The Cybersecurity Act (Cbw) will take effect on August 15, 2026, and is set to radically transform the Dutch cybersecurity sector. With this law, the Netherlands is turning the European NIS2 Directive into national legislation. Thousands of organizations will be required to systematically strengthen their cyber resilience. The message from the government is clear: waiting is not an option.
Everything you need to know: lessons we can learn from Belgium
For many organizations, the Cybersecurity Act raises a lot of questions.
- Who falls under the scope of the law?
- What exactly will change?
- And how can you prepare for this without getting bogged down in purely technical details?
Belgian organizations have a head start in this regard. Belgium implemented the NIS2 Directive as early as October 2024. That means that organizations there have already gained nearly two years of practical experience with these new requirements. At ACEN, we have closely followed this evolution and guided dozens of them through their implementation process. These lessons provide Dutch organisations with valuable insights as they begin their own NIS2 journey.
The Cybersecurity Act goes beyond a simple compliance requirement
The Cybersecurity Act is the Dutch implementation of the European NIS2 Directive. Its goal is clear: to increase the digital resilience of organizations and ensure that cyber incidents have less of an impact on society and the economy.
Previous legislation focused primarily on a limited group of critical organizations. The scope now is being significantly expanded. Medium-sized organizations in sectors such as healthcare, education, manufacturing, logistics, digital services, IT, and financial services may also fall directly under the law. In addition, many organizations that are not themselves subject to the guidelines will indirectly face stricter security requirements. Their customers, suppliers, and partners will have higher requirements and demands regarding cybersecurity.
The Cybersecurity Act is not solely about stricter regulations. Above all, it fosters a different way of thinking. Cybersecurity is shifting from a technical IT issue to a strategic component of business operations for every modern organization.
Governance is becoming as important as technology
When organizations begin preparing for the Cybersecurity Act, they often look into purchasing new security solutions and tools. That’s understandable, but in practice, technology rarely turns out to be the biggest challenge.
New tools alone often do not provide a solution. The first steps organizations need to take are to gain control and insight into their internal operations. That often starts with asking a few fundamental questions.
- Is it clear who is responsible for cybersecurity?
- Have the main risks been identified and documented?
- Are there processes in place to systematically monitor potential threats?
- Is there sufficient oversight of suppliers and external parties who have access to critical systems?
Our experience in Belgium has taught us that this is precisely where the greatest efforts are needed. Governance forms the foundation upon which all measures rest. Without clear responsibilities, processes, and risk management, it becomes extremely difficult to demonstrate that an organization has effective control over its systems.
Cybersecurity is becoming a management responsibility
One of the most significant changes brought about by the Cybersecurity Act is that cybersecurity can no longer be the sole responsibility of the IT department.
Executives will play an active role in managing cyber risks. Their task will be to gain an understanding of the risks their organization faces. In addition, they will need to make decisions regarding investments in appropriate security measures and ensure that the organization continues to comply with legal obligations.
This means that cybersecurity will appear on the agenda of executive and board meetings with increasing frequency. Organizations will need to better document decisions and periodically evaluate risks. Aditionally they will need to be able to demonstrate that security is an integral part of their business operations.
Identity Security as a fundamental building block
In virtually every NIS2 project, organizations eventually run into the same question: Who actually has access to which systems and data?
That may seem like a simple question, but in complex IT environments, the answer is often less obvious than expected. Employees change roles, external consultants are granted temporary access, applications grow and evolve over the years, and user permissions are rarely evaluated systematically.
That is precisely why Identity Security is becoming an increasingly important building block within NIS2. Solutions for Identity Governance & Administration (IGA) and Privileged Access Management (PAM) help organizations gain insight into all digital identities. Nest to centrally managing access rights, and detect anomalies more quickly. This not only enhances security but also makes demonstrating compliance significantly easier.
Compliance does not end with implementation
Perhaps the most important lesson we’ve learned in Belgium is that NIS2 isn’t a checklist you complete once and then sit back and relax. Projects don’t always have a clear end date or exact endpoint.
Many organizations start with a gap analysis, implement improvements, and then consider the process complete. In reality, that’s when the real challenge begins. The Cybersecurity Act requires a continuous approach in which risks are regularly assessed, access rights are periodically reviewed, vendors are actively monitored, and security measures are constantly adapted to new threats.
Cybersecurity is constantly evolving, often faster than legislation can keep up.
Organizations that treat compliance as an annual exercise run the risk of their security approach becoming outdated again in a short period of time.
Why Dutch organizations need to take action now
The Cybersecurity Act will take effect on August 15, 2026. Organizations that have yet to begin their preparations would be wise to take action quickly. Establishing governance, processes, and technical measures takes much more time than expected.
Moreover, the benefits extend beyond mere legal compliance. By investing today in better risk management, identity security, and continuous monitoring, organizations not only build stronger protection against cyber incidents but also gain greater insight into their digital landscape. They gain visibility into critical systems, dependencies, and vulnerabilities, making cybersecurity more manageable and targeted.
ACEN's experience makes all the difference
The Netherlands is now at the same point where Belgium was two years ago. The questions and challenges are largely the same, but Dutch organizations do not have to start from scratch.
At ACEN, we’ve been guiding organizations for years in the areas of Identity Security, governance, Managed Detection & Response, and Security Advisory. Since the implementation of NIS2 in Belgium, we’ve also leveraged that expertise to help organizations prepare for the new regulations. As a result, we know from real-world experience which approaches work, where projects often run into delays, and which steps have the greatest impact in the shortest amount of time.
Ultimately, the Cybersecurity Act isn’t just about checking off a checklist.
It offers organizations the opportunity to structurally strengthen their cyber resilience, gain more control over their digital environment, and be better prepared for future threats. Those who take that step today will not only meet legal obligations faster tomorrow but will also build a safer, more resilient, and more manageable organization.