
October 01, 2025

Cyber resilience and Wwke 2026 – What your organization needs to know

 

Introduction: new legislation, new responsibilities

Starting in 2026, the digital and physical security obligations for organizations in the Netherlands will change dramatically. Two new laws – the Cybersecurity Act (Cbw) and the Critical Entity Resilience Act (Wwke) – ensure that vital organizations comply with the European directives NIS2 and CER. For healthcare institutions, energy companies, transport organizations, governments and data centers, this means mandatory investments in resilience, governance and reporting structures.

Why these laws call for action now

European Directives
The laws implement the European Union’s NIS2 and CER directives to strengthen Europe’s resilience.

Increased threats
Cyber attacks and other disruptions are putting increasing pressure on digital and physical infrastructure, underscoring the need for action.

Obligations
The new legislation brings with it obligations, such as a duty of care, duty of notification and duty of registration, for which preparations are essential.

 

What is the Cybersecurity Act (Cbw)?

The Cbw is based on the NIS2 Directive and replaces the current Wbni. The law applies to “essential” and “significant entities” within sectors such as:

  • Digital infrastructure (cloud providers, data centers)
  • Energy, transportation, telecom, healthcare
  • Financial, government, food, space

Specifically, what does this mean?

  • Mandatory risk analysis and measures
  • Demonstrable board involvement (board liability)
  • Duty to report cyber incidents within strict deadlines

Note that micro and small businesses can also be designated if they play a crucial role within the chain.

 

What is the Critical Entity Resilience Act (Wwke)?

The Wwke is based on the CER Directive and focuses on physical continuity. Think sabotage prevention, access control and crisis structures. Organizations are explicitly designated as a “critical entity” between the end of 2025 and July 17, 2026.

Obligations after designation:

  • Within 9 months: risk assessment + measures
  • After 10 months: duty of notification and duty of care
  • Periodic audits + penalty options for supervisors

“Think of a hospital: digital and physical security must be demonstrably in order. From access control to reporting procedures within 24 hours.”

 

What you can do (and when)

Prepare now
The central government is urging organizations not to wait, because the risks already exist today.

Risk Analysis
Identify the risks that may threaten the continuity of your organization.

Security measures
Implement technical and organizational measures to manage these risks, such as network security and backups.

Incident detection and handling
Establish processes for identifying, recording and handling security incidents, including a reporting requirement to the NCSC or a CSIRT.

Continuous improvement
Establish a process of continuous improvement in digital resilience, such as through periodic audits.

Continuity Plan
Make sure your organization has a plan for restoring services after an incident to ensure continuity.

Important dates

  • Effective date: The laws are expected to take effect in the second quarter of 2026.
  • Applicability: Obligations apply from entry into force, so preparations now are crucial.

 

Mandatory deadlines and fines: be prepared

Both laws have hard deadlines. For the Cbw, compliance is required as of Q2 2026. For the Wwke, critical entities must be designated by July 17, 2026, with a risk analysis completed within 9 months and a formal reporting and duty-of-care process within 10 months thereafter. Failure to comply could result in:

  • Substantial fines
  • Suspension of directors
  • Reputational damage and loss of service

So the laws require not only technical upgrades, but more importantly governance, procedures and behavioral change within the organization.

 

How is your organization preparing?

Step 1: Perform risk analysis
Map vulnerabilities, both digital and physical. Consider scenarios, chain dependencies, and impact on primary processes.

Step 2: Integrate security measures
Use robust solutions: from network segmentation to access management and awareness training. ALTA-ICT helps with selection and implementation.

Step 3: Establish Governance & Reporting Structure
Establish who is responsible for which threat. Set up adequate procedures for external notification and internal reporting.

Step 4: Educate and train board and staff
The law requires knowledge at the board level. Training and simulations are essential for compliance and resilience.

Step 5: Documentation and compliance check
Oversight requires evidence. ALTA-ICT provides support with audit preparation and compliance assessments.

 

Why choose ALTA-ICT?

At ALTA-ICT, we combine:

  • ISO27001 / NEN7510 certification for information security
  • Experience with vital sectors such as healthcare, energy and government
  • Local knowledge of Dutch legislation and regulators
  • Pragmatic approach focused on implementation and continuity

“We make sure your organization is not only compliant, but also resilient.”

 

Conclusion: don’t wait until 2026

The Cbw and Wwke are not just paper obligations, but legal frameworks that require organizations to work on their security in a structured way. With an integrated approach, companies can comply and secure their services.

Schedule a free consultation with our experts today at
alta-ict.co.uk/free-consultation

 

Reference

¹https://www.datavoorgezondheid.nl/actueel/nieuws/2025/06/16/wetsvoorstellen-cyberbeveiligingswet-en-wet-weerbaarheid-kritieke-entiteiten-naar-de-tweede-kamer
