The Cybersecurity Act: Step-by-step plan for what you want to have in place before 15 August
Please note: this article focuses on the Dutch implementation of the NIS2 Directive through the Cyberbeveiligingswet. For organisations in other countries, different laws, deadlines, supervisory authorities and reporting points may apply.
On 7 July 2026, the Senate approved the Cybersecurity Act (Cbw) and the Resilience of Critical Entities Act (Wwke). This means that the Dutch implementation of the European NIS2 Directive is officially a fact. Both laws will enter into force on 15 August 2026.
From that moment on, cybersecurity is no longer a non-binding choice for more than 8,000 organizations in the Netherlands, but a legal obligation. The impact extends beyond these organizations alone: thousands of suppliers in the supply chain are also affected.
In conversations with organizations, we notice that the law is often approached as a project with a deadline. Understandable, but that is exactly where the risk lies. A law is a lower limit, not an ambition. Those who work alone on the registration certificate in the coming weeks may make it to the date, but miss the mark: an organization that demonstrably protects its business operations.
That is why it is not only about what must be arranged before 15 August. It is mainly about how you use these obligations to structurally embed resilience. This is what should be on your agenda for the next few weeks. That doesn't start with technology, but with overview. What obligations apply to your organization, what risks are there and what do you need to work on in the coming weeks?
Step 1: determine whether and how the law applies to your organization
Organisations are responsible for checking whether they fall under the Cybersecurity Act. So there will be no letter from the government stating what applies to your organization. The law distinguishes between essential and important entities, with differences in supervision and possible sanctions. The NIS2 Quickscan of the central government gives an initial indication within a few minutes.
Don't just look at the direct obligations. Organizations that are not covered by the law themselves can also be affected by it through their customers. Organisations that do fall under the law must manage risks in their supply chain and will therefore impose stricter requirements on suppliers.
Those who can already show how information security is set up will soon have a different conversation with customers than organizations that have yet to figure it out.
Step 2: start with a risk analysis, not a list of measures
The duty of care is the core of the law. This requires appropriate measures based on your own risks, not ticking off a standard list. It starts with two questions that every organization should be able to answer, with or without legislation: what is most valuable to us and where are we vulnerable?
Therefore, first map out which processes, systems and data are most critical to your business operations. Then look at what measures you have already taken and where there are still gaps. The outcome is rarely that there is nothing. Most organizations have already arranged a lot, but cannot always show how those measures are related to their actual risks.
That is exactly where the discussion shifts: from policy to evidence. Discuss the results with the board and record what improvement measures will follow. Not as a paper exercise, but as proof of execution. Because that is what you will have to be able to fall back on later.
Step 3: Set up your reporting process before you need it
The obligation to report has strict deadlines under the NIS2 Directive. In the event of a significant incident, you must issue an early warning within 24 hours and a formal notification within 72 hours. If you still have to find out during an incident who is making the report, what exactly needs to be reported and what information is needed for this, you are actually already too late.
Therefore, make clear agreements in advance. Who determines whether an incident is significant? Who makes the report to the NCSC? And where does that person get the right information from? Test that process in practice, for example with a tabletop exercise in which management and IT sit down together.
A reporting process that only exists on paper does not help you when the pressure increases. It is precisely then that it must become clear whether agreements work. The obligation to report is essentially about transparency. Organizations that can quickly identify and report an incident show that their detection and response are in order. That is ultimately the real test.
Step 4: map out your chain, because it is now also part of your responsibility
The law makes organizations responsible for risk management in the supply chain. This confirms what practice has shown for some time: as an organization you are only as strong as the suppliers you rely on. Recent incidents in the Netherlands, in which attacks via suppliers affected large groups of organizations and citizens, make it clear that this is not a theoretical risk.
Therefore, start with an overview. Which suppliers are critical to your business operations? Who has access to your systems or data? And who are you operationally dependent on? Then look at what agreements are already in place about security, incident reporting and continuity.
Complete chain control will not be in place before 15 August. Nobody expects that either. However, you can expect yourself to know where the greatest dependencies are and that the conversation with those suppliers is planned.
Step 5: organize administrative knowledge and make it demonstrable
The law also requires something from administrators. They must have demonstrable knowledge of cybersecurity. This includes a training obligation, but also personal responsibility. The sanctions can amount to 10 million euros or 2 percent of the global annual turnover.
Yet this is more than a course that must be followed. Above all, managerial knowledge means that the management can ask the right questions. Which risks do we consciously accept? What risks do we transfer? And where should we invest?
Digital security should therefore be structurally on the agenda of the board table. Not as a technical catch-up moment, but as part of the management of the organization. The value of this obligation lies precisely there: management, supervision and technology will speak the same language.
In organizations where that conversation is already being held, we see that security investments are more in line with what really matters.
Step 6: prepare the registration with the NCSC
From an administrative point of view, the registration obligation is one of the most manageable obligations. Organisations that fall under the law must provide their details for the register of entities. In the Netherlands, this is done via the NCSC portal.
Don't take this step at the very front, but don't put it off in front of you either. The registration logically follows the determination from step 1: does your organization fall under the law, and if so, in what way? After that, registration is the moment when your organisation is formally included in the entity register and has access to the right support through the sectoral CSIRT.
Please note: registration is different from reporting. A separate reporting obligation applies to significant cyber incidents. This notification is made via the NCSC portal, so that your organisation does not have to report separately to both the sectoral CSIRT and the regulator.
Comply with the law, but focus on resilience
The temptation is great to turn these six steps into a project with August 15 as the end date. Understandable, but an attacker doesn't care much about your registration certificate.
The organizations that benefit most from this law are those that use the obligations to answer questions that have always mattered. Do we know our risks? Can we demonstrate how we manage this? And do we act because it is important or only when we have to?
If you want to know where the organization stands, you start with factual insight. A risk analysis shows what is really vulnerable, but also what is already well arranged. From there, the road to August 15 becomes clearer. More importantly, you lay a foundation for the years to come.
For organizations that want to know where they stand before a regulator or incident determines that for them, that insight is a logical first step.