
Yesterday, the House of Representatives approved the Cyber Security Act.
That sounds like news. But the real question is: what does this mean for you in practice?
In a nutshell:
The Cbw (the Cyber Security Act) is the Dutch implementation of the European NIS2 Directive.
More than 8,000 organisations will soon be subject to stricter obligations.
Three obligations stand out:
👉 Duty of care: demonstrably having your security in order
👉 Reporting obligation: reporting significant incidents within 24 hours
👉 Board responsibility: cybersecurity becomes a board responsibility, with potential personal liability
The bill now goes to the Senate. The government aims for it to come into force in Q2 2026. Once the law comes into force, the obligations apply immediately.
No transition period.
What we are seeing in practice: many organisations are still waiting.
They underestimate the lead time for a NIS2 process.
Carrying out risk analyses, setting up governance, assessing supply chains, adapting processes: that takes months, not weeks.
Organisations that start now have a realistic chance of being compliant in time.
Those who wait until the law comes into force will start at a disadvantage.
One concrete step you can take today: check whether your organisation falls under the Cbw using the government’s self-assessment tool.
It takes five minutes and provides immediate clarity.