Podcast recording with Albert Hankel (left in photo) and Niels Weijers (right in photo).
Podcast

SURFshort

What you need to know about... The Cybersecurity Act

Are we prepared for a major cyberattack? This question is more relevant than ever. In this episode, host Niels Weijers talks to Albert Hankel, team leader Security & Privacy at SURF, about the new Cybersecurity Act (Cyberbeveiligingswet, Cbw). What does this act entail? What will change for institutions? And how can you ensure that you not only comply with it, but also become stronger as a result?

This podcast is in Dutch

With recent incidents in education and increasing digital dependence, cyber security is high on the agenda.

What is this episode about?

In this episode, you will hear, among other things:

  • What exactly the Cybersecurity Act entails
  • What reporting obligations, registration obligations, duty of care and supervision mean
  • Elements that have not yet been finalised in the proposed Act
  • What this means in concrete terms for administrators
  • How SURF and SURFcert support institutions
  • Why this Act must be more than just a compliance exercise

What is the Cybersecurity Act?

The Cybersecurity Act is the Dutch implementation of the European NIS2 Directive. The Cbw requires certain sectors to demonstrate that their cybersecurity is in order. The Act has not yet been fully passed by Parliament, but Albert expects it to come into force on 1 May 2026.

The Act consists of four key components:

  1. Reporting obligation
    Serious cyber incidents must be reported to the competent authorities.
  2. Registration obligation
    Organisations must register and provide insight into their digital infrastructure so that they can respond quickly to threats.
  3. Duty of care
    Institutions must comply with a set of risk-based cybersecurity measures, including attention to chain and supplier management.
  4. Supervision
    Compliance will be supervised. Depending on the classification (essential or important entity), this will be done proactively or retrospectively. Directors will also be explicitly responsible for ensuring that cybersecurity is in order. They must demonstrate knowledge of cyber risks.

The NCSC is responsible for setting up these processes and wants to organise them centrally as much as possible. For the time being, SURFcert has been designated as the sectoral facility for higher education.

Why is this law necessary?

Digitisation is becoming increasingly intertwined with primary processes in education and research. If these systems fail or are attacked, this has a direct impact on society.

It is not only the physical infrastructure that needs to be secured. The same applies to the digital infrastructure. The law sets a minimum standard and ensures a level playing field within Europe.

What does this mean for higher education?

The Netherlands has announced its intention to bring higher education under the scope of the law. As of 1 May 2026, this will mean the following for institutions:

  • They must register.
  • They must be able to report serious incidents.
  • They must comply with the duty of care within three years.
  • Administrators will be given additional responsibilities and will be required to undergo training and obtain certificates in the field of cybersecurity.

SURF, SURFcert, OCW and the Education Inspectorate are in discussions about the exact details, such as the definition of a “serious incident” and how supervision will be organised. They are also discussing how to make the threshold for reporting minor incidents as low as possible, so that the sector can learn from these incidents.

An important principle of SURF is that the sector must not only comply with the law, but also become stronger as a result. For example, through knowledge sharing and joint support.

What are the benefits for institutions?

Many institutions are already well advanced in the field of cybersecurity. For example, they work with the SURFaudit information security assessment framework.

Nevertheless, the Cybersecurity Act adds additional elements, such as:

  • A stronger focus on risk-based working
  • Mandatory chain and supplier management
  • Formal administrative responsibility

The challenge is to view the Act not only as an obligation, but also as an opportunity to structurally raise cybersecurity to a higher level. One component of the Cybersecurity Act is that SURFcert must provide assistance to institutions. Although this is already happening, the Act will soon offer scope to shape that support in a more active way.

What can you do now?

For many institutions, this means:

  • Increasing administrative involvement
  • Preparing reporting and registration processes
  • Putting multi-factor authentication and other basic measures in place

The implementation mainly affects IT, CISOs and administrators, but ultimately has an impact on the entire organisation.

Want to learn more?

Would you like to know more about the Cybersecurity Act and what it means for your institution?

Visit SURF's Security Expertise Centre: sec.surf.nl/cyberbeveiligingswet

Here you will find background information, explanations and practical tools.

About SURFshort

Every month we update you in 15 minutes on technological developments in education and research with a new SURFshort.
