Go to content
We are the #1 Microsoft partner
#1 Microsoft partner of NL
Console Courses Working at (NL)

The Cybersecurity Act: Step-by-step plan for what you want to have in place before 15 August

This article is automatically translated using Azure Cognitive Services, if you find mistakes, please get in touch

Please note: this article focuses on the Dutch implementation of the NIS2 Directive through the Cyberbeveiligingswet. For organisations in other countries, different laws, deadlines, supervisory authorities and reporting points may apply.


On 7 July 2026, the Senate approved the Cybersecurity Act (Cbw) and the Resilience of Critical Entities Act (Wwke). This means that the Dutch implementation of the European NIS2 Directive is officially a fact. Both laws will enter into force on 15 August 2026.

From that moment on, cybersecurity is no longer a non-binding choice for more than 8,000 organizations in the Netherlands, but a legal obligation. The impact extends beyond these organizations alone: thousands of suppliers in the supply chain are also affected.

In conversations with organizations, we notice that the law is often approached as a project with a deadline. Understandable, but that is exactly where the risk lies. A law is a lower limit, not an ambition. Those who work alone on the registration certificate in the coming weeks may make it to the date, but miss the mark: an organization that demonstrably protects its business operations.

That is why it is not only about what must be arranged before 15 August. It is mainly about how you use these obligations to structurally embed resilience. This is what should be on your agenda for the next few weeks. That doesn't start with technology, but with overview. What obligations apply to your organization, what risks are there and what do you need to work on in the coming weeks?

Step 1: determine whether and how the law applies to your organization

Organisations are responsible for checking whether they fall under the Cybersecurity Act. So there will be no letter from the government stating what applies to your organization. The law distinguishes between essential and important entities, with differences in supervision and possible sanctions. The NIS2 Quickscan of the central government gives an initial indication within a few minutes.

Don't just look at the direct obligations. Organizations that are not covered by the law themselves can also be affected by it through their customers. Organisations that do fall under the law must manage risks in their supply chain and will therefore impose stricter requirements on suppliers.

Those who can already show how information security is set up will soon have a different conversation with customers than organizations that have yet to figure it out.

Step 2: start with a risk analysis, not a list of measures

The duty of care is the core of the law. This requires appropriate measures based on your own risks, not ticking off a standard list. It starts with two questions that every organization should be able to answer, with or without legislation: what is most valuable to us and where are we vulnerable?

Therefore, first map out which processes, systems and data are most critical to your business operations. Then look at what measures you have already taken and where there are still gaps. The outcome is rarely that there is nothing. Most organizations have already arranged a lot, but cannot always show how those measures are related to their actual risks.

That is exactly where the discussion shifts: from policy to evidence. Discuss the results with the board and record what improvement measures will follow. Not as a paper exercise, but as proof of execution. Because that is what you will have to be able to fall back on later.

Step 3: Set up your reporting process before you need it

The obligation to report has strict deadlines under the NIS2 Directive. In the event of a significant incident, you must issue an early warning within 24 hours and a formal notification within 72 hours. If you still have to find out during an incident who is making the report, what exactly needs to be reported and what information is needed for this, you are actually already too late.

Therefore, make clear agreements in advance. Who determines whether an incident is significant? Who makes the report to the NCSC? And where does that person get the right information from? Test that process in practice, for example with a tabletop exercise in which management and IT sit down together.

A reporting process that only exists on paper does not help you when the pressure increases. It is precisely then that it must become clear whether agreements work. The obligation to report is essentially about transparency. Organizations that can quickly identify and report an incident show that their detection and response are in order. That is ultimately the real test.

Step 4: map out your chain, because it is now also part of your responsibility

The law makes organizations responsible for risk management in the supply chain. This confirms what practice has shown for some time: as an organization you are only as strong as the suppliers you rely on. Recent incidents in the Netherlands, in which attacks via suppliers affected large groups of organizations and citizens, make it clear that this is not a theoretical risk.

Therefore, start with an overview. Which suppliers are critical to your business operations? Who has access to your systems or data? And who are you operationally dependent on? Then look at what agreements are already in place about security, incident reporting and continuity.

Complete chain control will not be in place before 15 August. Nobody expects that either. However, you can expect yourself to know where the greatest dependencies are and that the conversation with those suppliers is planned.

Step 5: organize administrative knowledge and make it demonstrable

The law also requires something from administrators. They must have demonstrable knowledge of cybersecurity. This includes a training obligation, but also personal responsibility. The sanctions can amount to 10 million euros or 2 percent of the global annual turnover.

Yet this is more than a course that must be followed. Above all, managerial knowledge means that the management can ask the right questions. Which risks do we consciously accept? What risks do we transfer? And where should we invest?

Digital security should therefore be structurally on the agenda of the board table. Not as a technical catch-up moment, but as part of the management of the organization. The value of this obligation lies precisely there: management, supervision and technology will speak the same language.

In organizations where that conversation is already being held, we see that security investments are more in line with what really matters.

Step 6: prepare the registration with the NCSC

From an administrative point of view, the registration obligation is one of the most manageable obligations. Organisations that fall under the law must provide their details for the register of entities. In the Netherlands, this is done via the NCSC portal.

Don't take this step at the very front, but don't put it off in front of you either. The registration logically follows the determination from step 1: does your organization fall under the law, and if so, in what way? After that, registration is the moment when your organisation is formally included in the entity register and has access to the right support through the sectoral CSIRT.

Please note: registration is different from reporting. A separate reporting obligation applies to significant cyber incidents. This notification is made via the NCSC portal, so that your organisation does not have to report separately to both the sectoral CSIRT and the regulator.

Comply with the law, but focus on resilience

The temptation is great to turn these six steps into a project with August 15 as the end date. Understandable, but an attacker doesn't care much about your registration certificate.

The organizations that benefit most from this law are those that use the obligations to answer questions that have always mattered. Do we know our risks? Can we demonstrate how we manage this? And do we act because it is important or only when we have to?

If you want to know where the organization stands, you start with factual insight. A risk analysis shows what is really vulnerable, but also what is already well arranged. From there, the road to August 15 becomes clearer. More importantly, you lay a foundation for the years to come.

For organizations that want to know where they stand before a regulator or incident determines that for them, that insight is a logical first step.

Cybersecurity Act

Know where you stand before August 15

The Cybersecurity Act requires more than just registration. Do you want to know which risks, obligations and areas for improvement are now priorities for your organization? Our security specialists help you to get a quick overview and take the right steps towards structural resilience.

Frequently Asked Questions about the Cybersecurity Act

Our author

Gitte Thijssen

Gitte Thijssen is a Campaign Marketer at Wortell. In this role, she translates complex topics around cloud, security, and AI into clear campaigns and content that help organizations navigate their digital and AI-driven transformation.

Gitte works closely with specialists and customers to connect strategic propositions with relevant, meaningful stories. With a strong focus on audience, timing, and impact, she ensures that insights on AI, organizational design, and technology are not only shared, but truly resonate with decision-makers. Her focus is on creating campaigns that inform, inspire, and help organizations take well-considered steps toward a future-ready IT and AI strategy.