The scope of the Cyber Security Act
Following the hack on the Public Prosecution Service, another major hack took place in the summer of 2025, this time on the Clinical Diagnostics medical laboratory. The hack resulted in the theft of the medical data of almost half a million women. Such organisations in the healthcare sector may fall within the scope of the upcoming Cybersecurity Act (“Cbw”).
In this blog, we will therefore zoom in on this scope and discuss which entities will soon have to comply with the Cbw.
Step 1: identifying essential and important entities
The Cbw implements the NIS2 Directive. The obligations in the NIS2 Directive apply to essential and important entities. These are entities that operate in sectors of particular social or economic importance, such as energy companies, data centres and hospitals. Entities that are considered essential or important in any case are listed in Annexes I and II to the NIS2 Directive.
The various sectors covered by the scope of the Cbw are listed in Annexes 1 and 2 to the Cbw. The annexes largely correspond to the annexes to the NIS2 Directive:
- Entities in the following sectors may qualify as essential entities (Annex 1 Cbw):
  - Energy (electricity, gas, oil);
  - Drinking water supply;
  - Transport (aviation, rail, shipping, road transport);
  - Healthcare (hospitals, laboratories, clinics);
  - Digital infrastructure (cloud, data centres, internet hubs);
  - Government organisations and public administration; and
  - Financial sector (banks, market infrastructures, insurance companies).
- Entities in the following sectors may qualify as important entities (Annex 2 Cbw):
  - Postal and courier services;
  - Food production, processing and distribution;
  - Chemical industry;
  - Waste and wastewater management; and
  - Digital platforms and marketplaces.
Step 2: determining the size of the organisation
Whether an entity falls under the Cbw depends not only on the sector, but also on the size of the organisation. The Cbw distinguishes between micro, small, medium-sized and large organisations:
| Category | Criteria | Application of the Cbw |
| --- | --- | --- |
| Micro and small organisations | Fewer than 50 employees and annual turnover or balance sheet total ≤ £10 million | In principle outside the scope, unless: • Crucial role in a vital sector (e.g. sole provider) • Designated by a government department |
| Medium-sized organisations | 50–249 employees, or annual turnover or balance sheet total ≤ £50 million | Always fall under the Cbw |
| Large organisations | ≥ 250 employees, or annual turnover > £50 million or balance sheet total > £43 million | Always fall under the Cbw |
Step 3: does an exception or special provision apply?
For some entities, the Cbw itself determines whether they fall within its scope, regardless of the type of sector or the size of the entity.
The following entities always qualify as essential entities:
- Government agencies, such as ministries, provinces, municipalities and water boards. However, government agencies that are primarily active in the field of national security, public safety, defence or law enforcement fall outside the scope of the Cbw. These include, for example, the Ministry of Defence, the MIVD, the AIVD, the police, the Public Prosecution Service and the security regions. These organisations are exempt because their digital security is already regulated by specific sectoral legislation, such as the Intelligence and Security Services Act, the Police Act and the Security Regions Act.
- Qualified trust service providers, for example digital trust services that issue qualified digital certificates;
- Providers of registries for top-level domain names;
- DNS service providers;
- Medium-sized and large providers of public electronic communications networks or services.
The following entities always qualify as important entities:
- Micro and small providers of public electronic communications networks or services; and
- Micro and small telecommunications providers. However, the Minister may also designate these entities as essential entities.
There is also a special arrangement for higher education institutions: these may be designated as essential or important entities by the Minister of Education, Culture and Science, regardless of their size.
Finally, the Cbw contains a link to the Critical Entities Resilience Act (Wwke). The Wwke regulates the physical security and resilience of vital organisations, such as energy and drinking water companies, against threats such as natural disasters, sabotage or terrorist attacks. Organisations designated as critical entities under the Wwke automatically qualify as essential entities under the Cbw. Designation is carried out by the minister responsible for the sector in question.
Essential or important entity? Distinction in supervision
It is important to determine whether an entity falls under the Cbw and whether it qualifies as essential or important. This not only determines whether the Cbw applies, but also has direct consequences for the supervisory regime.
Essential entities are subject to a stricter supervisory regime: supervisors will carry out structural proactive checks on these entities, for example by conducting audits. For important entities, supervision is lighter: here, the supervisor acts primarily reactively, when there are signs or indications that the rules are being violated.
Conclusion
The Cbw has a wide scope of application: from hospitals and laboratories to digital service providers and financial institutions. It is important for organisations to determine in good time whether they fall within the scope of the Cbw and whether they qualify as an essential or important entity.
Are you wondering whether your organisation falls within the scope of the Cbw? Please feel free to contact Bente van Kan, Machteld Robichon or Ole Oerlemans.
