The Dutch Cybersecurity Act is coming: what to arrange before 1 July
Mohammad Moghtader, CTO of Virtual Computing
It took a long time, but now things are moving fast. On 15 April 2026 the Dutch House of Representatives passed the Cyberbeveiligingswet (Cybersecurity Act), the Dutch implementation of the European NIS2 directive. In early June the Senate published its preliminary report, and if the Senate approves, the intended effective date is 1 July 2026. No more "that law will arrive someday": this is happening now, this month.
In this article we cover what the law entails, how to determine whether your organisation falls under it (the answer is "yes" more often than you might think) and the five measures you want in place regardless, law or no law.
We covered the basics of NIS2 (which sectors, which company sizes) in "Does your business fall under the NIS2 directive?". This article focuses on the current status and practical preparation.
From European directive to Dutch law
NIS2 is a European directive and does not apply directly: each member state must transpose it into national legislation. That should have happened by 17 October 2024; the Netherlands is over eighteen months late. That delay lulled many businesses to sleep: the obligations always seemed like something for later.
That postponement is now over. The bill has passed the House, sits with the Senate, and the government is steering towards entry into force around 1 July 2026. Businesses waiting for "final clarity" will have no preparation time left: the duty of care applies from day one.
Does it apply to you? The two questions to ask
Question 1: are you in a designated sector and large enough? The law applies to organisations in sectors such as healthcare, transport, energy, digital infrastructure, government, postal services, waste, food, chemicals and manufacturing, roughly from 50 employees or 10 million euro annual revenue. Larger organisations in critical sectors become "essential entities", the rest "important entities". The difference is mainly supervision: essential entities face proactive oversight, important entities are checked after the fact.
Question 2, and this one is often missed: do you supply businesses that fall under it? The law obliges entities to manage the security of their *suppliers*. Are you a software vendor, installation company, logistics provider or accounting firm serving a hospital, energy company or food producer? Then the requirements get passed down to you, in supplier requirements, audits and contract annexes. Formally you are not covered; practically you are.
For healthcare there is an extra dimension: organisations already working with NEN 7510 (the Dutch standard for information security in healthcare) have a head start, because the duty-of-care measures largely overlap.
What the law requires
The Cybersecurity Act has three core obligations:
- Duty of care: appropriate technical and organisational measures: risk management, incident handling, backups and recovery, supplier management, MFA, encryption and security awareness for staff. Management is personally responsible and must be demonstrably trained.
- Reporting duty: give early warning of serious incidents to the CSIRT within 24 hours, full report within 72 hours.
- Registration duty: register your organisation with the supervisory authority.
The fines are serious: up to 10 million euro or 2% of global annual revenue for essential entities. But honestly, the fine should not be the real motivation. The measures the law requires are the same ones that prevent a ransomware attack from shutting your business down for weeks.
The five measures to arrange now (law or no law)
In our practice, organisations that have these five in order already cover the bulk of the duty of care:
- MFA on everything. Multi-factor authentication on email, workspace and all business applications. Still the measure that stops most attacks.
- Backups you have actually tested. Daily, automated, and a restore test at least once a quarter. A backup you have never restored is an assumption, not a certainty.
- A one-page incident plan. Who do you call, who decides, who communicates? Reporting within 24 hours only works if those questions are answered in advance.
- Visibility on your suppliers. Which parties can access your systems and data, and what agreements cover that?
- Staff who recognise phishing. Awareness training and periodic phishing simulations; people remain the most attacked link.
If you work on a managed online workspace, the first two points are already part of the service: MFA, daily backups, monitoring and patching are included in the management. That is not full NIS2 compliance (the organisational side remains your job), but the technical foundation is in place.
How to start today
Do not start with a heavyweight compliance project; start by knowing where you stand. Take the NIS2 check to see whether and how the law affects your organisation, or request the free IT check: seven questions, and you receive a personal roadmap with the gaps to close before 1 July. Prefer to talk to a specialist directly? Schedule a consultation, with no obligations, via Teams or by phone.
*Virtual Computing is ISO 27001 certified and works to NEN 7510 for healthcare clients. We apply the measures in this article daily in managing our own infrastructure and that of our customers.*