Cybersecurity Act

What is the Cybersecurity Act (Cyberbeveiligingswet)?

The Cyberbeveiligingswet is the Dutch implementation of the European NIS2 directive (Network and Information Security Directive 2). The Act requires organisations in essential and important sectors to strengthen their digital resilience by taking appropriate Security measures and by reporting serious cyber incidents.

🎯 Purpose of the Cybersecurity Act

• National implementation of the European NIS2 directive
• Increasing the cyber resilience of vital and important sectors
• Imposing uniform security requirements across both IT and OT systems
• Faster and better incident detection, reporting and handling

🧱 Who does the Act apply to?

The Act applies to organisations covered by NIS2:

As a rule: organisations with more than 50 employees or annual turnover above €10 million fall within scope.

📋 What are the obligations?

Organisations must, among other things:

• Establish an Information Security Management System (ISMS)
• Carry out risk analyses and take appropriate technical and organisational measures (e.g. Firewall, IDS, SIEM)
• Report cyber incidents within 24 hours to the national CSIRT or the supervisory authority
• Manage supply chain risks
• Allocate sufficient knowledge and resources to Cybersecurity
• Conduct regular audits, reviews and evaluations

🔐 Relevance for OT and industry

The Cybersecurity Act is also relevant for:

• SCADA systems, PLCs and Historians in critical processes
• Network security via the zones and conduits model and Defense in Depth
• Use of standards such as IEC 62443 and ISO 27001
• Monitoring of OT traffic with specialist systems

📌 In summary

The Cybersecurity Act is the national legislation through which the Netherlands implements the NIS2 directive. IT requires companies in vital sectors to organise Cybersecurity structurally, report incidents and secure their digital supply chain.