What does the Cybersecurity Act entail?
The Cybersecurity Act is designed to enhance the digital resilience of organizations. The law must, among other things, require companies to take measures against cybersecurity risks and to report significant incidents to the government.
The law distinguishes between essential and important entities, based on sector and size of the organization. This distinction determines, among other things, the applicable supervisory regime.
Impact on Dutch organizations
It is estimated that over 8,000 organizations will fall under the scope of the Cybersecurity Act. This includes sectors such as energy, transport, healthcare, digital infrastructure, and financial services. For these organizations, the law means a significant expansion of their obligations in the field of cybersecurity.
Executives of these entities will have specific responsibilities, including approving security measures and overseeing their implementation. Additionally, they must have sufficient knowledge of cybersecurity risks. raadvanstate.nl
Expected Entry into Force and Political Context
Although the original plan aimed for entry into force in the third quarter of 2025, this has proven unfeasible due to recent political developments, including the fall of the cabinet on June 3, 2025. Caretaker Minister Van Weel (Justice and Security) now hopes that the law will come into effect in the second quarter of 2026.
The consideration of the draft law by the House of Representatives Committee on Digital Affairs is scheduled for June 18, 2025. Although it is unlikely that the law will be declared controversial, this process may affect further progress.
Preparation is Essential
Despite the delay in legislation, it is important for organizations to prepare in a timely manner for the upcoming obligations. The risks that organizations face are already present. The Dutch government therefore urges organizations to prepare for the arrival of these laws and the underlying regulations. They are also taking steps for this; on the NCSC website, a detailed action plan can be found.
Cybersecurity Act Focuses on the Future
The Cybersecurity Act marks an important step in strengthening the digital resilience of the Netherlands. For organizations, this means an expansion of responsibilities and obligations in the field of cybersecurity. It is essential that organizations proactively prepare for the upcoming changes to meet the new requirements and to protect their digital infrastructure against increasing cyber threats.
