The hack on the Prosecutor's Office in June 2025 demonstrates once again how vulnerable socially important organizations are to cyber attacks. Incidents like this underline the need for such organizations to properly organize and secure their information assets.
That need is addressed by the revised Network and Information Security Directive (EU 2022/2555; the "NIS2 Directive"). The NIS2 Directive requires member states to enact national legislation ensuring a high common level of cybersecurity for entities in critical and important sectors. In the Netherlands, the NIS2 Directive is implemented through the Cybersecurity Act. The bill for this new law was submitted to the House of Representatives on June 2, 2025.
The Cybersecurity Act aims to strengthen obligations for entities in sectors with social or economic weight. In addition, the law enshrines administrative responsibility and regulates monitoring, enforcement and cooperation with so-called Computer Security Incident Response Teams ("CSIRTs"). These are specialized teams responsible for detecting, analyzing, mitigating and resolving security incidents. The Cybersecurity Act replaces the current Network and Information Systems Security Act.
The Cybersecurity Act is expected to take effect in early 2026. The central government advises against waiting for the new law to take effect: the risks facing organizations and their systems exist today. Want to start preparing for the Cybersecurity Act now? We outline the most important obligations below.
The Cybersecurity Act applies to essential and important entities. These are entities operating in sectors of particularly high social or economic importance. Essential and important entities include, for example:
Energy companies;
Hospitals and healthcare facilities;
Drinking water facilities;
Cloud and data center services;
Digital service providers;
Financial institutions; and
Government organizations.
The Cybersecurity Act has three main obligations, grounded in the NIS2 Directive:
Duty of care (Article 21 Cybersecurity Act; Article 21 NIS2 Directive)
Essential and/or important entities must take appropriate measures to mitigate cyber risks. The Cybersecurity Act lists minimum measures and allows for sector-specific interpretation through general measures of administration or ministerial regulations (Article 21 paragraphs 1-5).
Duty to report (Article 25 et seq. Cybersecurity Act; Article 23 NIS2 Directive)
Significant incidents must be reported to a CSIRT and to the competent authority (which one depends on the sector and type of entity). Reporting takes place in phases: an early warning is submitted first, followed by an incident notification, possibly one or more interim updates, and finally a final report. The NIS2 Directive (Article 23(4)) sets the deadlines: the early warning within 24 hours of becoming aware of the incident, the incident notification within 72 hours, and the final report no later than one month after the incident notification. Organizations should therefore have an internal escalation path that can produce an initial notification within a day, even before the root cause is known.
Administrative responsibility (Article 24 Cybersecurity Act; Article 20 NIS2 Directive)
The management bodies of essential and important entities are given explicit duties: they must approve the cybersecurity risk-management measures, oversee their implementation, and follow training on cybersecurity and risk management. Under the NIS2 Directive, members of management bodies can be held liable for breaches of these duties.
The first main obligation, the duty of care, comprises ten minimum measures that organizations must take to protect their network and information systems. These measures form the core of the duty of care and are essential for structurally ensuring the digital resilience of organizations. In a nutshell, entities must:
Establish, maintain and periodically review policies for digital risk management and information system security.
Implement security aspects for personnel, access policies and asset management.
Establish procedures for business continuity, incident recovery, and crisis management.
Implement policies and procedures for the detection, reporting and handling of cyber incidents.
Provide basic cyber hygiene practices and awareness training and education to employees.
Ensure security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
Establish and implement measures related to supply chain security and supplier relations.
Establish policies for use of cryptography and encryption (key management).
Establish policies for access management and access control that restrict access to systems and data to authorized individuals, such as through the use of multi-factor authentication.
Establish policies and procedures to assess and regularly review the effectiveness of the measures taken.
In preparation for the ten measures, organizations are advised to take the following steps now:
Determine whether they fall within the definition of an essential or important entity, and therefore within the scope of the Cybersecurity Act;
Start creating or updating their cybersecurity policies;
Join a CSIRT; and
Prepare internally for reporting procedures and audits.
Although the Cybersecurity Act has not yet taken effect, it is already possible for essential and important entities to register with a CSIRT. For digital service providers, there is the CSIRT-DSP, for healthcare institutions Z-CERT, and for other sectors the National Cyber Security Center (NCSC).
Registration with a CSIRT provides access to:
Incident response, in which help is provided to mitigate the impact of a cyber incident, analyze the cause, prevent further damage and restore affected systems;
Early warnings about current threat information and cyber threats, such as new malware variants, phishing campaigns and vulnerabilities in software or systems; and
Technical analysis and support for suspicious or damaging cyber incidents.
The Cybersecurity Act brings with it new obligations. The attorneys at Bureau Brandeis will continue to keep you informed about developments.