Prepare for the new cybersecurity regulations

New, stricter rules for digital security are coming. These are based on the European Network and Information Security Directive (NIS2). The rules should ensure that digital attacks do not bring society to a standstill. Many companies and organisations, both large and small, will have to deal with the new law. Find out what it is and what you need to do to be ready for it.

What is the Cybersecurity Act?

The Cybersecurity Act (Cyberbeveiligingswet, CBW, in Dutch) is a new Dutch law that requires companies to properly secure their digital systems. With good security, they are better able to deal with threats from cyber criminals, such as DDoS attacks. The CBW is the Dutch implementation of the European NIS2 directive. NIS2 came into effect on 17 October 2024 as the successor to the NIS directive.

When will the Cybersecurity Act take effect?

The Cybersecurity Act is likely to take effect in the second quarter of 2026. This article will be updated when more information is known about the date. The law has already been delayed several times, as transposing NIS2 into the CBW is taking longer than expected. Do not wait for the law to apply. Prepare for the new rules now.

Who does the Cybersecurity Act apply to?

The CBW applies to organisations and companies in sectors that are important to the Netherlands. For example, energy companies, hospitals, or banks. These types of organisations belong to what are called critical sectors. If, for example, an energy company goes down due to a cyberattack, it is immediately a big problem for the country. Usually these are large or medium-sized companies with at least 50 employees and an annual turnover of more than €10 million. But the Cybersecurity Act can also apply to small and micro companies. And even if the law does not apply to you, you may have to deal with the stricter cybersecurity requirements.

Use the NIS2 self-assessment tool (in Dutch) to check whether your company is likely to fall under the CBW.

Small businesses

The government minister responsible for your sector may decide that your small business does fall under the CBW. For example, because you provide a service that is important to the Dutch economy or society. If this is the case, you will be informed.

Some small companies always fall under the Cybersecurity Act (in Dutch). For example, trust service providers, top-level domain name registries, and domain name registration service providers. For these companies, neither the number of employees nor the annual turnover is relevant.

Are you a supplier for a CBW company? Then you must prove that your company's cybersecurity is in order.

Be prepared

Do not wait for the CBW to take effect to make sure you are ready. It takes time to comply with the regulations. Check what you need to do if you are subject to the CBW yourself, or if you are a supplier to a CBW company. And keep in mind that the proposed rules may still change.

The Cybersecurity Act applies to my company

If your company falls under the CBW, the following applies to you:

I am a supplier for a CBW company

Do you supply a product or service to a company or organisation covered by the Cybersecurity Act? Then that company is required to check that your cybersecurity is in order, to ensure that their supply chain is digitally secure. Requirements may differ between CBW companies, so discuss this with them. You can, for example, expect the following questions about your cybersecurity:

  • Do you follow official information security rules such as ISO 27001?
  • Have you set out in writing how you deal with risks from digital threats?
  • Do you use two-factor authentication (2FA) for all your accounts?
  • Do all your systems receive regular security updates?
  • Is antivirus software running on all your systems?
  • How quickly do you report a cyber-attack or security breach to your customers?
  • Who checks your digital security, and how often?
  • Do you regularly back up important company data?
  • Do you have a business continuity plan (BCP)?
  • Do your employees attend cybersecurity training?
  • Do you ever commission a pen test to test your cybersecurity?
  • Do you take measures to prevent phishing?

Read more about the requirements of the European NIS2 directive and about cybersecurity.