NIS2

Cybersecurity Act effective August 15, 2026: what you need to know

Certificering
Implementation
Information Security
ISO 27001

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

It is official: the Cybersecurity Act is moving forward. The Senate approved it on July 7, meaning the law will take effect on August 15, 2026. No more speculation about potential delays or downplaying the impact. The law is here, and for many organizations in the Netherlands, things will truly change starting on that date. In this article, we explain exactly what the Cybersecurity Act entails, who it applies to, and what steps you can take now.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

This article was last updated on
09.07.2026
Written by
Henry
Dwars
Account Executive

What exactly is the Cybersecurity Act?

The Cybersecurity Act is the Dutch implementation of the European NIS2 Directive. It replaces the current Network and Information Systems Security Act (Wbni) and imposes stricter cybersecurity requirements on organizations across 18 different sectors. Think of energy, drinking water, digital infrastructure, healthcare, government, and transport.

 

Starting August 15, 2026, new obligations will apply to approximately 10,000 organizations in the Netherlands. And that is just the tip of the iceberg, as the law also has a ripple effect throughout the supply chain. Are you a supplier to an organization covered by the law? Then you will still have to deal with it through your client. This is expected to affect tens of thousands of suppliers.

No transition period

This is perhaps the most important thing to remember: there is no transition period. As of August 15, you must be in full compliance with the law. Not in six months, not "when you have time." Immediately.

 

For organizations covered by the law, this means, among other things:

 

  • Registration requirement. You must register in the entity register of the National Cyber Security Centre (NCSC). This is mandatory as of August 15.
  • Duty of care. You must take appropriate measures to manage the risks to your network and information systems.
  • Reporting obligation. You must report significant cyber incidents.
  • Management accountability. The board is explicitly responsible for managing cyber risks and must possess sufficient knowledge to do so.

Three common misconceptions

1. "The law probably won't go through anyway."

That is outdated. The law has been passed, the content has not been watered down, and the effective date is set.

2. "This doesn't apply to us."

Even if you aren't directly covered by the law, you may still be affected through your supply chain. Large clients who are subject to the law will ask their suppliers to demonstrate that they also operate securely. If you cannot do so, there will be consequences.

3. "There won't be much oversight."

Also untrue. There are ten authorized regulators that will monitor and enforce compliance both proactively and reactively. Inspections will take place, and you must be able to demonstrate that you have taken appropriate measures.

How do you show that you are compliant?

There is no such thing as an official "NIS2 certificate." The law itself does not prescribe a specific quality mark. However, that does not mean there is nothing you can do to demonstrate that you have your affairs in order. There are a few routes that work well in practice:

 

  • The NIS2 Supply Chain quality mark. This independent label has three levels (SC10, SC20, and SC30), tailored to your risk profile and the role you play in the supply chain. Especially for suppliers who need to demonstrate that they work securely, this is a manageable route.
  • ISO 27001. Do you already have this certification? Then you are already well on your way. Large parts of your existing management system count toward compliance, making the path to demonstrable NIS2 compliance much faster.
  • Sector-specific standards. If you work in healthcare, then NEN 7510 is relevant. If you work in the public sector, then the BIO a role. The content of these standards aligns well with the requirements of the Cyber Security Act.

{{LINKCARD}}

What can you do right now?

Waiting until August 15th is not an option; there is simply too much work to be done. Here are a few things you can start on today:

  1. Determine whether your organization falls directly under the law or if you will be affected through your supply chain.
  2. Prepare your NCSC registration. This takes more time than you might think.
  3. Map out where you currently stand in relation to the requirements, for example by conducting a gap analysis.
  4. Determine which route (NIS2 Supply Chain, ISO 27001, or a combination) best suits your organization.

Need help determining your route?

The Cyber Security Act is new to everyone, and no two organizations start from the same position. At Fendix, we help companies every day to make these types of processes manageable, from an initial gap analysis to full guidance toward demonstrable compliance.

 

Would you like to know where your organization stands and which steps make the most sense for you? Schedule a no-obligation, free consultation with us; we are happy to think along with you without any strings attached.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

How many people participate?

Request now

Thanks!
Oops! The form could not be submitted. Please try again.

More resources

Implementation

Supplier Management within ISO 27001: How to Comply with the Annex A Requirement

thru
Mathijs
Kennisartikel
Join our team

Employee Spotlight: Jurre combines consultancy with content creation

thru
Ruben
Blog
Legislation

When does NIS2 take effect? Deadlines & legislation explained

thru
Mathijs
Kennisartikel