Introduction: The Upcoming Cyber Shift

Businesses today operate under constant pressure from two fronts: the escalating sophistication of cyber threats and a new wave of regulations designed to counter them. At the forefront of this regulatory shift is the European Union's new cybersecurity rule, NIS2, which establishes a high common standard of digital resilience across all member states.

In the Netherlands, this directive is being implemented as the Cyberbeveiligingswet (Cbw). However, recent news has confirmed that its official enforcement has been delayed, with the new target set for the second quarter of 2026. For many, this delay might seem like a welcome reprieve: a chance to push a complex compliance project further down the road.

This is a dangerously misleading assumption. Ignoring the Cbw until its formal enforcement date is a major strategic mistake. The law's impact is already taking shape, and the risks of inaction are immediate and substantial. Here are the five most surprising and impactful reasons why your organization must act now.


1. It's Not Just for Power Grids Anymore: The Law's Massive Scope

While the previous cybersecurity law (the Wbni) primarily focused on traditional critical infrastructure, the new Cbw dramatically expands its scope. This expansion reflects the government's recognition that societal functions are now critically dependent on the digital operations of sectors like food production and waste management, which have become prime targets for disruptive cyberattacks.

The law now applies to a wide array of new sectors. This includes organizations involved in Waste Management, Food production and distribution, Chemical manufacturing, and other Critical Manufacturing sectors, such as the production of electronics, machinery, and motor vehicles.

Inclusion is determined by a straightforward "size-cap rule." All medium and large organizations within these sectors are now covered. A "medium" organization has at least 50 employees or an annual turnover or balance sheet total of over €10 million. A "large" organization has over 250 employees, or an annual turnover exceeding €50 million and a balance sheet total exceeding €43 million.

The impact is profound: countless businesses that never considered themselves part of the national critical infrastructure now face significant new legal obligations. Crucially, the inclusion of manufacturing sectors acknowledges the convergence of information technology (IT) and operational technology (OT), demanding a unified security strategy that protects both corporate networks and industrial control systems.

2. The Board of Directors Is Now Personally on the Hook

The Cbw elevates cybersecurity from an IT problem to a non-delegable, board-level responsibility. The law codifies this by imposing three core governance mandates directly on the management body:

  • The management body must approve the organization's cybersecurity risk-management measures.
  • They must oversee the implementation of these measures.
  • They are required to follow a recognized training program to gain sufficient knowledge to identify and assess cybersecurity risks, and be able to demonstrate this with a certificate.

This creates an explicit and enforceable fiduciary duty. The gravity of this change is captured in the directive's text, which states that management bodies "can be held liable for infringements."

This fundamentally changes the nature of executive liability. The mandatory, certified training requirement is designed to eliminate "plausible deniability" for board members regarding cybersecurity oversight. Failure to attend this training is, in itself, an auditable violation, making it clear that while operational tasks can be delegated, the ultimate responsibility for cybersecurity resilience now rests squarely in the boardroom.

3. The Official 2026 Deadline Is a Mirage

The facts are clear: the Netherlands will miss the original EU deadline of October 17, 2024, to implement the directive. The new target for the Cbw to formally enter into force is the second quarter of 2026. However, treating this date as the starting line for compliance efforts is a critical error.

The Dutch government (Rijksoverheid) has explicitly and strongly advised organizations not to wait for the law to become active. Its official guidance is unambiguous:

"The national government advises organizations not to wait until the Cybersecurity Act enters into force. After all, the risks that organizations and systems run already exist."

This creates a "2025 preparation window." While the law may not be formally enforceable until 2026, its requirements are already known. If a major cyber incident were to occur before the enforcement date, a demonstrable lack of preparation based on the Cbw's published standards could be viewed as managerial negligence, regardless of the law's official status.

4. It Creates a "Regulatory Domino Effect" in Your Supply Chain

One of the most significant but least obvious impacts of the Cbw is the "regulatory domino effect" it will trigger throughout the Dutch economy. The law doesn't just apply to individual companies in isolation; it addresses the systemic risk present in modern, interconnected supply chains.

The Cbw mandates that regulated entities, particularly large "Essential Entities," must actively manage the cybersecurity risks within their own supply chains. In practice, this means these larger companies will be legally required to audit and manage the security of their external service providers and acquisitions, ensuring suppliers meet security thresholds equivalent to their own.

This requirement functionally compels smaller suppliers, even those who may not fall directly under the Cbw's size rules, to adopt NIS2-level security standards through mandatory contractual clauses. For suppliers, this means that demonstrating Cbw-aligned security is no longer just a defensive measure, but a commercial differentiator essential for retaining and winning contracts with larger clients.

5. The Fines Are Big Enough to Get the CFO's Attention

To ensure compliance is taken seriously, the Cbw introduces severe, GDPR-scale financial penalties for violations. These sanctions are designed to be a substantial deterrent and are structured in two tiers based on an entity's classification:

  • Essential Entities: Subject to fines of up to €10 million or 2% of the entity's total worldwide annual turnover, whichever is higher.
  • Important Entities: Subject to fines of up to €7 million or 1.4% of the entity's total worldwide annual turnover, whichever is higher.

The comparison to GDPR is intentional and gives a familiar frame of reference for the financial magnitude of these penalties.

These sanctions elevate cybersecurity failures to a material financial risk. This means non-compliance is no longer just an operational issue; it's a financial threat that requires board-level attention, explicit consideration in financial reporting, and integration into enterprise-wide risk management frameworks.


Conclusion: A New Baseline for Business Resilience

The Cyberbeveiligingswet is not just another IT compliance checklist. It represents a fundamental shift that embeds cybersecurity directly into corporate governance, supply chain management, and financial risk assessment, establishing a new, non-negotiable aspect of enterprise risk management on par with financial or operational risk.

Waiting for the formal enforcement date in 2026 is an unsustainable strategy. The board's new personal liability is the driving force that necessitates a robust, defensible budget for managing the "regulatory domino effect" in the supply chain. A failure in a supplier could now directly lead to an auditable breach of fiduciary duty, exposing the organization to material financial risk. The law establishes a new, higher baseline for business resilience in an increasingly hostile digital world.

With cybersecurity now a core fiduciary duty, is your leadership team truly prepared to answer for it?