Article 24 of the Dutch Cybersecurity Act (Cbw) requires board members of Cbw-regulated organisations to demonstrably complete cybersecurity training — and imposes personal liability for culpable negligence. This is a direct transposition of NIS2 article 20. Who falls under it, what must the training cover, how should it be documented, and what are the consequences of non-compliance? Everything boards and supervisory boards need to know about Cbw art. 24.
Who must complete board training?
The training requirement applies to "persons belonging to the body that holds the leadership" of a Cbw-regulated entity. In Dutch terms:
- Executive Boards (Raad van Bestuur)
- Supervisory Boards (Raad van Toezicht / Raad van Commissarissen)
- Directors and director-shareholders in entities without a formal board
- Aldermen, deputies, and daily executive board members in government entities
- Executive board members at universities and polytechnics (HBO and WO fall under the Cbw)
What must the training cover?
The Cbw does not prescribe a specific curriculum, but the Cyberbeveiligingsbesluit (Cbb) and regulators have published guidance. Training must enable board members to identify cybersecurity risks and assess their impact on the organisation and its services.
In practice this means: current threat landscape, Cbw obligations and governance role, personal liability, incident reporting and escalation, and translating technical risk into business strategy.
Crucially, training must be aimed at decision-makers. A general security awareness module designed for employees is not sufficient — boards need governance-level training, not user-level training.
Frequency and scope
Cbw art. 24 says "regularly". Regulator guidance interprets this as a minimum of one formal training session per board member per year, supplemented with interim updates on significant incidents or regulatory changes.
Total time investment is typically 4-8 hours per board member annually: 2-3h initial training, 2-3h refresher/depth, 1-2h scenario or table-top exercise. Multiple short sessions of 30-60 minutes work better than a single long annual session.
New board members must complete training within 6 months of appointment. Existing members typically have a 12-24 month grace period from Cbw entry into force, then annual refresh.
Documentation and evidence
Evidence is critical: in supervisory actions the first question is almost always "show that the board has been trained." What to document:
- Per board member: name, training date, content, duration, provider, completion proof
- Per organisation: training schedule for current and next financial year
- Per agenda: board meetings where cybersecurity was discussed, with minutes
- Per incident: when the board was informed, decisions taken, follow-up agreed
- Tamper-proof logs (timestamps + audit trail) are stronger than loose certificates
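The two requirements above that lend themselves to automation are the timing rules (first training within 6 months of appointment, then at least one formal session per year) and the demand for tamper-evident evidence rather than loose certificates. The following is an added example, not code from the original article or from 2LRN4: a small training register whose records carry the fields listed above, are chained with SHA-256 so that a silent edit to any past entry is detectable, and can be audited against the onboarding and refresh deadlines. The chaining scheme, the 183-day approximation of "6 months", the `audit_member` findings wording and the sample board members are constructed for illustration.

```python
"""Tamper-evident board training register with deadline checks (added example)."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import date, timedelta
from typing import List, Optional

ONBOARDING_DEADLINE_DAYS = 183   # "within 6 months of appointment" (approximation)
REFRESH_INTERVAL_DAYS = 365      # "minimum of one formal training session per year"


@dataclass(frozen=True)
class TrainingRecord:
    # Fields the article asks for per board member.
    member: str
    training_date: str        # ISO date of completion
    content: str
    duration_hours: float
    provider: str
    completion_proof: str     # certificate or attendance id issued by the provider
    prev_hash: str            # hash of the previous record (chain link)
    record_hash: str = ""     # SHA-256 over all fields above


def _digest(payload: dict) -> str:
    # Canonical JSON so the same content always hashes the same way.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class TrainingRegister:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: List[TrainingRecord] = []

    def append(self, member: str, training_date: str, content: str,
               duration_hours: float, provider: str, completion_proof: str) -> TrainingRecord:
        prev = self.records[-1].record_hash if self.records else self.GENESIS
        body = dict(member=member, training_date=training_date, content=content,
                    duration_hours=duration_hours, provider=provider,
                    completion_proof=completion_proof, prev_hash=prev)
        rec = TrainingRecord(**body, record_hash=_digest(body))
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return the index of the first record that fails the chain, or None if intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = asdict(rec)
            stored = body.pop("record_hash")
            if rec.prev_hash != prev or _digest(body) != stored:
                return i
            prev = stored
        return None


def audit_member(register: TrainingRegister, member: str,
                 appointed: date, today: date) -> List[str]:
    """Findings for one board member against the onboarding and refresh deadlines."""
    findings: List[str] = []
    dates = sorted(date.fromisoformat(r.training_date)
                   for r in register.records if r.member == member)
    deadline = appointed + timedelta(days=ONBOARDING_DEADLINE_DAYS)
    if not dates:
        findings.append("no training; onboarding deadline passed" if today > deadline
                        else "no training yet; onboarding deadline pending")
        return findings
    if dates[0] > deadline:
        findings.append("first training completed after the 6-month onboarding deadline")
    if today - dates[-1] > timedelta(days=REFRESH_INTERVAL_DAYS):
        findings.append("annual refresh overdue")
    return findings


def demo() -> dict:
    # Constructed sample data: two fictitious board members appointed on the same day.
    reg = TrainingRegister()
    reg.append("A. Example", "2025-03-10", "Cbw governance and liability", 3.0,
               "Example Provider", "CERT-0001")
    reg.append("B. Voorbeeld", "2025-09-20", "Cbw governance and liability", 3.0,
               "Example Provider", "CERT-0002")
    today = date(2026, 5, 1)
    result = {
        "intact": reg.verify() is None,
        "a": audit_member(reg, "A. Example", date(2025, 1, 15), today),
        "b": audit_member(reg, "B. Voorbeeld", date(2025, 1, 15), today),
    }
    # Simulate a quiet after-the-fact edit of the first record's duration.
    reg.records[0] = replace(reg.records[0], duration_hours=0.5)
    result["tamper_index"] = reg.verify()
    return result


if __name__ == "__main__":
    print(demo())
```

The chain only makes edits detectable if the latest `record_hash` is also kept somewhere the register's administrator cannot change alone, for example reported in the board minutes or handed to the internal auditor each quarter; a chain stored entirely in one file can be rewritten end to end. The deadline checks are deliberately simple so that the two rules the article states can be read straight off the constants.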
Personal liability — what does it mean concretely?
Cbw art. 24 introduces direct personal liability for board members in case of culpable negligence. This is a break with the older regime where only the organisation was liable.
In severe cases regulators can impose personal fines, temporarily remove board members, and refer suspicions of criminal acts to the prosecutor. Civil liability for damage to third parties is also possible.
"Culpable" typically means: knowing or reasonably having to know about a risk, and not taking appropriate measures. A board member who can show they completed training, raised the topic, and made reasonable decisions is generally protected. One who never trained and systematically delegated cybersecurity without independent judgement is not.
Common mistakes
In the first implementation cycle regulators see the same patterns:
- Using generic employee awareness modules for the board — that is a tickbox, not demonstrable governance training
- Fully delegating cybersecurity to the CISO without board verification of progress
- No documentation of board meetings where cybersecurity was discussed
- Confusion between "compliance" and "security" — an organisation can be Cbw-compliant on paper while operationally vulnerable
- Late onboarding of new board members — gaps are immediately auditable
See how 2LRN4 turns this topic into a workable Cbw programme with training, phishing simulation and board reporting.
FAQ
Can the training be delivered online?
Yes. Cbw art. 24 does not prescribe a specific format. Online, hybrid and classroom training are all acceptable as long as completion is demonstrable and content is appropriate.
Does this also apply to supervisory boards?
Yes. The Cbw refers to "the body holding leadership", which in the Netherlands includes both executive (RvB) and supervisory (RvT, RvC) boards. Both require training, possibly with different emphases.
What if a board member refuses training?
Formally this is negligence by the organisation; materially it is negligence by the board member. The supervisory board can and must intervene; persistent refusal can lead to removal.
Does an MBA with a cybersecurity course count?
Not automatically. Training must be demonstrably aimed at the cyber role of a Cbw board member. A general MBA course rarely meets the specificity regulators expect.
What is a reasonable budget?
Per board member typically €500-€2,000/year for a professional programme with certification, e-learning and annual update session.
How does this differ from Cbw art. 21 awareness?
Art. 21 requires general awareness training for all employees. Art. 24 requires specific board training. Both are mandatory and complementary — different programmes, not one shared track.