PONT Data&Privacy

Drivers and the Cybersecurity Act

The Cybersecurity Act ("Cbw") is expected to take effect in the second quarter of 2026. The Cbw aims to strengthen the cybersecurity obligations of entities in sectors with social or economic weight. The Cbw also includes provisions on oversight, enforcement and additional responsibilities for directors of so-called essential or important entities.

October 30, 2025

In this blog, we discuss the responsibility of directors of so-called essential and important entities. We address what the Cbw requires of directors, what knowledge and skills they must possess, and how they can share duties with, for example, the Chief Information Security Officer ("CISO").

The role and obligations of directors

The Cbw makes directors ultimately responsible for compliance with all Cbw obligations. Among other things, directors must ensure that the organization is registered with the National Cyber Security Centre's digital counter. In addition, directors maintain contact with supervisory authorities and Computer Security Incident Response Teams ("CSIRTs") when significant incidents occur. Directors identify relevant cyber risks, establish and approve appropriate control measures, and actively monitor their implementation.

Responsibility rests with the formal board or, in the case of a one-tier board, with the executive directors. In other legal forms, responsibility rests with those who actually direct the entity (the de facto directors). For government bodies, the minister, the municipal executive (mayor and aldermen) or the executive board is responsible.

Required knowledge and skills

Directors can only make sound decisions if they have sufficient knowledge of cybersecurity. They are therefore required to attend regular cybersecurity training. This training obligation enables them to understand risks, assess measures and their impact, and make informed decisions. From the entry into force of the Cbw, a transition period of two years applies (or, for new appointments, two years after taking office). After that, directors must demonstrably keep their knowledge current, including through certified training.

Every director must have the knowledge and skills to:

  • Be able to identify risks to the security of network and information systems;

  • Be able to assess risk management measures; and

  • Be able to assess the impact of risks and risk management measures on service delivery.

In practice, this means that directors must:

  • Be able to recognize and interpret typical threats and vulnerabilities. These include, for example, malware/ransomware, phishing, insider threats, supply-chain risks, Distributed Denial of Service attacks, misconfigurations and third-party dependencies;

  • Have an understanding of the risk management process: how risks are identified, analyzed, prioritized and addressed, how the risk register and reporting lines function, and the organization's risk appetite and thresholds; and

  • Be able to assess and prioritize risk management measures and weigh their impact against effectiveness, proportionality and cost.

The exact knowledge requirements may be specified by order in council.

Concrete administrative tasks

In addition to the requirements around knowledge and training, the Cbw also prescribes what directors must do in practice. The main managerial duties are:

1. Integrate cyber risk management

  • Cybersecurity is a core component of risk strategy.

  • The board is ultimately responsible for an effective risk management process that is continuously monitored and improved.

2. Adopt and approve policies

  • The board adopts and approves the information security policy.

  • Policies include preventive measures, incident response, training and supply-chain security.

3. Incident management and notification requirements

  • The board ensures a well-established incident response procedure that also covers Operational Technology ("OT") systems. A vulnerability in IT can directly affect physical processes in OT. Directors must therefore ensure an integrated approach, in which incident response includes OT scenarios and the risks from both domains are managed in conjunction.

  • Significant incidents are reported to supervisory authorities and CSIRTs in a timely manner.

The role of the CISO

To implement and flesh out cybersecurity policies, many organizations appoint a CISO. Appointing a CISO is not mandatory, but it is recommended for large organizations.

The board remains ultimately responsible for compliance with the Cbw; the CISO serves in a supporting role. For example, a CISO can:

  • Advise: translate technical risks into strategic and operational impact;

  • Coordinate: monitor the implementation and progress of measures; and

  • Monitor: review compliance with policy and report periodically.

Liability

Directors who fail to take responsibility, or take insufficient responsibility, for compliance with the Cbw run the risk of civil liability. In addition, supervisory authorities may take enforcement action against them.

Conclusion

The Cbw makes cyber resilience a key priority for directors. The new law brings many new obligations, responsibilities and risks for directors of essential and important entities. It is therefore important for directors to inform themselves and prepare in a timely manner.

Want to know what obligations apply to you as a director and how you can legally protect your organization and yourself? Then contact Anna Sträter, Bente van Kan, Wouter Fledderus, Machteld Robichon or Ole Oerlemans.

Want to know more about the Cbw? Read our other blogs:

The Cybersecurity Act: new legal foundation for digital resilience

The scope of the Cybersecurity Act
