NIS2 & Cybersecurity Act

Compliance is no longer a choice.

In April 2026 the Dutch Parliament approved the Cybersecurity Act (Cyberbeveiligingswet, "Cbw"). It transposes EU NIS2 into Dutch law and introduces personal liability for board members. This is the brief we wish every Dutch scale-up read in 2025.

The law

The law that changed everything.

NIS2, the EU's Network and Information Security Directive, entered into force in January 2023, raising cybersecurity obligations across 18 sectors. Every member state was required to transpose it by October 2024. The Netherlands missed that deadline by 18 months.

In April 2026 the Dutch Parliament finally approved the Cybersecurity Act (Cyberbeveiligingswet, Cbw). The text closes the gap with Brussels but goes further: it codifies board-level accountability, 24-hour reporting, and direct oversight of managed service providers. The market gap between regulatory obligation and operational capability is exactly where Skales operates.

31%
of Dutch NIS2-in-scope organisations are fully compliant. (Source: Searchlab / NCSC)

24h
mandatory window to report a significant incident to the national authority under the Cbw.

+60%
increase in ransomware attacks targeting European organisations in 2024. (Source: Industry Today)

18mo
how long the Netherlands missed the EU NIS2 transposition deadline; enforcement is now active.

The bottom line: most Dutch companies are out of compliance, enforcement is now active, and the clock has been running since April 2026.

Timeline

How we got here.

Jan 2023

NIS2 enters into force EU-wide

Replaces the original NIS Directive. Expands scope to 18 sectors and raises the security & governance bar for all member states.

Oct 2024

Netherlands misses transposition deadline

National implementation does not arrive on time. In-scope companies are left in regulatory limbo.

May 2025

European Commission sends formal warning

Infringement procedure opened against the Netherlands and several other member states for non-transposition.

Apr 2026

Dutch Parliament approves Cybersecurity Act

Cyberbeveiligingswet (Cbw) is voted through. The Dutch transposition of NIS2, with personal board liability, becomes law.

Q2 2026 (now)

Act expected in force

National authority begins active oversight. Notification duties, registration and audit obligations apply.

Scope

Who is in scope.

Essential sectors
  • Banking & finance
  • Energy
  • Transport
  • Healthcare
  • Digital infrastructure
  • Public administration

Important sectors
  • Postal & courier
  • Waste management
  • Food production
  • Manufacturing
  • Online marketplaces
  • Research

Size threshold

50+ employees or €10M+ turnover

Any organisation in an in-scope sector that crosses these thresholds is automatically covered by the Cbw.

MSPs & suppliers

MSPs are directly in scope.

Managed service providers, including IT outsourcing partners, fall directly under the Act. If your IT partner isn't compliant, neither are you.

Obligations

What the law actually requires.

01 Risk assessment & duty of care (Technical)

Document, maintain and continuously update a cyber risk assessment proportionate to the size and exposure of the organisation. The "duty of care" is the legal anchor for everything else.

02 Board-level governance & personal liability (Governance)

The management board is legally responsible for cyber risk governance. Failure to oversee can trigger personal liability: fines and reputational sanctions land on individuals, not only the legal entity.

03 Incident reporting within 24 hours (Regulatory)

Significant incidents must be reported to the national authority within 24 hours of detection, followed by a detailed report within 72 hours. Late notifications are themselves a violation.

04 Supply chain security (Operational)

Organisations are accountable for the cyber posture of their critical suppliers (IT vendors, SaaS, MSPs). Contracts must reflect this, and evidence must be retained.

05 Identity, access & authentication controls (Technical)

MFA, least privilege and access certification are no longer best practice; they are baseline. Identity governance becomes the central control plane of compliance.

06 Registration with the national authority (Regulatory)

In-scope organisations must register with the designated Dutch competent authority and keep their contact and exposure information current. Non-registration is itself a sanctionable offence.

What we do about it

How Skales helps.

Assessment

Compliance baseline assessment

Two-week gap analysis mapped directly to NIS2 / Cbw articles. You leave with a prioritised, costed remediation plan.

Architecture

Identity & access control architecture

Okta or JumpCloud designed for IGA from day one. SSO, MFA, role-based access, joiner-mover-leaver controls.

Evidence

Compliance evidence package

Pre-built control mappings, screenshots, policies and reports, ready for auditors, investors and the regulator.

Response

Incident response readiness

Tested runbooks for the 24-hour reporting window, with a documented forensic chain of custody.

Monitoring

Continuous monitoring & access reviews

Quarterly access certifications, anomaly detection and SaaS discovery: compliance becomes a steady state.

Shared responsibility

Our boundary lines. Clearly drawn.

Compliance isn't a one-team show. We split the heavy lifting so there are no grey areas when the auditor arrives.

✓ The Skales Responsibility

We take 100% technical ownership of your employee workplace, device and identity layer.

◈ Endpoint Security

Fully managed macOS / iOS fleets. FileVault, OS patching, firewalls, remote-wipe. Real-time compliance dashboards.

◈ Identity & Access

Centralised IDP management. Phishing-resistant MFA, SSO, role-based scoping. Automated provisioning logs.

◈ Lifecycle Automation

Instant account de-provisioning the moment HR offboards. Tamper-proof timestamp logs showing immediate access revocation.

◈ SaaS Tenant Hardening

Google Workspace / M365 settings, DKIM / SPF / DMARC, data retention. Exportable baseline posture reports.

◈ Access Governance

System access matrices for quarterly reviews. Downloadable active-user logs ready for auditor sign-off.

× Your Team's Responsibility

You retain ownership of business operations and corporate governance. Clean lines, no ambiguity.

Production & Cloud Infrastructure

We do not configure or secure your AWS, GCP or Azure environments, or audit your source code repositories.

Corporate Policies & Governance

We give you the technical evidence. We do not write your ISMS, Business Continuity plans, or disaster recovery policies.

HR & Physical Security

We automate technical onboarding. Background checks, NDA signing, office keycard access and CCTV remain your HR team's responsibility.

24/7 SOC & Regulatory Reporting

We are not a 24/7 SOC. If an incident occurs, we provide the technical logs, but the obligation to report to the Autoriteit Persoonsgegevens within 24h stays with you.

The result: Enterprise-grade IT compliance without distracting your team from building your product.

Get clear on scope

Find out where you stand.

A 60-minute call. We tell you whether the Cbw applies, what's missing, and how long it takes to fix.

Book an IT maturity assessment