By 2026, Dutch organizations must comply with the Cyberbeveiligingswet (Cbw) and Cyberbeveiligingsbesluit (Cbb) — the national implementation of the EU’s NIS2 directive. While the exact enforcement date is still pending, the impact on organizations will be substantial. At the same time, sector-specific requirements such as BIO2 (for the public sector) and DORA (for financial institutions) are being introduced or have already come into effect.
Each of these frameworks imposes different requirements and levels of detail. As a result, compliance with one does not guarantee compliance with others, nor does it automatically ensure adequate cybersecurity resilience.
To support organizations, auditors, and regulators in navigating this increasingly complex regulatory landscape, the Central Government Audit Service (ADR), in collaboration with NOREA and commissioned by the Ministry of the Interior and Kingdom Relations (BZK), is developing the Cbw Evaluation Tool. This practical tool leverages a maturity model to help organizations assess and improve their cybersecurity resilience across Cbw, Cbb, and relevant sectoral standards.
In this session, we will launch the control framework and evaluation tool and demonstrate how it can assist organizations in understanding and preparing for the Cbw and Cbb requirements, moving beyond compliance toward real resilience.
