
The Dutch CISO's Guide to the Cyberbeveiligingswet

Docket Team

The Cyberbeveiligingswet Is Coming. Are You Ready?

If you're a CISO or compliance lead at a Dutch organization, you've probably heard about the Cyberbeveiligingswet (Cbw) — the Dutch transposition of the EU's NIS2 Directive.

But between the legal jargon, political delays, and conflicting guidance, it's hard to know what actually matters for your day-to-day work.

This guide cuts through the noise. It explains what the Cbw requires, who it applies to, and — most importantly — what you should be doing right now to prepare.

No fluff. No legalese. Just practical guidance from one security professional to another.


What Is the Cyberbeveiligingswet?

The Cyberbeveiligingswet is the Netherlands' implementation of EU Directive 2022/2555, commonly known as NIS2. It replaces the existing Wet beveiliging netwerk- en informatiesystemen (Wbni), which implemented the original NIS Directive.

Where NIS1 applied to a narrow set of "operators of essential services," NIS2 (and therefore the Cbw) dramatically expands the scope — more sectors, more organizations, and more obligations.

Key facts:

  • The Cbw transposes NIS2 into Dutch law
  • It replaces the existing Wbni
  • Parliamentary debate is scheduled for March 2026
  • Expected to take effect in Q2–Q3 2026
  • Applies to both "essential" and "important" entities across 18 sectors

The Cbw isn't a suggestion. Once in force, it carries real enforcement mechanisms, including administrative fines, binding instructions from supervisory authorities, and personal accountability for management bodies.


Does the Cbw Apply to Your Organization?

The Cbw applies to organizations that operate in one of 18 designated sectors and meet certain size thresholds. The directive distinguishes between essential entities and important entities — the obligations are largely the same, but the supervision regime and penalty caps differ.

Essential Entities (Essentiële entiteiten)

These are organizations in sectors considered critical to society. They face proactive supervision and higher penalty caps (up to €10 million or 2% of global annual turnover).

Sectors include: Energy, Transport, Banking, Financial market infrastructure, Healthcare, Drinking water, Wastewater, Digital infrastructure, ICT service management (B2B), Public administration, Space.

Important Entities (Belangrijke entiteiten)

These face reactive supervision (typically investigated after an incident or complaint) and lower penalty caps (up to €7 million or 1.4% of global annual turnover).

Sectors include: Postal and courier services, Waste management, Chemicals, Food, Manufacturing, Digital providers (online marketplaces, search engines, social networking platforms), Research.

Size Thresholds

Generally, the Cbw applies to organizations in these sectors that are:

  • Medium-sized or larger: 50+ employees, or annual turnover/balance sheet exceeding €10 million

Some entities are in scope regardless of size, including providers of DNS services, TLD name registries, trust service providers, and entities identified as critical by the government.

The Self-Assessment Obligation

Unlike many regulations, NIS2 (and the Cbw) places the responsibility on organizations to determine whether they fall within scope. There is no central registry you can check. You need to assess your own sector classification and size against the criteria.

If you're unsure whether your organization is in scope, assume it is and start preparing. The cost of preparation is far lower than the cost of being caught unprepared when the law takes effect.


What Does the Cbw Require?

The Cbw's obligations fall into two main categories: risk management measures (the "zorgplicht" or duty of care) and incident reporting.

The Zorgplicht: 10 Required Measures

Article 21 of NIS2 — transposed into the Cbw — requires organizations to implement "appropriate and proportionate" technical, operational, and organizational measures to manage cybersecurity risks. The directive specifies 10 categories of measures:

  1. Policies on risk analysis and information system security — You need documented policies governing how you identify, assess, and treat cybersecurity risks.

  2. Incident handling — Procedures for detecting, reporting, analyzing, and responding to security incidents.

  3. Business continuity and crisis management — Backup management, disaster recovery, and crisis management procedures for maintaining operations during and after an incident.

  4. Supply chain security — Security measures for your relationships with direct suppliers and service providers, including vulnerability management for third-party components.

  5. Security in network and information systems acquisition, development, and maintenance — Including vulnerability handling and disclosure.

  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures — You need to test and audit your own security measures regularly.

  7. Basic cyber hygiene practices and cybersecurity training — Security awareness training for staff, including management.

  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption — Documented approach to protecting data in transit and at rest.

  9. Human resources security, access control policies, and asset management — Managing who has access to what, and tracking your critical assets.

  10. Use of multi-factor authentication or continuous authentication solutions — Including secured voice, video, and text communications, and secured emergency communication systems where appropriate.

These aren't aspirational guidelines. They're legal requirements. Your organization needs to demonstrate — with evidence — that each of these areas is addressed.

Incident Reporting

The Cbw requires organizations to report significant cybersecurity incidents to their national CSIRT (NCSC-NL) following a three-stage timeline:

  • Early warning within 24 hours — A brief notification that a significant incident has occurred, including whether it's suspected to be malicious and whether it could have cross-border impact.

  • Incident notification within 72 hours — An updated assessment with initial findings, severity, impact, and indicators of compromise.

  • Final report within one month — A detailed report covering root cause, mitigation measures, and cross-border impact.

An incident is "significant" if it causes or is capable of causing severe operational disruption or financial loss, or considerable damage to other persons.

For a detailed guide on the 24-hour early warning process, see our companion resource: NIS2 Article 23: How to File a 24-Hour Early Warning.
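As an added example (not from the original guide or from Docket's product), here is a small Python tracker for the three reporting deadlines above. It models "within one month" as 30 days, which is an assumption of the example, and it refuses naive timestamps so the 24-hour clock cannot be skewed by a local-time/UTC mix-up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# The three Cbw/NIS2 reporting stages, measured from the moment the organization
# becomes aware of the significant incident. "Within one month" is modelled as
# 30 days here; that is an assumption of this example, not the statutory wording.
STAGES = (
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
)

@dataclass
class IncidentClock:
    aware_at: datetime                          # timezone-aware moment of awareness
    filed: dict = field(default_factory=dict)   # stage name -> datetime submitted

    def __post_init__(self):
        # A naive datetime silently mixes local time and UTC; refuse it outright.
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")

    def deadlines(self):
        return {name: self.aware_at + delta for name, delta in STAGES}

    def record_filing(self, stage, at):
        if stage not in dict(STAGES):
            raise KeyError(f"unknown reporting stage {stage!r}")
        self.filed[stage] = at

    def status(self, now):
        """Map each stage to (state, hours): hours left before the deadline (positive)
        or past it (negative), measured at filing time if filed, else at `now`."""
        result = {}
        for stage, deadline in self.deadlines().items():
            ref = self.filed.get(stage, now)
            hours = round((deadline - ref).total_seconds() / 3600, 2)
            if stage in self.filed:
                state = "filed_on_time" if hours >= 0 else "filed_late"
            else:
                state = "open" if hours >= 0 else "overdue"
            result[stage] = (state, hours)
        return result

    def next_due(self):
        """Earliest stage not yet submitted, or None once all three are filed."""
        pending = [name for name, _ in STAGES if name not in self.filed]
        return pending[0] if pending else None
```

Because a GDPR breach notification to the Autoriteit Persoonsgegevens runs on its own 72-hour clock, a real tracker would carry that as a separate, parallel stage rather than reuse the NIS2 one.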

Management Accountability

One of the most significant changes from NIS1 to NIS2: management bodies can be held personally accountable for ensuring cybersecurity risk management measures are implemented.

Under the Cbw, management must:

  • Approve the cybersecurity risk management measures
  • Oversee their implementation
  • Undergo cybersecurity training
  • Be liable for infringements

This means cybersecurity is no longer something the board can fully delegate to the IT department. The CISO's role becomes critical in bridging the gap between technical implementation and board-level oversight.


What You Should Be Doing Right Now

The Cbw hasn't taken effect yet, but that doesn't mean you should wait. Here's a practical prioritization for CISOs preparing their organizations:

Priority 1: Scope and Gap Assessment (Start immediately)

  • Confirm your organization is in scope. Assess your sector classification and size against the Cbw criteria. Document your reasoning.
  • Map your current state against the 10 zorgplicht measures. Identify which areas you already cover (even informally) and where the gaps are.
  • Identify your sectoral supervisor. Know who will oversee your organization once the Cbw takes effect (e.g., RDI for energy, IGJ for healthcare, ILT for transport, Agentschap Telecom for digital providers).

Priority 2: Incident Response Readiness (Q1–Q2 2026)

  • Register at mijn.ncsc.nl using your organization's eHerkenning credentials. Don't wait until you have an active incident to figure this out.
  • Establish or update your incident response procedure to include the 24h/72h/30-day reporting timeline.
  • Designate a reporting officer separate from your technical incident response lead.
  • Pre-draft your early warning template with organizational details already filled in.

Priority 3: Policy Documentation (Q2 2026)

  • Document your cybersecurity policies across all 10 zorgplicht categories. If you already have policies, review them against the specific NIS2/Cbw requirements.
  • Ensure policies are approved by management — this is an explicit requirement and demonstrates board-level oversight.
  • Establish an evidence trail. When the regulator asks to see your measures, you need more than a Word document on a shared drive. You need timestamped, attributed evidence of policy implementation, review, and updates.
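One way to build the timestamped, attributed evidence trail described above, as an added Python example that is not part of this guide or of Docket's product: an append-only log in which every entry names the actor, action, artefact, the zorgplicht measure it supports and the artefact's SHA-256, and is chained to the previous entry's hash so that any later edit, reorder or deletion is detectable. The sample entries and addresses are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry

def digest(entry: dict) -> str:
    # Canonical JSON so any tool recomputing the hash agrees byte for byte.
    return hashlib.sha256(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class EvidenceLog:
    """Append-only, hash-chained evidence trail. Each entry records who did what to which
    artefact, when, which zorgplicht measure it supports and the artefact's SHA-256; its hash
    also covers the previous entry's hash, so tampering with earlier entries is caught by verify()."""
    def __init__(self):
        self.entries = []

    def append(self, actor, action, artefact, artefact_bytes, measure, at=None):
        at = at or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries), "at": at.isoformat(),
            "actor": actor, "action": action,
            "measure": measure,  # 1..10: the Article 21 measure this evidence supports
            "artefact": artefact, "artefact_sha256": hashlib.sha256(artefact_bytes).hexdigest(),
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

def demo():
    log = EvidenceLog()  # constructed sample entries follow
    t = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
    policy = b"Access control policy v1.0 (constructed sample)"
    log.append("ciso@example.nl", "drafted", "access-control-policy.pdf", policy, 9, t)
    log.append("board@example.nl", "approved", "access-control-policy.pdf", policy, 9, t)
    log.append("hr@example.nl", "training-completed", "awareness-q2.csv", b"42 staff", 7, t)
    return log
```

The chain alone cannot detect truncation (silently dropping the newest entries), which is why the latest chain hash should be anchored externally, for example with an RFC 3161 timestamp or a copy in a write-once location.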

Priority 4: Supply Chain and Third-Party Assessment (Q2–Q3 2026)

  • Review your critical supplier relationships. Identify which suppliers have access to your network or information systems.
  • Assess supplier security posture. This doesn't require a full audit of every vendor — start with the ones that could cause the most damage if compromised.
  • Include cybersecurity requirements in contracts. New and renewed contracts with critical suppliers should include security obligations aligned with the Cbw.

Priority 5: Training and Awareness (Ongoing)

  • Brief your management body on the Cbw's requirements and their personal accountability.
  • Implement or update cybersecurity awareness training for all staff.
  • Document training completion — this is evidence of compliance with the basic cyber hygiene requirement.

Common Questions

Q: The Cbw isn't in force yet. Why should I act now?

Because incident response readiness and policy documentation take months to build properly. If you wait until the law takes effect, you'll be scrambling to implement while already subject to enforcement. The organizations that prepared early will be in compliance from day one. The ones that waited will be racing to catch up under regulatory scrutiny.

Q: We're already ISO 27001 certified. Are we covered?

Partially. ISO 27001 provides a strong foundation, but NIS2/Cbw has specific requirements that go beyond what ISO 27001 typically covers — particularly around incident reporting timelines (24h/72h/30d), management accountability, supply chain security, and the specific 10-measure zorgplicht framework. Use your ISO 27001 framework as a starting point, but don't assume it's sufficient without a gap analysis.

Q: What about GDPR? How does this overlap?

NIS2 and GDPR are separate regimes with separate obligations. A cybersecurity incident that involves personal data may trigger both NIS2 reporting (to NCSC-NL within 24 hours) and GDPR breach notification (to the Autoriteit Persoonsgegevens within 72 hours). These are separate filings to separate authorities. Your incident response procedure should address both in parallel.

Q: We're a subsidiary of a larger group. Do we report individually?

It depends on your organizational structure. If your subsidiary is independently in scope (meets the sector and size criteria on its own), it has its own reporting obligation. If compliance is managed centrally by the parent organization, the parent may report on behalf of subsidiaries — but each in-scope entity needs to ensure its own obligations are met. Clarify this with your group structure and legal counsel.

Q: What are the penalties?

For essential entities: up to €10 million or 2% of global annual turnover, whichever is higher. For important entities: up to €7 million or 1.4% of global annual turnover. Beyond fines, supervisory authorities can issue binding instructions, require specific remediation measures, and — in the case of essential entities — temporarily suspend certifications or authorizations.


The Bottom Line

The Cyberbeveiligingswet is not a theoretical future risk. It's a law that's about to take effect, with real enforcement mechanisms and real penalties. But it's also not an impossible compliance burden — especially if you start preparing now.

The organizations that treat this as an opportunity to strengthen their cybersecurity posture (rather than a box-ticking exercise) will be better protected and better positioned when the law takes effect.

Start with the basics: confirm your scope, assess your gaps, get your incident response ready, and document everything.


How Docket Helps

Docket is built specifically for NIS2 compliance — not retrofitted from a generic GRC platform.

  • Zorgplicht Dashboard maps your policies directly to the 10 Article 21 measures, showing your compliance posture at a glance
  • Incident Response Engine with the built-in 24h/72h/30d countdown and reportability decision tree
  • Evidence Vault with SHA-256 hashing and RFC 3161 timestamps — a tamper-proof record of your compliance activities
  • Policy Templates aligned to NIS2/Cbw requirements so you're not starting from a blank page
  • Audit-Ready Export that gives your supervisor exactly what they need, when they ask for it

Book a demo: dockethq.app


This guide reflects the NIS2 Directive (EU) 2022/2555 and the Dutch Cyberbeveiligingswet as proposed. Requirements may be subject to change following parliamentary debate and final adoption. This guide is provided for informational purposes and does not constitute legal advice. Consult your legal counsel for organization-specific compliance guidance.

Published by Docket — The NIS2 Incident & Evidence Platform dockethq.app | patrick@dockethq.app