The Dutch Cybersecurity Act (Cyberbeveiligingswet): Does It Apply to Your SMB?
NIS2, General
On July 1, 2026, the Dutch Cybersecurity Act (Cyberbeveiligingswet) is expected to take effect. It's the Netherlands' implementation of the European NIS2 directive. That's 65 days away. And if you're reading this, chances are you're wondering: does this law apply to me?
The short answer: maybe, and even if it doesn't, you'll probably feel its effects anyway. Here's how that works, without the legal jargon.
What is the Dutch Cybersecurity Act?
The Cyberbeveiligingswet is the Dutch version of NIS2, the European directive for network and information security. Where the GDPR focuses on personal data, the Cybersecurity Act focuses on securing your networks and information systems.
The European Union established NIS2. Every EU member state must translate that directive into national law. In the Netherlands, that becomes the Cyberbeveiligingswet. The substantive requirements are largely the same as NIS2, but the law specifically addresses how oversight and enforcement work within the Netherlands.
The expected effective date: July 1, 2026.
Who falls directly under the law?
The Cybersecurity Act distinguishes two categories of organizations: essential entities and important entities. Both have obligations. The difference is the intensity of oversight.
Sectors
The law applies to organizations in these sectors:
- Energy (electricity, gas, oil, heating)
- Transport (aviation, rail, water, road)
- Financial infrastructure (banking, market infrastructure)
- Healthcare (hospitals, labs, pharmaceuticals)
- Drinking water and wastewater
- Digital infrastructure (data centers, DNS, cloud, telecom)
- ICT services (MSPs, MSSPs)
- Public administration
- Postal and courier services
- Waste management
- Chemicals and manufacturing (food, machinery, electronics, medical devices)
- Space and research
Size thresholds
If you operate in one of those sectors, your size determines which category you fall into:
- Important entity: 50+ employees OR more than 10 million euros annual revenue
- Essential entity: 250+ employees OR more than 50 million euros annual revenue
Essential entities are proactively monitored by the regulator. Important entities are mainly checked after the fact, for example following an incident or complaint. But the actual requirements are largely the same for both categories.
The supply chain trap: why businesses outside scope still get affected
This is the part most SMBs miss. You think: I'm not in one of those sectors, or I have fewer than 50 employees, so I'm safe.
Not necessarily.
The Cybersecurity Act requires organizations that are in scope to secure their supply chain. In practice: if you provide a service to a hospital, energy company, IT service provider, or any other organization that falls under the law, that client can contractually require you to:
- Have completed a risk analysis
- Have an incident reporting procedure
- Be able to demonstrate security measures
- Train employees on cybersecurity
You don't formally fall under the law, but the requirements land on your desk through your clients anyway. This isn't a hypothetical scenario. Large organizations are already reviewing their supply chains. Read more about how this works in supplier management under NIS2.
Decision tree: does your business fall under the Dutch Cybersecurity Act?
Walk through these four questions:
1. Do you operate in one of the listed sectors? Yes: go to question 2. No: go to question 4.
2. Do you have 50+ employees OR more than 10 million euros annual revenue? Yes: you are likely an important entity. Go to question 3. No: you don't fall directly under the law, but go to question 4.
3. Do you have 250+ employees OR more than 50 million euros annual revenue? Yes: you are likely an essential entity. No: you remain an important entity.
4. Do you supply products or services to organizations that fall under the law? Yes: you are indirectly in scope through the supply chain. Prepare for contractual requirements. No: the law doesn't formally apply to you, but the security measures are smart to have regardless.
What you need to have in place (law or no law)
Whether you fall directly under the law or get pulled in through the supply chain: the Cybersecurity Act is about demonstrable security. Not promises, but evidence.
These are the four things you need to have sorted at minimum:
1. Supplier inventory
Which external parties have access to your systems or data? Think about your hosting provider, software vendors, external IT administrator, and cloud tools. Map them out, classify them by risk, and check whether their contracts include security requirements.
2. Risk analysis
Where are you vulnerable? Which systems are critical to your operations? What happens if they go down for 24 hours? Without a risk analysis, you don't know where to focus your security measures.
3. Incident reporting procedure
The Cybersecurity Act requires you to report serious incidents to the regulator within 24 hours, followed by a full report within 72 hours. You need a playbook: who takes the lead, what are the steps, who gets informed?
4. Documented measures
Everything you do must be demonstrable. That means: policy documents, registers of suppliers and processing activities, logs of measures and training, and version history showing your documents are current.
Want to know how to get started with all of this? Read NIS2 for SMBs: where do you start?
65 days: what can you still do?
Time is tight, but you can still get a lot done. Focus on the basics:
Week 1-2: Create an overview of your suppliers and the systems they have access to. This is often the fastest way to get a handle on your attack surface.
Week 3-4: Run a risk analysis. Inventory your critical systems, identify threats, and assess the impact.
Week 5-8: Draft an incident reporting procedure and document your security measures. Make sure you can show what you're doing and why.
Perfection isn't the goal. The regulator wants to see that you're working on it and can demonstrate what you've done.
How ComplianceHive helps
ComplianceHive brings your supplier management, software inventory, risk analysis, and documentation together in one place. No spreadsheets disappearing in a shared folder. No loose documents nobody can find.
You build a complete overview of your suppliers, assess them by risk, record your measures, and always have an up-to-date dossier ready. Whether you fall directly under the Cybersecurity Act or you're preparing for requirements from your clients.
See how ComplianceHive supports your NIS2 preparation and get your basics sorted before July.