The Cyber Security Act: a new legal foundation for digital resilience
The hack on the Public Prosecution Service in June 2025 once again demonstrates how vulnerable socially important organisations are to cyber attacks, and underlines the need for these organisations to properly organise and secure their information provision.
This need is addressed by the revised Network and Information Security Directive (EU 2022/2555; “NIS2 Directive”). The NIS2 Directive obliges Member States to adopt national legislation that guarantees a high level of cybersecurity for entities in essential and important sectors. In the Netherlands, the NIS2 Directive is being implemented in the Cybersecurity Act. The proposal for this new act was submitted to the House of Representatives on 2 June 2025.
The purpose of the Cybersecurity Act is to strengthen the obligations for entities in sectors of social or economic importance. In addition, the Act enshrines administrative responsibility and regulates supervision, enforcement and cooperation with so-called Computer Security Incident Response Teams (CSIRTs). These are specialised teams responsible for detecting, analysing, mitigating and resolving security incidents. The Cyber Security Act replaces the current Network and Information Systems Security Act.
The Cyber Security Act is expected to come into force in early 2026. The national government advises not to wait until the new Act comes into force. After all, the risks to organisations and systems already exist today. Want to take action now and prepare for the Cyber Security Act? We outline the most important obligations below.
Scope of the Cyber Security Act
The Cyber Security Act applies to essential and important entities. These are entities that operate in sectors of particular social or economic importance. Examples of essential and/or important entities include:
- Energy companies;
- Hospitals and healthcare institutions;
- Drinking water suppliers;
- Cloud and data centre services;
- Digital service providers;
- Financial institutions; and
- Government organisations.
Main obligations under the Cybersecurity Act
The Cybersecurity Act has three main obligations, which are based on the NIS2 Directive:
- Duty of care (Article 21 of the Cybersecurity Act; Article 21 of the NIS2 Directive)
Essential and/or important entities must take appropriate measures to mitigate cyber risks. The Cybersecurity Act lists minimum measures and provides scope for sector-specific implementation through general administrative measures or ministerial regulations (Article 21(1)-(5)).
- Notification obligation (Article 25 et seq. of the Cybersecurity Act; Article 23 of the NIS2 Directive)
Significant incidents must be reported to a CSIRT and the competent authority (varies per sector and type of entity). The reporting takes place in phases: first, a warning is submitted, possibly followed by an interim update, and finally a final report is produced.
- Administrative responsibility (Article 24 of the Cybersecurity Act; Article 20 of the NIS2 Directive)
Managers of essential and/or important entities are given explicit tasks: they must establish cybersecurity policies, monitor their implementation, and undergo further training in the field of cybersecurity and risk management.
The first main obligation, the duty of care, comprises ten minimum measures that organisations must take to protect their network and information systems. These measures form the core of the duty of care and are essential for structurally safeguarding the digital resilience of organisations. In short, entities must:
- Draw up, maintain and periodically evaluate policies for the management of digital risks and the security of the information system.
- Implement security aspects for personnel, access policy and asset management.
- Establish procedures for business continuity, incident recovery and crisis management.
- Implement policies and procedures for the detection, reporting and handling of cyber incidents.
- Provide basic cyber hygiene and awareness training and education to employees.
- Ensure security in the acquisition, development and maintenance of network and information systems.
- Establish and implement measures relating to supply chain security and supplier relationships.
- Draw up policies for the use of cryptography and encryption (including key management).
- Draw up policies for access management and access control, whereby access to systems and data is restricted to authorised persons, for example through the use of multi-factor authentication.
- Draw up policies and procedures to assess the effectiveness of the measures taken and to review them regularly.
Preparing for the Cyber Security Act
In preparation for the ten measures, organisations are advised to do the following now:
- Check whether they fall under the definition of an essential or important entity, and thus within the scope of the Cybersecurity Act;
- Start drafting or updating their cybersecurity policy;
- Join a CSIRT; and
- Prepare internally for reporting procedures and audits.
Although the Cybersecurity Act has not yet entered into force, essential and important entities can already register with a CSIRT. For digital service providers, there is the CSIRT-DSP, for healthcare institutions there is Z-CERT, and for other sectors there is the National Cyber Security Centre (NCSC).
Registration with a CSIRT provides access to:
- Incident response, which helps to limit the impact of a cyber incident, analyse the cause, prevent further damage and restore affected systems;
- Early warnings about current threat information and cyber threats, such as new malware variants, phishing campaigns, and vulnerabilities in software or systems; and
- Technical analysis and support in the event of suspicious or harmful cyber incidents.
The Cyber Security Act introduces a number of new obligations. We will keep you informed of developments via this website.
Do you have any questions about how the Cyber Security Act will apply to your organisation, or would you like to take preparatory measures? Please feel free to contact Bente van Kan, Machteld Robichon or Ole Oerlemans.
