Directors and the Cyber Security Act

Machteld Robichon & Bente van Kan & Ole Oerlemans
30 Oct 2025

The Cyber Security Act (Cyberbeveiligingswet; Cbw) is expected to come into force in the second quarter of 2026. The aim of the Cbw is to strengthen the cyber security obligations of entities in sectors of social or economic importance. The Cbw also contains provisions on supervision and enforcement, and imposes additional responsibilities on the directors of so-called essential and important entities.

In this blog, we discuss the responsibilities of directors of so-called essential and important entities. We examine what the Cbw requires of directors, what knowledge and skills they must possess, and how they can divide their tasks with, for example, the Chief Information Security Officer (CISO).

The role and obligations of directors

The Cbw makes directors ultimately responsible for compliance with all obligations under the Cbw. Among other things, directors must ensure that the organisation is registered with the digital desk of the National Cyber Security Centre. Directors also maintain contact with the supervisory authorities and Computer Security Incident Response Teams (CSIRTs) when significant incidents occur. They identify the relevant cyber risks, establish appropriate control measures, approve them and actively supervise their implementation.

Responsibility lies with the formal board or, in the case of a one-tier board, with the executive directors. In other legal forms, responsibility rests with the de facto directors. For government agencies, the minister, the mayor and aldermen or the executive committee are responsible.

Required knowledge and skills

Directors can only make sound decisions if they have sufficient knowledge of cyber security. They are therefore required to undergo regular cyber security training. This training requirement enables them to understand risks, to assess measures and their impact, and to make informed decisions. From the date on which the Cbw enters into force, there will be a transition period of two years (or, for newly appointed directors, two years after taking office). After that, directors must be able to demonstrate that they keep their knowledge up to date, for example by completing certified training courses.

Every director must have the knowledge and skills to:

  • Identify risks to the security of network and information systems;
  • Assess risk management measures; and
  • Assess the consequences of the risks and risk management measures for the provision of services.

In practice, this means that directors must:

  • Recognise and interpret typical threats and vulnerabilities, such as malware and ransomware, phishing, insider threats, supply chain risks, distributed denial of service (DDoS) attacks, misconfigurations and third-party dependencies;
  • Have an understanding of the risk management process: how risks are identified, analysed, prioritised and addressed, how the risk register and reporting lines function, and what risk appetite and thresholds the organisation applies; and
  • Be able to assess and prioritise risk management measures and weigh their impact against effectiveness, proportionality and costs.

The precise knowledge requirements may be further elaborated by order in council.

Specific board tasks

In addition to the requirements regarding knowledge and training, the Cbw also prescribes what directors must do in practice. The most important board tasks are:

  1. Integrating cyber risk management
  • Cyber security is a core component of the risk strategy.
  • The board is ultimately responsible for an effective risk management process that is continuously monitored and improved.
  2. Establishing and approving policy
  • The board establishes and approves the information security policy.
  • The policy covers preventive measures, incident response, training and supply chain security.
  3. Incident management and reporting obligation
  • The board ensures that there is a well-designed incident response procedure that also covers Operational Technology (OT) systems. A vulnerability in IT can have direct consequences for physical processes in OT. Directors must therefore ensure an integrated approach, in which incident response also covers OT scenarios and the risks from both domains are managed in conjunction.
  • Significant incidents are reported in a timely manner to the supervisory authorities and CSIRTs.

The role of the CISO

Many organisations appoint a CISO to implement and interpret their cyber security policy. Appointing a CISO is not mandatory under the Cbw, but it is advisable for large organisations.

The board remains ultimately responsible for compliance with the Cbw, with the CISO providing support. For example, a CISO can:

  • Advise: translate technical risks into strategic and operational impact;
  • Coordinate: monitor the implementation and progress of measures; and
  • Monitor: assess compliance with policy and report periodically.

Liability

Directors who fail to take sufficient responsibility for compliance with and implementation of the Cbw run the risk of being held liable under civil law. In addition, the supervisory authorities may take enforcement action against them.

Conclusion

The Cbw makes cyber resilience a key priority for directors. The new law brings many new obligations, responsibilities and risks for directors of essential and important entities. It is therefore important for directors to inform themselves and to prepare in good time.

Would you like to know what obligations apply to you as a director and how you can protect your organisation and yourself legally? Please contact Bente van Kan, Machteld Robichon or Ole Oerlemans.
