Cyberbeveiligingswet

The Cyberbeveiligingswet (Cbw) is the Dutch implementation of the European NIS2 Directive, designed to provide better protection against cyberattacks and digital disruptions. Organisations falling within the scope of this act are required to ensure that their digital systems are properly secured. Under the Cyberbeveiligingswet, directors bear ultimate responsibility for their organisation’s cybersecurity.

Which educational institutions will be covered by the act?

The Ministry of Education, Culture and Science has designated the higher education institutions that will be covered by the act. These include universities of applied sciences and universities. Research institutes are also covered by the act. In addition, SURF has been included.

Within the SURF cooperative, we believe it is important to work together. That is why the basic principle is that members who have not been designated can continue to use the services of SURF and SURFcert and, where possible, also benefit from the measures we take.

When does the law come into force?

The Cyberbeveiligingswet (Cbw) is expected to come into force in the second quarter of 2026. From that point onwards, designated organisations must comply with the reporting and registration requirements and will have three years to meet the duty of care.

Obligations under the Cyberbeveiligingswet

The law contains a number of obligations designed to help organisations strengthen their security and manage incidents more effectively.

Care obligation

  • Organisations must take appropriate technical and organisational measures to mitigate risks. Under the Cyberbeveiligingswet, directors bear ultimate responsibility for their organisation’s cybersecurity. They must actively manage risks, policy and compliance, and possess sufficient knowledge, including through training. In the event of negligence, the regulator may hold them to account.

Reporting obligation

  • Organisations must report serious incidents in a timely manner. This allows damage to be limited and other parties to be warned. Incidents must be reported to the sectoral CSIRT (Computer Security Incident Response Team). For education and research, this is expected to be SURFcert.

Registration obligation

  • Essential and important organisations must register with the regulator. For education and research, this is the Education Inspectorate.

Read more about the Cbw 

On the website of the SURF Security Expertise Centre you will find an FAQ, in-depth articles on the obligations and practical guidance to help your organisation prepare for the Cyberbeveiligingswet. 

To the SURF Security Expertise Centre (in Dutch)