The Dutch Cybersecurity Act (Cyberbeveiligingswet) is the national implementation of the European NIS2 directive. This law requires organizations in essential and important sectors to strengthen their digital resilience. Through mandatory risk assessments, incident reporting, and registration, it enables both government and businesses to better manage cyber threats. It is a response to the growing risk of cyberattacks and helps prevent societal disruption caused by digital incidents.

What does the Act cover?

The Cybersecurity Act replaces the existing Network and Information Systems Security Act (Wbni) and significantly expands its scope. Organizations covered by the Act are classified as:

• Essential entities – such as energy providers, telecom operators, water companies, hospitals.
• Important entities – including digital service providers, transportation companies, and manufacturers in key supply chains.

The law applies to medium and large organizations (from 250 employees or €50 million in revenue), but smaller firms may also be included depending on their societal relevance.

Key obligations

Organizations under the Act must comply with three core requirements:

• Security obligation: Conduct a risk assessment and implement appropriate technical and organizational measures.
• Notification obligation: Report significant ICT incidents within 24 hours to the national CSIRT and relevant authorities.
• Registration obligation: Register in the NIS2 entity register with contact and sector details.

Supervisory bodies will oversee compliance, and non-compliance may result in fines or enforcement measures.

When does the Act take effect?

While the NIS2 directive became effective on 17 October 2024, the Dutch Cybersecurity Act is expected to come into force in Q3 or Q4 of 2025. In the meantime, voluntary registration is encouraged.

RiskStudio and the Cybersecurity Act

RiskStudio supports organizations in both preparing for and complying with the Cybersecurity Act. Our platform provides insight into digital risks within your organization and throughout your supply chain. You can see which suppliers may fall under NIS2, what risks they pose, and what actions are needed.

With features like cyber ratings, real-time alerts on vulnerabilities and incidents, and the ability to structure suppliers by critical assets or business units, RiskStudio enables you to take action. It’s not just about compliance—it’s about control, visibility, and resilience across your digital ecosystem.