
On 7 July, the Dutch Senate approved the Cyberbeveiligingswet (Cbw), the Dutch implementation of the NIS2 Directive, and the Critical Entities Resilience Act (Wwke), which implements the European Critical Entities Resilience (CER) Directive. This marks an important milestone in strengthening the Netherlands’ digital and physical resilience against growing cyber and security threats.
Both laws will enter into force on 15 August 2026. From that date, more than 8,000 organisations across the Netherlands, including ministries, municipalities, water authorities, provinces, independent administrative bodies and inter-municipal partnerships, will be required to comply with the new cybersecurity standards.
Furthermore, organisations subject to the Wwke will be formally designated as critical entities from 15 August. Read more about the Critical Entities Resilience Act (Wwke) (Dutch).
What are the implications of the Cyberbeveiligingswet for organisations?
Organisations subject to the Cyberbeveiligingswet (Cbw) must comply with several new legal requirements:
-
Register with the National Cyber Security Centre
Organisations must register in the Entities Register through the National Cyber Security Centre (NCSC). Preparing in advance is recommended to ensure a smooth registration process. Once registered, organisations can connect to the services of their designated Cyber Security Incident Response Team (CSIRT). CSIRTs provide threat information, practical guidance and incident support to help organisations strengthen their cyber resilience. Register here if your organisation is subject to the Cbw (Dutch)
-
Implement appropriate cybersecurity measures
Organisations are required to implement appropriate technical, operational and organisational measures to manage risks to their network and information systems. They must also prevent incidents where possible and minimise their impact if they occur. For public sector organisations, compliance with the Baseline Information Security Government (BIO) 2 is an important part of meeting these requirements.
-
Report major cybersecurity incidents
Major cybersecurity incidents must be reported to both the relevant CSIRT and the competent supervisory authority within the statutory reporting deadlines via the designated reporting portal. Report incidents here (Dutch).
-
Strengthen board-level responsibility
Ultimate responsibility for managing cyber risks rests with the organisation’s governing body. Board members must have sufficient knowledge (Dutch) to oversee cybersecurity risks and the effectiveness of security measures, and they are required to undertake appropriate training.
-
Supervision and enforcement
Compliance with the Cbw will be monitored by the designated supervisory authorities, including the Dutch Authority for Digital Infrastructure. These authorities are responsible for overseeing compliance and, where necessary, enforcing the legal requirements.



