Tags: cybersecurity, NIS2, Cybersecurity Act, SME, legislation, compliance

Cybersecurity Act 2026: What Every SME Needs to Know Now

ZeroCode Ventures, 31 March 2026, 7 min read

The Dutch parliament debated the Cybersecurity Act (Cyberbeveiligingswet) on March 23. Votes are expected in the coming weeks. If they pass — and everyone expects them to — the law takes effect in the second quarter of 2026. That's just months away.

The Cybersecurity Act is the Dutch implementation of the European NIS2 directive. Its goal: strengthening the digital resilience of organisations. Sounds abstract? It's not. This law directly affects approximately 10,000 organisations in the Netherlands. And through its supply chain requirements, many times that number. There's a good chance your business is among them.

Three Obligations You Need to Know

The Cybersecurity Act revolves around three pillars. Every organisation that falls under it must comply with all three.

1. Duty of Care

You must take appropriate technical, operational and organisational measures to safeguard the security of your network and information systems. This means: conducting risk assessments, establishing security policies, arranging incident management and training employees. Not once, but continuously.

2. Reporting Obligation

In the event of a significant cyber incident, you must file an initial report within 24 hours with the CSIRT or the regulator. A more detailed report follows within 72 hours. That's fast. If you don't have an incident procedure now, you're already too late when something goes wrong.

3. Registration Obligation

Organisations that fall under the law must register with the Dutch Digital Infrastructure Authority (RDI). This way, the regulator knows who is in scope and can enforce accordingly.

Who Does It Apply To?

The law distinguishes between essential and important entities. Essential entities operate in sectors like energy, transport, healthcare, drinking water and digital infrastructure. Important entities are active in sectors like postal and courier services, waste management, food production, chemicals and digital providers.

But here's where it gets interesting for SMEs. The law generally applies to medium and large organisations in these sectors. Small businesses with fewer than 50 employees and less than 10 million euros in revenue are mostly exempt.

Yet as a small business, you can't sit back. And that has everything to do with the supply chain.

Supply Chain Responsibility: Why It Affects You Too

The Cybersecurity Act requires organisations that fall under it to safeguard the security of their entire supply chain. This means they will impose requirements on their suppliers. And if you supply to a company that falls under the law, those requirements land on your desk.

This is already happening. IT companies report a clear increase in requests from businesses that don't fall directly under NIS2 but supply to clients that do. The questions are coming: "Do you have a security policy? How do you handle incidents? Can you prove it?"

Think of an installer supplying to a hospital, an IT service provider for a transport company, a caterer for an energy company, or an accountant for a water utility. The chain is longer than you think.

Directors Personally Liable

This is perhaps the most impactful element of the law. Directors are held personally liable for shortcomings in their organisation's cybersecurity. Not the company. You personally.

In cases of negligence, directors can not only face fines but also be temporarily removed from their position. Fines can reach up to 10 million euros or 2 percent of global annual turnover, whichever is higher.

The board must approve the risk assessment, oversee the implementation of measures and personally undergo cybersecurity training. "That's what I have my IT guy for" is no longer a valid excuse.

Three 2026 Deadlines to Remember

2026 is the year of digital compliance. Besides the Cybersecurity Act, two more deadlines affect SMEs:

Q2 2026: Cybersecurity Act (NIS2). The law is expected to take effect after parliamentary approval. Direct application for essential and important entities. Supply chain effect for suppliers.

August 2, 2026: EU AI Act training obligation. Every business using AI systems must ensure employees are sufficiently AI-literate. Fines up to 35 million euros.

August 2026: EU AI Act fully in force. Full obligations for high-risk AI systems become binding. This includes AI in recruitment, credit scoring and customer service.

Three laws, one message: digital compliance is no longer optional.

Five Steps to Prepare

You don't need ISO 27001 certification to get started. But doing nothing is no longer an option. You can tackle these this month:

1. Determine If You're in Scope

Take the NIS2 Quick Scan on the RDI website. It tells you within minutes whether your organisation falls directly under the law. Not in scope? Check whether you supply to organisations that are.

2. Conduct a Risk Assessment

Map out which systems you use, where your data lives, who has access and what happens if a system goes down. Start with the basics: which systems are business-critical? What if your email is down for a week? What if customer data is exposed?

3. Establish an Incident Procedure

Who calls whom when something goes wrong? Who has authority to shut down systems? Where are the backups? If you can't answer these questions within five minutes, you have work to do. The law requires a report within 24 hours — you need to know what to do.

4. Train Your Employees

The weakest link in cybersecurity is almost always people. Phishing, weak passwords, unsecured devices. A short training session makes a world of difference. This also connects to the AI literacy requirement taking effect in August.

5. Document Everything

Without documentation, you can't prove you've taken measures. Record which risks you've identified, which measures you've implemented and when you've trained employees. During an audit or after an incident, this is your evidence.

What Does It Cost to Do Nothing?

Let's be honest: the chance of the RDI showing up at your door tomorrow is small. But the risks are more real than you think.

A client asking if you're NIS2-compliant and you have no answer. A cyber incident where you don't know whom to call. A director held personally liable because there was no security policy. A supplier relationship ending because you can't meet supply chain requirements.

The cost of preparation is a fraction of the cost of an incident. The average damage from a cyberattack on an SME ranges from 50,000 to 250,000 euros. A risk assessment and a security policy are a bargain by comparison.

Start Today

The Cybersecurity Act is no surprise. The EU published the NIS2 directive in 2022. The Netherlands has had four years to translate it into national legislation. The votes are happening now. Implementation follows shortly after.

Businesses that prepare now have three advantages. They'll be compliant when the law takes effect. They can show their clients they take cybersecurity seriously. And they'll be resilient against the threats that exist regardless — law or no law.

Want to know where your business stands? Get in touch for a free AI Scan. We'll map your digital risks, determine if you're in scope of the Cybersecurity Act and identify which steps to take first. Concrete, practical and without legal jargon.
