
Cybersecurity Act effective August 15, 2026: what you need to know
Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript
Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript

What exactly is the Cybersecurity Act?
The Cybersecurity Act is the Dutch implementation of the European NIS2 Directive. It replaces the current Network and Information Systems Security Act (Wbni) and imposes stricter cybersecurity requirements on organizations across 18 different sectors. Think of energy, drinking water, digital infrastructure, healthcare, government, and transport.
Starting August 15, 2026, new obligations will apply to approximately 10,000 organizations in the Netherlands. And that is just the tip of the iceberg, as the law also has a ripple effect throughout the supply chain. Are you a supplier to an organization covered by the law? Then you will still have to deal with it through your client. This is expected to affect tens of thousands of suppliers.
No transition period
This is perhaps the most important thing to remember: there is no transition period. As of August 15, you must be in full compliance with the law. Not in six months, not "when you have time." Immediately.
For organizations covered by the law, this means, among other things:
- Registration requirement. You must register in the entity register of the National Cyber Security Centre (NCSC). This is mandatory as of August 15.
- Duty of care. You must take appropriate measures to manage the risks to your network and information systems.
- Reporting obligation. You must report significant cyber incidents.
- Management accountability. The board is explicitly responsible for managing cyber risks and must possess sufficient knowledge to do so.
Three common misconceptions
1. "The law probably won't go through anyway."
That is outdated. The law has been passed, the content has not been watered down, and the effective date is set.
2. "This doesn't apply to us."
Even if you aren't directly covered by the law, you may still be affected through your supply chain. Large clients who are subject to the law will ask their suppliers to demonstrate that they also operate securely. If you cannot do so, there will be consequences.
3. "There won't be much oversight."
Also untrue. There are ten authorized regulators that will monitor and enforce compliance both proactively and reactively. Inspections will take place, and you must be able to demonstrate that you have taken appropriate measures.
How do you show that you are compliant?
There is no such thing as an official "NIS2 certificate." The law itself does not prescribe a specific quality mark. However, that does not mean there is nothing you can do to demonstrate that you have your affairs in order. There are a few routes that work well in practice:
- The NIS2 Supply Chain quality mark. This independent label has three levels (SC10, SC20, and SC30), tailored to your risk profile and the role you play in the supply chain. Especially for suppliers who need to demonstrate that they work securely, this is a manageable route.
- ISO 27001. Do you already have this certification? Then you are already well on your way. Large parts of your existing management system count toward compliance, making the path to demonstrable NIS2 compliance much faster.
- Sector-specific standards. If you work in healthcare, then NEN 7510 is relevant. If you work in the public sector, then the BIO a role. The content of these standards aligns well with the requirements of the Cyber Security Act.
{{LINKCARD}}
What can you do right now?
Waiting until August 15th is not an option; there is simply too much work to be done. Here are a few things you can start on today:
- Determine whether your organization falls directly under the law or if you will be affected through your supply chain.
- Prepare your NCSC registration. This takes more time than you might think.
- Map out where you currently stand in relation to the requirements, for example by conducting a gap analysis.
- Determine which route (NIS2 Supply Chain, ISO 27001, or a combination) best suits your organization.
Need help determining your route?
The Cyber Security Act is new to everyone, and no two organizations start from the same position. At Fendix, we help companies every day to make these types of processes manageable, from an initial gap analysis to full guidance toward demonstrable compliance.
Would you like to know where your organization stands and which steps make the most sense for you? Schedule a no-obligation, free consultation with us; we are happy to think along with you without any strings attached.




.webp)
















