In April 2026 the Dutch Parliament approved the Cybersecurity Act (Cyberbeveiligingswet, "Cbw"). It transposes EU NIS2 into Dutch law and introduces personal liability for board members. This is the brief we wish every Dutch scale-up read in 2025.
NIS2 — the EU's Network and Information Security Directive — entered into force in January 2023, raising cybersecurity obligations across 18 sectors. Every member state was required to transpose it by October 2024. The Netherlands missed that deadline by 18 months.
In April 2026 the Dutch Parliament finally approved the Cybersecurity Act (Cyberbeveiligingswet, Cbw). The text closes the gap with Brussels but goes further: it codifies board-level accountability, 24-hour reporting, and direct oversight of managed service providers. The market gap between regulatory obligation and operational capability is exactly where Skales operates.
The bottom line: most companies are out of compliance, half don't know it, and the clock is now running publicly.
NIS2 replaces the original NIS Directive. It expands the scope to 18 sectors and raises the security and governance bar for all member states.
National implementation does not arrive on time. In-scope companies are left in regulatory limbo.
Infringement procedure opened against the Netherlands and several other member states for non-transposition.
Cyberbeveiligingswet (Cbw) is voted through. The Dutch transposition of NIS2 — with personal board liability — becomes law.
National authority begins active oversight. Notification duties, registration and audit obligations apply.
Any organisation in an in-scope sector that crosses these thresholds is automatically covered by the Cbw.
Managed service providers — including IT outsourcing partners — fall directly under the Act. If your IT partner isn't compliant, neither are you.
Document, maintain and continuously update a cyber risk assessment proportionate to the size and exposure of the organisation. The "duty of care" is the legal anchor for everything else.
The management board is legally responsible for cyber risk governance. Failure to oversee can trigger personal liability — fines and reputational sanctions land on individuals, not only the legal entity.
Significant incidents must be reported to the national authority within 24 hours of detection, followed by a detailed report within 72 hours. Late notifications are themselves a violation.
Organisations are accountable for the cyber posture of their critical suppliers — IT vendors, SaaS, MSPs. Contracts must reflect this, and evidence must be retained.
MFA, least privilege and access certification are no longer best practice — they are baseline. Identity governance becomes the central control plane of compliance.
In-scope organisations must register with the designated Dutch competent authority and keep their contact and exposure information current. Non-registration is itself a sanctionable offence.
Two-week gap analysis mapped directly to NIS2 / Cbw articles. You leave with a prioritised, costed remediation plan.
An Okta or JumpCloud identity platform designed for IGA (identity governance and administration) from day one: SSO, MFA, role-based access and joiner-mover-leaver controls.
Pre-built control mappings, screenshots, policies and reports — ready for auditors, investors and the regulator.
Tested runbooks for the 24-hour reporting window, with a documented forensic chain of custody.
Quarterly access certifications, anomaly detection and SaaS discovery — compliance becomes a steady state.
A senior security voice in your board pack — translating the regulator's language into operational decisions.