
Cybersecurity Act 2026: what the NIS2 directive means for your business

By Zarioh Digital Solutions·9 April 2026

On 1 July 2026, the Dutch Cybersecurity Act (Cyberbeveiligingswet) is scheduled to enter into force as the national implementation of the European NIS2 directive. The law obliges organisations in critical sectors to demonstrate a minimum level of cybersecurity, with a registration requirement, incident reporting obligations and a board-level duty of care. SMEs that are not directly in scope will also feel the effects through their customers. Here is what you need to know.

After years of preparation and delay, the Dutch Cybersecurity Act is expected to take effect on 1 July 2026. The law is the national translation of the European NIS2 directive, which significantly raises the bar for cybersecurity across the EU. Where the original NIS directive from 2016 had a limited scope, NIS2 is considerably broader.

The core of the law is straightforward: organisations in critical and important sectors must be able to demonstrate that they take their digital resilience seriously. That they know what risks they face, that they have taken appropriate measures and that they report incidents promptly. Those who cannot demonstrate this risk fines and liability at board level.

Who falls directly under the law?

The Cybersecurity Act distinguishes between essential entities and important entities. Essential entities are large organisations in sectors such as energy, transport, water, finance, healthcare, digital infrastructure and government services. Important entities are medium-sized organisations in the same and related sectors, supplemented by postal and courier services, waste management, chemicals and the food industry.

The threshold for direct applicability is the medium-sized enterprise: organisations with at least fifty employees, or an annual turnover or balance sheet total exceeding ten million euros, operating in the named sectors. One caveat: NIS2 brings certain entity types into scope regardless of size, such as DNS service providers, top-level domain name registries and trust service providers, so a small organisation in one of those categories cannot rely on the size threshold alone. Other smaller organisations fall outside the direct scope in principle, but that does not mean they can ignore the law.

Why does NIS2 also affect SMEs?

The Cybersecurity Act introduces chain responsibility. Organisations directly under the law are required to assess and safeguard the cybersecurity of their suppliers and service providers. This means that a large hospital, an energy company or a government institution will henceforth set higher requirements for their IT suppliers, software vendors and other partners in their chain, regardless of the size of those partners.

For SMEs supplying sectors that fall under NIS2, the practical message is clear: expect your clients to ask about your security measures, incident procedures and patch management. Those who cannot provide a good answer risk being excluded or replaced by a party that can.

What are the three core obligations?

The law has three main obligations for in-scope organisations. First, a registration requirement: organisations must register in an entity register maintained by the competent supervisory authority. Second, an incident reporting obligation: significant incidents must be reported to the Computer Security Incident Response Team (CSIRT) and the supervising authority in stages, as laid down in the NIS2 directive: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. The 24-hour deadline therefore applies to the first notification, not to a complete analysis. Third, a duty of care: organisations must take appropriate and proportionate technical and organisational measures based on a risk analysis.

What does the duty of care concretely entail?

The NCSC describes ten minimum measures that form part of the duty of care: conducting a risk analysis and establishing an information security policy, a business continuity and recovery plan, access and authorisation management, the use of multi-factor authentication, supply chain security, the use of encryption for sensitive data, employee security awareness training, keeping systems up to date through patch and update management, procedures for reporting and handling incidents, and securing the procurement, development and maintenance of network and information systems.

What changes is that these measures must now be demonstrable to a supervisor. Documentation, policy and proof of implementation (for example, an access-rights review log, MFA enforcement reports or a tested recovery plan) therefore become central: a measure that exists only in practice, without evidence, will not count in an audit.

What are the consequences of non-compliance?

The Cybersecurity Act has substantial enforcement powers. For essential entities, maximum fines can reach 10 million euros or two percent of global annual turnover, whichever is higher. For important entities the maxima are 7 million euros or 1.4 percent of global annual turnover, again whichever is higher. The law also makes the management body responsible: directors must approve the security measures and oversee their implementation, and can be held personally liable if they have been demonstrably negligent in that supervisory role. Cybersecurity is no longer a technical subject that can simply be delegated to the IT department; it has become a board-level responsibility.

What can you do now?

The NCSC explicitly advises organisations not to wait for the law to enter into force. The risks exist now, and starting early allows measures to be implemented carefully rather than under time pressure.

A practical first step is a gap analysis: where does your organisation stand relative to the ten duty-of-care measures, and what is still missing? You then draw up a priority list and start with the measures that deliver the greatest risk reduction.

Zarioh helps SME organisations map their security posture in the context of the Cybersecurity Act and implement the measures needed to meet both the law and the requirements of clients. Get in touch for a no-obligation conversation about your situation.
