On March 7, 2025, the Internet consultation of the draft implementation law Regulation Cyber Resilience was launched. This bill regulates the implementation of the Regulation on Cyber Resilience, or Cyber Resilience Act, which came into force on December 10, 2024, in the Netherlands. The consultation period runs through April 6, 2025.
Consumers, businesses and other organizations in the EU need to be confident that the digital products they use are secure. This is also important for Europe's digital resilience. The European Cyber Resilience Regulation (or CRA) therefore introduces cybersecurity requirements for all products with digital elements. This includes hardware, software and individual components that will be made available on the market in the European Union from December 11, 2027. From Sept. 11, 2026, manufacturers of these products will be subject to notification requirements for actively exploited vulnerabilities and serious incidents. The regulation has direct effect and is therefore not transposed into national legislation. However, an implementing law should determine who will be designated to implement, supervise and enforce the CRA in the Netherlands, as well as the associated penalty powers and legal protection.
You can comment on the draft bill addressing these issues:
The bill designates the Minister of Economic Affairs, in practice the Rijksinspectie Digitale Infrastructuur (RDI), as the authority responsible for the procedure to assess, notify and monitor conformity assessment bodies. The bill thereby stipulates that the assessment and monitoring of these bodies should be done through accreditation.
In addition, the proposal places supervision and enforcement in the hands of the Minister of Economic Affairs (RDI), as the national market surveillance authority, which is given the power to impose administrative fines of the maximum size prescribed in the regulation in case of violation.
An appeal procedure for the decisions of the market regulator is also established.
Finally, the draft proposal designates the National Cyber Security Center (NCSC) as the Computer security incident response team (CSIRT) that will be in charge of setting up and implementing the mandatory notification hotline for actively exploited vulnerabilities and serious incidents.
From March 7 to April 4, 2025, anyone can comment on the draft implementing law Regulation Cyber Resilience.. The purpose of the consultation is to involve stakeholders in the creation of this implementing law. After the consultation period has ended, all responses will be reviewed and, where necessary, incorporated into the implementing law.
Please visit overheid.nl to see the draft implementation law To participate in the consultation.
