Go to content
We are the #1 Microsoft partner
#1 Microsoft partner of NL
Console Courses Working at (NL)

Can you demonstrate that your partners have their security in order?

This article is automatically translated using Azure Cognitive Services, if you find mistakes, please get in touch

Please note: This article describes how Wortell is preparing for the Dutch Cybersecurity Act and what this means for customers and supply chain partners. Organisations in other countries may be subject to different laws, obligations, supervisory authorities and incident reporting procedures.

On August 15, 2026, the Cybersecurity Act will enter into force. From that moment on, the requirements for digital security and resilience, administrative responsibility, incident reporting and chain risks will become more concrete for organisations that fall under the law. The law not only sets requirements for the digital security and resilience of your own organization. The security and business continuity of partners and suppliers in your digital chain are also becoming more important.

As an organization, you must have insight into the risks that arise from dependencies in that chain. In addition, you must be able to substantiate better and better that important suppliers have their information security, business continuity and incident response in order.

This raises a logical question: what can you expect from Wortell in this area?

In recent years, Wortell has made targeted investments in digital security and resilience and in the further professionalization of governance, risk and compliance. As a result, many of the measures required by the Cybersecurity Act were already part of our daily working methods. The new legislation mainly places extra emphasis on structurally recording, testing and making this demonstrable.

In this blog, we will take you through the way in which Wortell is preparing for the Cybersecurity Act and how we deal with our responsibility as a partner and supplier in the chain.

Why vendor security is becoming so important

Organizations are increasingly working within a digital ecosystem of IT service providers, cloud platforms, software suppliers and other specialized partners. This cooperation offers many advantages, but also requires clear agreements about information security, business continuity and responsibilities.

The Cybersecurity Act therefore places more emphasis on insight into the entire chain. Organizations need to know which parties play an important role in their services, what dependencies arise and how risks are jointly managed.

The Cybersecurity Act therefore asks organizations to look beyond their own environment. Supply chain risks should be included in the broader risk analysis and mitigated where necessary. That doesn't mean you have to check every technical detail of every supplier yourself. You must be able to explain how you select suppliers, what requirements you set for them and how you determine that important measures are actually implemented. Certifications, audit reports, agreements on incidents and business continuity and periodic reviews can help with this.

Wortell itself is subject to the Cybersecurity Act

Wortell qualifies as an organisation to which the obligations under the Cybersecurity Act apply. So we not only have to help our customers with digital security and resilience, but also demonstrably meet the requirements of the law ourselves. The preparations for this are included in our Integrated Management System, IMS for short. Within this system, we bring together laws and regulations, standards frameworks, risks, control measures and improvement actions.

As a result, we do not treat the Cybersecurity Act as a separate project with a one-off deadline. The requirements are part of our existing processes for governance, information security, business continuity, risk management and compliance. For customers, this means that the measures are not only described in policy documents. They are also structurally tested, monitored and improved where necessary.

Demonstrable governance and risk management

The Cybersecurity Act explicitly calls for attention to be paid to administrative responsibility and risk management. Within Wortell, we have therefore further strengthened our compliance and audit function. The Wortell Assurance Controls, our internal control measures, are linked to relevant standards and legal frameworks. Think of ISO 27001, NEN 7510, SOC 2-TSP, NIS2 and the Dutch Cybersecurity Act. Risk analyses, internal audits, management reviews and improvement measures are recorded and followed up within the IMS. With this, we not only check whether processes have been set up, but also whether they work in practice.

For customers, this provides more insight into the way in which Wortell manages risks. It also helps with questions from internal auditors, customers, chain partners or regulators about the reliability of important suppliers.

Business continuity of critical services

A cyber incident can not only affect the confidentiality and integrity of information. The availability of services may also come under pressure. That is why business continuity is an important part of our preparation for the Cybersecurity Act.

Wortell has set up a complete Business Continuity Management System, which is integrated within the IMS and certified according to ISO 22301. This international standard focuses on preparing organizations for disruptions and ensuring the business continuity of critical processes. Within the Business Continuity Management System, risk analyses, business impact analyses, emergency procedures and recovery plans have been recorded. We map out which processes and services are critical, which dependencies play a role in this and which steps are needed to restore the service in the event of a disruption.

For customers, this means that business continuity doesn't just depend on ad hoc decisions when something goes wrong. The responsibilities, procedures and recovery steps have been thought through and recorded in advance. 

Prepared for significant security incidents

The Cybersecurity Act introduces clear reporting obligations for significant incidents. To do this, an organization must be able to quickly recognize, assess and escalate incidents internally.

