The die is cast: the House of Representatives has approved the Cybersecurity Act. This law is the Dutch implementation of the European NIS2 Directive and obliges thousands of organizations to structurally organize their digital resilience. This decision marks a major turning point, as cybersecurity has definitively shifted from an optional IT topic to a firm administrative responsibility and legal requirement.
But what does this law truly mean for your organization, and specifically for the way you interact with suppliers?
Administrative responsibility and a strict duty of care
The new Cybersecurity Act leaves little room for interpretation. Directors and management are explicitly held responsible for taking appropriate security measures and managing digital risks. Additionally, the law introduces a strict reporting obligation: in the event of a serious cyber incident, an initial warning must be issued to the competent authority within 24 hours.
Chain security is no longer a choice
One of the most impactful parts of this legislation is the explicit focus on supply chain security. The Dutch Authority for Digital Infrastructure (RDI), designated as the regulator, is crystal clear on this: organizations remain responsible for the risks that enter the organization through their suppliers and service providers.
You must know who your suppliers are and what risks they bring, and you must be able to demonstrate that you are actively managing those risks. Without this insight, you simply do not meet the legal duty of care.
Paper policies and questionnaires fall short
Supervision under the Cybersecurity Act will not be satisfied with an annually completed questionnaire. The RDI emphasizes that policy alone is insufficient and that organizations must continuously monitor their suppliers. Because threats, vulnerabilities, and digital dependencies change every day, continuous monitoring is necessary to adjust in time and provide accountability. Supplier management must shift from blind trust to up-to-date verifiability.
Get a grip on NIS2 with RiskStudio
The requirements from the coalition agreement and the Cybersecurity Act demand scalable, practical tools. RiskStudio helps organizations by replacing traditional, static questionnaires with a continuous, automated flow of information.
With our ‘outside-in’ approach, we monitor the digital footprint, vulnerabilities, and current incidents of your entire supplier ecosystem 24/7, without being dependent on their willingness to share data. This allows you to immediately identify which suppliers pose a risk and quickly detect incidents, which is essential to demonstrate that you have your supply chain under control according to NIS2 guidelines.
Time for action
The approval by the House of Representatives confirms that waiting is no longer an option. Organizations that start structurally implementing supplier monitoring and governance now are not only building compliance but also creating a more resilient organization.
Ensure you stay ahead. Want to know how your organization can take the first steps toward a NIS2-compliant supply chain in 60 minutes? Discover it today with RiskStudio.