The Dutch Cybersecurity Act (Cbw — Cyberbeveiligingswet) is the national implementation of the EU NIS2 directive. It imposes cybersecurity obligations on essential and important entities — including healthcare, financial services, energy, drinking water, digital infrastructure, government, and the entire higher education sector (universities and polytechnics). The Cbw replaces the older Wbni and places explicit liability on management.
Why the Cbw was introduced
On 17 January 2023 the NIS2 directive (Network and Information Security 2) entered into force as the successor to NIS1. NIS2 dramatically expanded scope and introduced direct board liability. Member states had to transpose NIS2 into national law before 18 October 2024.
The Netherlands did this through the Cyberbeveiligingswet (Cbw), with implementation rules in the Cyberbeveiligingsbesluit (Cbb). It replaces the earlier Wbni and entered into force in 2024-2025. Sector-specific regulators supervise: IGJ (healthcare), DNB (finance), RDI (digital infrastructure), and ministries (government).
Important: the Cbw applies directly to Dutch organisations. The binding text is the Dutch Act, not the EU directive — although the directive may be consulted as interpretation aid where the Cbw is silent.
Who falls under the Cbw?
The Cbw distinguishes essential and important entities. Essential entities are under proactive supervision (regulators may audit unannounced); important entities are under reactive supervision (only on signals or incidents).
- Essential sectors (Cbw art. 8): energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, government, space.
- Important sectors (Cbw art. 9): postal & courier, waste management, chemicals production/distribution, food production/processing, manufacturing, digital service providers, research organisations, higher education (HBO and universities).
- Thresholds: typically 50+ employees or €10M annual turnover, with exceptions for specific critical entities.
The three pillars of the Cbw
The Cbw has three main obligation areas, typically addressed in parallel during implementation:
- Cbw article 21 — Duty of care. Risk management, incident handling, business continuity, supply chain security, asset management, cryptography, access policy and cyber hygiene must be demonstrably in place. Awareness training is explicitly part of this.
- Cbw article 24 — Governance. Board members must complete cybersecurity training and are personally liable for culpable negligence. The board must actively steer implementation.
- Cbw article 25 — Reporting duty. Significant incidents must be reported in three phases: early warning within 24 hours, intermediate report within 72 hours, final report within one month.
Cbw versus NIS2 — why Dutch organisations should read Cbw first
NIS2 is an EU directive — a minimum framework leaving room for national implementation. The Cbw is the Dutch implementation and contains stricter or additional rules: e.g. the definition of "significant incident", supervisory powers, and sector designations.
For Dutch organisations: the Cbw is binding, not the directive text. A Cbw audit tests against the Cbw, not directly against NIS2. The directive can serve as interpretation aid where the Cbw is unclear.
Practical guidance: although much marketing material refers to "NIS2 compliance", supervision and enforcement always apply Dutch law. Awareness training and compliance documentation should therefore be framed around the Cbw first, with NIS2 as secondary reference.
Sanctions and fines under the Cbw
The Cbw provides substantial sanctions. Essential entities can face fines up to €10 million or 2% of global annual turnover (whichever is higher). For important entities the maximum is €7 million or 1.4%.
Beyond fines, regulators have powers to issue directives, withdraw certifications, and in serious cases temporarily remove board members from their roles — a direct consequence of board liability under Cbw article 24.
In the first 12-18 months after entry into force, regulators typically apply a graduated approach with a focus on "reasonable progress". However, the Cbw art. 24 board training requirement is enforced from day one.
See how 2LRN4 turns this topic into a workable Cbw programme with training, phishing simulation and board reporting.
Related in the knowledge base
- Cbw article 24: the board training obligation explained
- What is NIS2 awareness?
- Audit evidence for awareness
Sources
- Cyberbeveiligingswet (official text)
- Digital Trust Center — Cbw / NIS2 portal
- NIS2 directive (EUR-Lex)
FAQ
When does the Cbw apply?
The Cyberbeveiligingswet entered into force in stages during 2024-2025, with most obligations fully active in 2025. Sector-specific implementation decrees may set additional deadlines — consult the Cyberbeveiligingsbesluit (Cbb) for details.
Does my organisation fall under the Cbw?
That depends on sector and size. General threshold: 50+ employees or €10M turnover, in a designated sector. The Digital Trust Center (DTC) has an online checker.
What if I fall under NIS2 but not the Cbw?
In the Netherlands that distinction does not exist in practice. The Cbw is the Dutch NIS2 implementation; if NIS2 applies and you are based in the Netherlands, the Cbw applies. For multinationals, the main-establishment rule from NIS2 art. 26 determines the national law.
How does this relate to GDPR and NEN 7510?
Overlapping but different focus. GDPR covers personal data; Cbw covers general cybersecurity; NEN 7510 specifically covers healthcare information security. A good compliance programme addresses all three where applicable, often through one governance structure.
How do I start with Cbw implementation?
Three steps: (1) determine if you are in scope and assign an accountable board member; (2) gap analysis against Cbw articles 21, 24 and 25; (3) build an implementation plan prioritising art. 24 board training (enforced immediately) and art. 21 organisational measures.
Which regulator is responsible?
Sector-dependent: healthcare → IGJ, finance → DNB, digital infrastructure → RDI, government → BZK or competent authority. The Digital Trust Center (DTC) helps identify the relevant regulator.