Procedures have been set up within Wortell for the handling of significant security incidents. These procedures describe, among other things, how a potential incident is detected and assessed, who is responsible for escalation and decision-making, and how the impact on customers and services is determined. It also specifies when customers and other parties involved are informed and when a notification to a competent authority is required.

These steps align with our broader incident management and business continuity processes. An important starting point is that communication during an incident is not separate from the technical response. Customers need to know in good time when a situation may affect their organization, so that they can also initiate their own crisis and reporting processes.

Information security in daily practice

Wortell's technical and organizational security measures are based on internationally recognized standards and assurance frameworks, including ISO 27001, NEN 7510 and SOC 2-TSP. These measures focus on logging, monitoring and detection of deviant behaviour, among other things. We also pay attention to careful access management based on the principle of least privilege.

Employees only get access to information and systems that they need for their work. For elevated and administrative privileges, we use additional controls, including Privileged Identity Management.

In addition, processes have been set up for change management, vulnerabilities and incident management. With compliance monitoring and periodic evidence, we record that security measures are not only described, but are actually implemented and checked. We use the results to further improve measures where necessary.

Security of our own supply chain

As an IT partner, we are also dependent on suppliers. Think of technology partners, software suppliers, hosting parties and other service providers who are involved in our business operations or customer services.

The Cybersecurity Act therefore not only requires us to secure our own organization. We also need to have insight into risks further down the chain.

Wortell assesses suppliers on relevant topics such as information security, privacy and business continuity. In doing so, we look at the nature of the service, access to data and systems, the possible impact of outages and the presence of appropriate control measures.

Risks and dependencies are identified and classified. The more critical the supplier or service, the heavier the assessment and monitoring can be. In this way, we limit the risk that vulnerabilities at an external party will unnoticeably affect our own services and thus our customers' organizations.

Employees and management remain part of the approach

Digital security and resilience are never exclusively technical topics. Many security incidents have to do with human actions, unclear responsibilities or not recognizing a threat in time.

That is why Wortell structurally invests in security awareness and training. Employees periodically attend training courses on information security, privacy and compliance. In doing so, we pay attention to current cyber threats, working safely, reporting suspicious situations and the steps required in the event of an incident.

Management and board also have a responsibility in this. The Cybersecurity Act explicitly makes digital security and resilience administrative topics. Decision-makers must have sufficient knowledge to understand risks, assess measures and take responsibility for the choices made.

From measures to demonstrable control

For many organizations, the biggest change is not that information security and business continuity suddenly become important. They already were. The change is mainly in the extent to which you must be able to show that measures are structurally designed and actually function.

A policy document, a certificate or a technical solution can be part of that substantiation, but is not sufficient on its own. It concerns the whole of risk analyses, processes, responsibilities, controls, training, audits and improvement actions.

Therefore, we do not see the Cybersecurity Act as a checklist that can be completed at a certain time. It is an ongoing process in which new threats, changes in the organization and developments within the chain must be taken into account again and again.

What does our approach mean for you as a customer?

As a customer, you want to be able to trust that an important partner handles your data, systems and services with care. Under the Cybersecurity Act, it will also become more important to be able to substantiate that trust. Our approach helps in various ways.

By working on the basis of recognised standards and certified management systems, a verifiable basis is created. By structurally testing and recording measures, we can provide insight into the way in which risks are managed.

Our business continuity and incident response processes also support business continuity and timely communication when an incident may impact customers.

We also look beyond our own organization. By assessing risks at our suppliers, we take responsibility for the part of the chain that we can influence.

This does not take over your own responsibility under the Cybersecurity Act. It does help you to better substantiate your supplier and chain risks.

Demonstrably prepared as a partner in the chain

With this combination of governance, certified continuity management, information security, supplier management and structural training, Wortell works on demonstrable digital security and resilience.

In this way, we not only guarantee our own preparation for the Cybersecurity Act, but above all the business continuity, safety and reliability of our services to customers and chain partners.

FAQ

Frequently Asked Questions

Curious about the challenges other organizations face and the questions they have about this topic?

What can you arrange yourself before 15 August 2026?

Because the law will enter into force on 15 August 2026, it is important to check now which obligations apply to your organisation and which parts still need attention. In our practical step-by-step plan, you can read what you can arrange before that date, from registration and risk analysis to incident response and chain responsibility.

View the practical roadmap for the Cybersecurity Act

Do you also know whether your crisis approach works in practice?

Policies, procedures and responsibilities on paper form an important basis. However, the Cybersecurity Act also requires organizations to be demonstrably prepared for significant cyber incidents.

