Quick scan of cybersecurity regulations and obligations
Advice on the implications of cybersecurity legislation
A complex landscape of laws and (sectoral) regulations has emerged in the field of cybersecurity. In addition to existing privacy legislation (GDPR), which mandates appropriate security of personal data and the reporting of data breaches, extra and partly comparable obligations have been introduced for companies and government bodies in the field of cybersecurity.
For many companies and government bodies, it is unclear, or insufficiently clear, exactly which obligations they must comply with and what these consist of. Our specialists are happy to assist you with legal advice regarding which cybersecurity legislation applies to your organization and what this means for you in practice.
Overview of European and national legislation
Below is a – non-exhaustive – overview of European and national legislation by way of illustration.
Network and Information Systems Directive 2 (NIS2) and Cybersecurity Act
The NIS2 is a European directive that sets strict cybersecurity rules for companies from various sectors (provided they have a certain 'size').
The 'Cybersecurity Act' (Cbw) is expected to enter into force in 2026. The Cbw implements the NIS2 Directive, and pursuant to this, companies will have a duty of care regarding the security of their IT environment. More specifically, companies active in certain sectors and government agencies(!) will be required to take appropriate security measures to protect their network and information systems against incidents. They will also be required to report significant IT incidents to the relevant supervisory authority.
The NIS2 and the Dutch Cbw are not easy to understand; this is complex legislation.
Whether your organization falls under the Cbw depends on the sector in which you operate and on your size (number of employees and annual turnover). The duty of care is elaborated in ten (minimum) security measures listed in the NIS2 and the Cbw, but the EU or the Dutch government may establish further (sectoral) rules for specific sectors and/or types of entities. The same applies to the reporting obligation: the NIS2 and Cbw determine when an incident is 'significant' and must be reported, within which timeframe(s), and what information must be provided, but this is described quite broadly and leaves much room for interpretation. Here too, supplementary rules can be, and in some cases already have been, established for specific entities or sectors.
The Board must approve the measures and supervise their implementation. Failure to do so may lead to directors' liability, fines, and sanctions (such as the suspension of a member of the Board).
It is important to obtain sound and thorough legal advice regarding the NIS2 and Cbw, and our specialists at De Vos & Partners Advocaten are happy to assist you with this.
DORA (Digital Operational Resilience Act)
The financial sector must continue to function resiliently in the event of serious operational disruptions. To this end, DORA has been introduced by Europe, a regulation that aims to achieve a high common level of 'digital operational resilience' for the financial sector. DORA applies to almost all financial entities regulated in the EU (including banks, insurers, investment firms, pension funds, and payment service providers).
The DORA sets requirements regarding:
- IT risk management (implementation of a risk framework);
- Periodic testing of digital operational resilience;
- Risk management when outsourcing to (critical) third parties (including contractual requirements);
- Reporting serious ICT-related incidents to the competent authority (including the obligation to notify affected parties).
Ultimate responsibility lies with the management body, and just as with NIS2 and the (draft) Cybersecurity Act, heavy fines can be imposed for non-compliance.
The DORA has been in effect since January 2025, and from that moment on, the rules must be implemented by companies active in the financial sector.
It is important to note that the DORA also applies to ICT suppliers of financial institutions designated as critical by the EU: they come under the direct supervision of the European financial regulators.
CRA (Cyber Resilience Act)
The CRA is an EU-wide regulation for the (cyber)security of digital products throughout their entire lifecycle. In short, the cybersecurity requirements of the CRA apply to manufacturers and distributors/importers of hardware and software. Most obligations apply to manufacturers; they bear full responsibility for a secure product and are required, among other things, to assess conformity. Depending on the type of product (regular, major, or critical), this is done via self-assessment or assessment by an external party.
Importers, too, are required to guarantee the security of their digital product and to actively verify whether products comply with the CRA. If an importer markets the product under its own brand, the importer is considered the manufacturer, and all CRA obligations applicable to a manufacturer apply.
Distributors are only required to exercise appropriate due care. Among other things, this means that they must check for the presence of a CE marking on the digital product.
In summary, the CRA:
- Sets requirements for products with digital elements (i.e. software and hardware, such as 'smart devices');
- Introduces, among other things, a duty of care for manufacturers regarding cybersecurity for the entire lifecycle (including the development phase) and an obligation to report vulnerabilities and incidents;
- Imposes an obligation to effectively handle vulnerabilities during the lifecycle and to make security updates available for at least 5 years.
The security requirements of the CRA must be applied to hardware and software products placed on the market in the EU as of December 11, 2027. However, as of September 11, 2026, manufacturers of these products are already subject to a reporting obligation regarding actively exploited vulnerabilities and serious incidents.
Supervision and enforcement are further elaborated in the Dutch 'Implementation Act for the Cyber Resilience Regulation' (currently still in draft). For the time being, supervision and enforcement will formally be vested in the Ministry of Economic Affairs; in practice, however, they will be carried out by the National Inspectorate for Digital Infrastructure (RDI).
The Cybersecurity Act
Also referred to in Dutch as the 'Cybersecurity Regulation'.
Under the Cybersecurity Regulation, the European Union Agency for Network and Information Security (ENISA) receives more tasks and resources. The goal is, among other things, to assist EU Member States in dealing with cyberattacks.
It also provides a framework for a European certification system that will enable companies to apply for a European security certificate for their ICT products, services, and processes (recognized in every Member State). To that end, 'cybersecurity certification schemes' can be established. The European Commission (EC) will be empowered to adopt European security certificates for categories of ICT products, services, and processes. By way of illustration: the 'European Cybersecurity Scheme on Common Criteria' ('EUCC') has already been adopted and governs certification for ICT products.
