Skip to main content

Cybersecurity Act finalized: effective August 15, 2026. What this means for your organization

Medewerker van Trust en Safety met een wit overhemd aan met een donkerblauw jasje eroverheen
Alan Lucas

News

As of August 15, 2026, the Dutch Cybersecurity Act (Cyberbeveiligingswet, Cbw) and the Critical Entities Resilience Act (Wet weerbaarheid kritieke entiteiten, Wwke) will take effect. With this, the Netherlands has transposed the European NIS2 and CER directives into national legislation, creating obligations for thousands of organizations. Digital resilience is no longer optional: cybersecurity, business continuity, incident handling and supplier risks must be demonstrably under control, and supervisory authorities will monitor compliance.

What is changing?

The Cybersecurity Act replaces the Network and Information Systems Security Act (Wbni) and applies to organizations that provide essential or important services in 18 sectors, including energy, drinking water, digital infrastructure, healthcare, government and transport. If your organization falls under the law, you will face four core obligations:

  • Registration obligation: you register your organization in the entity register through the National Cyber Security Centre (NCSC). After registration, you can use the services of the Computer Security Incident Response Team (CSIRT) for your sector. For most organizations, that is the NCSC. Think of threat information and support with security incidents.
  • Duty of care: you take appropriate measures to manage the risks to your network and information systems. From risk analysis and access management to backup, recovery and supply chain security.
  • Reporting obligation: you report significant incidents within strict deadlines: an early warning within 24 hours, a follow-up notification within 72 hours and a final report no later than one month after the first notification.
  • Management responsibility: management is ultimately responsible for cyber risk management. Board members must be able to assess risks and measures, and must follow appropriate training for this.

 

Important: organizations are responsible for assessing whether they fall under the law. The official self-assessment tool from the Dutch government helps with this. 

Even if you do not fall directly under the law yourself, tens of thousands of suppliers will still face the requirements through supplier assessments from customers that are subject to the Cbw. Cybersecurity becomes a condition for doing business.

What does this mean for Worldstream customers?

The new legislation requires organization-wide measures, from governance and training to technology. One service or supplier does not automatically make you compliant, and anyone who promises that deserves a critical look. What you can do is make sure the technical foundation of your resilience is demonstrably in order.

Five weeks may seem short, but the first steps are manageable. We will soon publish a practical checklist that helps you work step by step toward August 15.

More information about the legislation: https://www.ncsc.nl/nieuws/cbw-en-wwke-vanaf-15-augustus-2026-van-kracht