With a Cybersecurity Tabletop, you test how decision-making, escalation, communication and collaboration within your organization proceed on the basis of a realistic scenario. This makes it clear whether the crisis organization is functioning in practice and where there are still areas for improvement. At the same time, the exercise provides board and management with insight into risks and helps to give substance to the increasing accountability. That is why we are temporarily making our Cybersecurity Tabletop available for free.

Request the free Cybersecurity Tabletop

Frequently asked questions about Wortell and the Cybersecurity Act


When will the Cybersecurity Act come into force?

The Cybersecurity Act will enter into force on 15 August 2026. From that moment on, the legal obligations apply to organizations that fall under the law, including requirements around risk management, incident reporting, administrative responsibility and security of the supply chain.

Does Wortell itself fall under the Cybersecurity Act?

Yes. Wortell qualifies as an organisation to which the obligations under the Cybersecurity Act apply. The requirements of the law have therefore been included in our Integrated Management System and are structurally linked to our processes for governance, information security, risk management and business continuity.

What certifications and assurance reports does Wortell have for information security and business continuity?

Wortell works with certified management systems and relevant assurance and standards frameworks, including ISO 27001 for information security, NEN 7510 for information security in healthcare, SOC 2-TSP and ISO 22301 for Business Continuity Management.

Certifications are an important part of our demonstrable control, together with risk analyses, audits, controls and improvement measures.

How does Wortell help customers with their supply chain responsibility?

Wortell can provide insight into the way in which information security, business continuity, incident management and supplier risks are managed within the organization.

This allows customers to better substantiate that they are working with a partner who has set up appropriate measures. Customers remain responsible for their own total supplier assessment and risk analysis.

How does Wortell deal with security incidents?

Wortell has set up procedures for detection, assessment, escalation, communication and follow-up of security incidents.

In the event of a significant incident, it is also assessed whether customers or authorized authorities should be informed. These processes are linked to our incident management and Business Continuity Management System.

How does Wortell guarantee business continuity?

Our certified Business Continuity Management System includes business impact analyses, emergency procedures and recovery plans.

This allows us to map out critical processes, dependencies and recovery steps and prepare for situations in which normal service provision is disrupted.

Does Wortell also assess the security of its own suppliers?

Yes. Suppliers are assessed depending on their role and risk on topics such as information security, privacy and business continuity.

Critical dependencies and risks are identified, classified and monitored. In doing so, we not only look at our own organization, but also at risks further down the chain.

Is compliance with ISO 27001 sufficient for the Cybersecurity Act?

ISO 27001 provides a strong foundation for information security, but certification does not automatically mean that all obligations under the Cybersecurity Act are met.

The Act also contains requirements regarding administrative responsibility, incident reports, business continuity, chain risks and training.

Why is a Cybersecurity Tabletop relevant to the Cybersecurity Act?

A Tabletop makes it visible whether a crisis organization is functioning in practice. During an incident scenario, roles, decision-making, communication, escalation and collaboration are tested.

The results provide board and management with insight into risks and areas for improvement and help to demonstrate that the organization is preparing for significant cyber incidents.

Where can I read what my organisation needs to arrange before 15 August 2026?

In our practical step-by-step plan, you will find the most important preparations for the Cybersecurity Act. The step-by-step plan deals with, among other things, registration, risk analysis, incident reports, administrative responsibility and chain risks.

View the roadmap for the Cybersecurity Act

How can I test whether our crisis organization is well prepared?

With a Cybersecurity Tabletop, you go through a realistic cyber incident together with the decision-makers involved. This allows you to test roles, decision-making, escalation and communication and give you concrete points for improvement for your crisis approach.

Wortell is temporarily making this Cybersecurity Tabletop available for free.

Request the free Cybersecurity Tabletop

Questions about the Cybersecurity Act?

Do you want to know what the Cybersecurity Act means for your organization, supply chain or current security approach? Leave your question via the form. One of our specialists will contact you.
Our author

Gitte Thijssen

Gitte Thijssen is a Campaign Marketer at Wortell. In this role, she translates complex topics around cloud, security, and AI into clear campaigns and content that help organizations navigate their digital and AI-driven transformation.

Gitte works closely with specialists and customers to connect strategic propositions with relevant, meaningful stories. With a strong focus on audience, timing, and impact, she ensures that insights on AI, organizational design, and technology are not only shared, but truly resonate with decision-makers. Her focus is on creating campaigns that inform, inspire, and help organizations take well-considered steps toward a future-ready IT and AI strategy.