What is the Wwke?
Wwke stands for the Dutch Wet weerbaarheid kritieke entiteiten (βCritical Entities Resilience Actβ) and is the national transposition of the European CER Directive (Critical Entities Resilience, EU 2022/2557). The law obliges designated organisations to demonstrate resilience against all relevant threats β including natural disasters, sabotage, terrorism and supplier failure.
The Wwke is the physical and organisational counterpart to the Dutch Cyber Security Act (which implements NIS2): where NIS2 governs cyber resilience, the Wwke addresses all forms of disruption to essential services.
π― Aim of the Wwke
- Safeguard the continuity of essential services to society
- Mandate risk-based measures against physical and hybrid threats
- Introduce mandatory reporting of significant disruptions
- Strengthen oversight via designated sector authorities
𧱠Who counts as a critical entity?
Critical entities are designated per sector based on the societal importance of their service. The Wwke covers, among others:
| Sector | Examples of services |
|---|---|
| Energy | Electricity, gas, oil, heat |
| Transport | Air, road, rail and water transport |
| Banking and financial market infrastructure | Payment services, exchanges |
| Healthcare | Hospitals, pharmaceutical supply chain |
| Drinking water and waste water | Production, distribution, treatment |
| Digital infrastructure | Internet exchanges, data centres, DNS |
| Government | Central executive agencies |
| Food | Production, storage and distribution |
An organisation qualifies as a critical entity once its failure would have significant societal consequences. Formal designation is made by the relevant minister.
π Obligations under the Wwke
Critical entities must:
- Conduct a Risk Assessment covering physical, hybrid and personnel-related threats
- Draw up a resilience plan combining technical and organisational measures
- Take measures for access control, personnel screening and protection of sensitive information
- Provide for Business Continuity and Continuity Management
- Report significant incidents to the competent authority
- Cooperate with supervision, audits and exercises
π Wwke versus the Cyber Security Act
Many organisations fall under both laws. The Wwke governs physical and organisational resilience; the Cyber Security Act governs digital resilience.
| Topic | Wwke / CER | Cyber Security Act / NIS2 |
|---|---|---|
| Type of resilience | Physical, hybrid, all-hazards | Cyber resilience |
| Scope | Designated critical entities | Essential + important entities |
| Designation | Per entity, by the minister | Based on sector and size |
| Central authority | Sector authorities + NCTV | RDI, sector authorities, NCSC |
An integrated approach across IT and OT avoids duplicated effort and aligns naturally with frameworks such as IEC 62443.
π Implications for IT and OT
The Wwke clearly affects industrial environments:
- Physical security of process plants, SCADA rooms and PLC cabinets
- Personnel resilience: screening of operators and maintenance partners
- Supplier dependency: protection against failure of critical suppliers
- Crisis response integrated with cyber processes via an Incident Response Plan and Crisis Communication Plan
- Alignment with IEC 62443 for the cyber component of the resilience plan
π In summary
The Wwke is the Dutch transposition of the European CER Directive and obliges critical entities to demonstrate a resilience strategy against all relevant threats. Together with the Cyber Security Act it forms the legal foundation for protecting Critical Infrastructure in the Netherlands.