The House of Representatives has passed the Cybersecurity Act.
Nine days ago, on 15 April.
The Senate is next. Entry into force: Q2 2026.

But here lies the point that many organisations have not yet fully grasped: under the Cybersecurity Act, cybersecurity explicitly becomes a board responsibility.

Board members can be held personally liable.
Not the CISO. Not IT. The board.

And what will that director do when the regulator comes calling?
They don’t want a PowerPoint with green ticks. They want to see that risks, measures and ownership have been documented in a traceable manner.

That decisions are substantiated.
That there is an ongoing process, not just an annual refresher.

In most organisations I speak to, that information does exist.
Scattered across four or five systems, with an ISO coordinator manually keeping it all together.

That works, until someone asks probing questions about a specific measure. Then it becomes clear how much relies on personal knowledge.

IRM360 makes that coherence structural. Risks, measures, burden of proof and regulatory compliance in a single PDCA cycle, so that demonstrability is not a project but a by-product of how you work.

The Cbw is no longer a distant prospect. The question is not whether you fall under its scope, but whether you can demonstrate that you have it under control.