The Cyberbeveiligingswet comes into force on 15 August. Here's what it means.
The Eerste Kamer approved the Cyberbeveiligingswet on 7 July 2026, and it comes into force on 15 August. It's the Dutch implementation of NIS2, and after several years of delay and speculation about whether it would be watered down, the final text is confirmed. There is no transition period. From 15 August, around 8,000 organisations across 18 sectors are directly in scope, and many more will be pulled in through their customers.
If you're not sure whether your organisation is affected, we built a short check for exactly that question: simler.ai/cbw-check. It takes a few minutes.
What changes
The core of the law is a duty of care. You're expected to take appropriate technical and organisational measures against cyber risk, and to be able to demonstrate them when a supervisor asks. Ten sector authorities can inspect and enforce, so "demonstrate" is meant literally.
A few specifics are worth knowing. Significant incidents have to be reported quickly: an early warning within 24 hours and a fuller report within 72. Board members are now personally accountable for cyber risk management and have to understand it well enough to judge the measures, so this can no longer sit quietly with the IT department.
Then there is the supply chain. If your organisation is in scope, you're also responsible for the cyber risk your suppliers introduce, which means you'll be expected to hold them to the same standard. In practice this reaches far beyond the 8,000 organisations the law names. If you deliver to a hospital, a bank, a utility or a government body, you'll be asked to show that your own security is in order, whether or not the law names you directly. A lot of companies who assumed this wasn't their problem are about to find it in their contracts.
The shift here is sharper than it looks. Most organisations already have a security policy and an incident response plan on file. What the law demands is that you can prove they actually work. One of the duty-of-care measures is testing the effectiveness of your response, and a plan that has never been run under pressure is exactly the kind that fails when it matters and can't be defended to a supervisor afterwards.
How we can help
This is what simler is built for. We run cyber crisis simulations, tabletop exercises, based on your own context: your systems, your policies, and how your organisation actually works. AI fills the roles you can't easily staff for an exercise, the scenario adapts as your team responds, and every session ends with a debrief report. That report is evidence you can put in front of a supervisor, and it's also a clear set of learnings and next steps: where the response held, where it broke, and what to fix before the next one.
Readiness is not a fixed state you reach once. Teams change, responsibilities shift, and the threats you rehearsed last year are not the ones you'll face this year. A single exercise gives you a snapshot and a false sense of security; it says very little about how your team will perform in six months. The value is in the repetition: running the exercise often enough that responding to a crisis becomes something your people have actually practised, rather than something they improvise for the first time under real pressure. That's what we mean by repeatable readiness, and it's what the testing requirement in the law is really asking for.
If you want to know where you stand right now, the CBW check is a sensible first step, and we're happy to talk through what a first simulation would look like for your team.
Frequently asked questions
When does the Cyberbeveiligingswet come into force?
On 15 August 2026. The Eerste Kamer approved the law on 7 July 2026, and there is no transition period: from the start date, around 8,000 organisations across 18 sectors are directly in scope.
Is my organisation affected by the Cyberbeveiligingswet?
The law directly names around 8,000 organisations across 18 sectors, but the supply-chain provisions reach much further: if you deliver to a hospital, a bank, a utility or a government body, you'll be asked to demonstrate your own security is in order. The CBW check at simler.ai/cbw-check answers it in a few minutes.
What do organisations have to demonstrate?
The core is a duty of care: appropriate technical and organisational measures against cyber risk, demonstrable when a supervisor asks. That includes testing the effectiveness of your response — a plan that has never been run under pressure can't be defended afterwards.
What changes for board members?
Board members are now personally accountable for cyber risk management and have to understand it well enough to judge the measures. It can no longer sit quietly with the IT department.
Ready to practice it for real?
Generate a tabletop exercise tailored to your organization in minutes.
Sign upKeep reading
What NIS2 Article 21 actually requires for cybersecurity exercises
NIS2 doesn't just ask for technical controls. Article 21 expects you to test how well your organization responds — and to prove it. Here is what that means in practice.
How to run a tabletop exercise: a step-by-step guide
From objectives to debrief: the seven steps of a tabletop exercise that actually changes how your team responds — and the mistakes that flatten most of them.
AI-driven vs consultant-led tabletop exercises: an honest comparison
Consultant-led tabletops cost thousands and happen once a year. AI-driven exercises cost a subscription and happen monthly. Here is where each model wins — without the vendor gloss.