What changes with the Cyberbeveiligingswet in mid-2026?
The Cyberbeveiligingswet is the NL transposition of NIS2. Entry into force is planned for the second half of 2026 per current plans. Four things change for in-scope mid-sized firms: registration, duty of care, reporting, board liability.
Try this first
- 1Registration: in-scope firms must register with the Dutch supervisor (sector dependent: RDI, IL&T, NZa, etc). Without registration you have no clarity on your obligations.
- 2Duty of care: appropriate technical and organisational measures. Risk analysis, incident response, supply-chain assessment, MFA, backup, awareness. Levels differ for essential vs important.
- 3Reporting: a significant incident requires an early warning to CSIRT within 24h, an incident notification within 72h, a final report within a month. Tight timelines.
- 4Board liability: directors are personally liable for follow-through on NIS2 and the Cyberbeveiligingswet. No more "leave it to IT". Board training is explicitly expected.
When to bring us in
The exact entry-into-force date and which supervisor covers which sector is not all final at time of writing. Follow the Digital Trust Center for current dates and guidance, we track it too.
See also
- I think I clicked a phishing linkNo shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangelySending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codesClassic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.