, management of ICT services (B2B), government and space. Important are organisations in sectors such as postal and courier services, waste management, the chemical industry, food, the manufacture of certain products (medical devices, electronics, machinery, motor vehicles), digital providers and research organisations.

In total, this concerns eighteen sectors. The threshold is a size of more than 50 employees or more than 10 million euros in annual turnover. But smaller organisations can also fall under the law if they fulfil a critical role in a chain. Consider a small IT service provider that is essential for the operation of a hospital or energy company.

An important difference from the current Wbni is that organisations must assess for themselves whether they fall under the Cbw. There is no longer a designation procedure. The law works on the basis of self-identification.

The three core obligations

The Cbw imposes three main obligations: the registration obligation, the duty of care and the reporting obligation.

Registration obligation

Organisations that fall under the Cbw must register with the National Cyber Security Centre (NCSC). This is an active obligation: you do not wait until you are designated, but you register yourself. The registration includes basic information about your organisation, your sector, your contact details and the services you provide. The registration obligation applies from the entry into force of the law.

Duty of care

The duty of care is the core of the law. Organisations must take appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems. The law lists ten categories of measures, which largely correspond to Article 21 of NIS2:

1. A policy on risk analysis and information system security.
2. Incident handling.
3. Business continuity, such as backup management, emergency provisions and crisis management.
4. Supply chain security.
5. Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
6. Policies and procedures to assess the effectiveness of measures.
7. Basic cyber hygiene practices and cybersecurity training.
8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
9. Security aspects concerning personnel, access control policies and asset management.
10. The use of multi-factor authentication, secured communication and, where appropriate, secured emergency communication.

The phrase "appropriate and proportionate" is crucial. The law does not expect a one-size-fits-all approach, but measures that fit the size, risk profile and nature of the organisation. A hospital needs different measures than a logistics company, but both must be able to demonstrate that they know and manage their risks.

Reporting obligation

Significant incidents must be reported to the NCSC. The law applies a phased reporting structure. Within 24 hours of discovering a significant incident, an early warning must be issued. Within 72 hours, an incident report follows with an initial assessment of the nature, severity and impact. Within one month of the report, a final report must be submitted with a detailed description of the incident, the cause, the measures taken and the cross-border impact.

An incident is significant if it can cause a considerable operational disruption of the service or financial losses for the entity concerned, or if it can affect other natural or legal persons by causing considerable material or non-material damage.

Supervision and enforcement

The Dutch Authority for Digital Infrastructure (RDI) will become the primary supervisor for the Cbw. In addition, there are sector-specific supervisors that oversee their own sector. The Authority for the Financial Markets (AFM) and De Nederlandsche Bank (DNB) remain responsible for the financial sector, where DORA also applies.

Supervision is risk-based. Essential entities are checked proactively, even without a concrete reason. Important entities are checked reactively, usually in response to an incident, report or signal.

Supervisors receive broad powers: carrying out audits, requesting information, issuing binding instructions and imposing sanctions.

Fines

The sanctions are substantial. For essential entities, a maximum fine of 10 million euros or 2% of global annual turnover applies, whichever amount is higher. For important entities, that is 7 million euros or 1.4% of global annual turnover.

Management liability

One of the most far-reaching aspects of the Cbw is management liability. Directors and supervisors of organisations that fall under the law can be held personally liable for failing to comply with the duty of care. This means that cybersecurity is no longer just an IT topic, but a management responsibility. Directors must approve the cybersecurity measures, oversee the implementation and follow relevant cybersecurity training.

Overlap with existing frameworks

Organisations that already work with ISO 27001, SOC 2, the BIO or DORA have a head start. The ten measures from the Cbw largely overlap with the controls from these frameworks. But there are specific additions that require attention.

The reporting obligation with the phased structure of 24 hours, 72 hours and one month is more specific than what most frameworks prescribe. The supply chain responsibility goes further than a standard supplier policy. And management liability is new for many organisations.

In practice, we see that organisations with an existing ISMS become compliant the fastest. The ISMS provides the foundation; the Cbw-specific requirements are implemented as an addition.

What should you do now?

Determine whether you fall under the Cbw. Assess your sector, size and role in the chain. When in doubt, err on the side of caution and assume that you fall under it.

Carry out a gap analysis. Compare your current security measures with the ten measures from the law. Identify where you already comply and where action is needed.

Set up the reporting procedure. Ensure you have a process to detect significant incidents and report them to the NCSC within the legal deadlines.

Involve the board. Ensure that directors understand what their responsibility is under the Cbw. Plan cybersecurity training for the board and document the governance.

Map your chain. Take inventory of your suppliers and the security measures assigned to them. Adjust contracts where necessary.

Register with the NCSC. As soon as the registration portal is available, register your organisation.

Start today

The Cbw is not a distant prospect. The law has been adopted and its entry into force is approaching. Organisations that start preparing now have sufficient time to get their affairs in order. Organisations that wait risk not only fines but also reputational damage and management liability.

Secure Audit helps organisations determine their Cbw scope, carry out gap analyses and implement the required measures. From registration and risk analysis to reporting procedures and board training. Get in touch for a Cbw readiness assessment.
