
On Wednesday, 15 April, the House of Representatives adopted the legislative proposal for the Cybersecurity Act. The bill will now be considered by the Senate. The Cybersecurity Act is expected to enter into force in Q2 2026. This means that organisations falling within its scope must comply with all statutory obligations from that moment onwards. It is therefore advisable to take action now and conduct a final review to assess which matters may need to be addressed (with urgency) in the coming months.
The Cybersecurity Act introduces a range of obligations. In broad terms, these consist of a duty of care, a notification obligation, various governance requirements (including training obligations and risk management duties), and a registration obligation.
Like the GDPR and the AI Act, the Cybersecurity Act is risk-based in nature. The key requirement is therefore that you assess whether you have visibility over all IT and OT risks within your organisation. Have all your systems and suppliers been fully mapped? Have risk assessments been carried out? And have plans been developed to mitigate high risks? If so, you are well on your way. It is also essential that the management body is able to adequately oversee this process. This does not require involvement at a detailed operational level, but it does require enough insight to remain informed about the risks present, determine the risk appetite, and decide on the necessary mitigating measures.
In addition, it is important that the required policy documents within your organisation have been drafted, adopted, and implemented, and that supporting processes are actually functioning (such as the business continuity plan or the incident reporting process). From a practical perspective, this also means ensuring that appropriate technical and organisational measures have been implemented to secure your IT and OT systems. This includes basic cyber hygiene measures, amendments or additions to contractual arrangements, and appropriate measures relating to personnel.
Do not overlook the mandatory training for directors and the obligation to register your organisation. These are “quick wins” with a clear black-and-white character: your organisation either complies with these legal requirements or it does not. For that reason alone, it is advisable to complete these steps in the short term.
Do you still have outstanding actions, or are you unsure where to begin? A useful step-by-step guide is available on the Dutch central government website. We are also, of course, happy to assist you further. Please feel free to contact us.
P.S. Unsure whether your organisation falls within the scope of the Cybersecurity Act? Please consult the information provided by the NCSC and/or the Dutch government’s NIS2 self-assessment tool, and do not hesitate to contact us if you have any questions.