studenten lopen door de gang
News

Cybersecurity Act: current status, timetable and implications for higher education

The Cybersecurity Act (Cbw) comes into force on 15 August 2026, but not yet for higher education. Why is that? In this article, you can read why it is taking longer for higher education institutions and what you can do now to prepare.

Why is there still no specific date of entry into force?

The Cybersecurity Act (Cbw) is the Dutch implementation of the NIS2 Directive, which was adopted in November 2022. EU Member States were required to transpose this directive into national law by October 2024 at the latest.

The European deadline has therefore already passed, which is why the government wishes to bring the Act into force as soon as possible following its approval by the Senate. The Senate passed the Act on 7 July 2026. This means that the Act will come into force on 15 August 2026. For most sectors, the Act will apply immediately, but the situation is different for higher education.

Visuele tijdlijn NIS2: van 2022 tot 2026

A Dutch timeline of NIS2

Why is it taking longer for higher education?

The fact that the Cbw will not come into force for higher education until later is due to the structure of the European NIS2 Directive. Unlike, for example, the GDPR, the NIS2 Directive does not apply to all organisations, but only to sectors that are explicitly named. These sectors, such as healthcare and banking, are obliged to comply with the legal provisions of the NIS2 Directive. They have therefore known for several years that this was coming their way.

Only the education sector is an exception: under the NIS2 Directive, EU Member States are free to decide for themselves whether educational institutions fall within the scope of the legislation. The Netherlands did not take a decision on this until April 2025. At that time, the then Minister for Education announced his intention to designate publicly funded higher education institutions as organisations to which the Cyber Security Act would apply (other educational institutions are therefore not covered). As a result, it was not until much later that it became clear to these institutions that they would have to comply with the Act, and the Ministry of Education also had to set about drawing up the necessary regulations and agreements afterwards.

Given the tighter deadlines, an exception has therefore been included in the Act for the education sector: to give educational institutions time to prepare, the date by which they must comply with the duty of care has been postponed for them.

What does this mean in practice for higher education?

For most sectors, the Cbw obligations will apply immediately once the Act comes into force. The situation is different for the education sector: the designation of institutions is carried out via a ministerial regulation issued by the Ministry of Education, Culture and Science (OCW), namely the Higher Education Cybersecurity Regulation. That decision may also be taken after the Act has come into force.

Moreover, the Ministry itself still needs time to put the necessary framework in place, such as designating the relevant institutions, the supervisory authority and the CSIRT. For this reason, the Minister will not bring the Higher Education Cybersecurity Regulations into force until some time after the Act comes into force. The aim is to do this as soon as possible after the Cbw comes into force, which is expected to be in the winter of 2026. From that moment onwards, the Cbw obligations will apply to publicly funded higher education. The duty of care set out in the Act will come into force three years later.

In summary, the timetable is as follows:

  • 15 August 2026: The Cyber Security Act comes into force for all sectors already designated in the directive in 2022.
  • Winter 2026 (expected): official designation of publicly funded higher education and the entry into force of the majority of the Cbw obligations.
  • Three years after the official designation: entry into force of the duty of care for publicly funded higher education.
NIS2 fasering rechten en plichten per 15 augustus 2026 voor bijna alle sectoren of hoger onderwijs.

Phasing in of rights and obligations under the Cybersecurity Act

What can you, as a higher education institution, do right now?

Although the definitive start date has not yet been set, you can already start preparing as an educational institution:

  • register your institution now to comply with the registration requirement – use the registration guide for this;
  • Prepare for the reporting obligation and, ideally, start using the reporting procedure on a voluntary basis now;
  • Read all the relevant articles on preparing for the Cyber Security Act on our Cbw focus page.

Also take a look at the frequently asked questions about the Cbw. If you’re still unsure, please contact us via sec@surf.nl.

About the Cybersecurity Act

The Cybersecurity Act (Cbw) is the Dutch implementation of the NIS2 Directive and requires a structured approach to governance, risk management and incident response. For SURF and the members concerned, this means not only complying with legal obligations, but also working together to achieve a higher level of digital resilience. On the Security Expertise Centre website, you will find guidance and resources to help you get started right away.

The original article can be found on the website of the Security Expertise Centre.

Related topics: