What 2026’s New Cyber Laws Mean for Businesses — Are You Prepared?
Intro
In 2026, new European and Dutch cyber-regulations are coming into force — regulations that every business should know about. Whether you develop software, import smart devices, or supply services to companies operating in vital sectors such as energy, healthcare or finance — you may be directly affected. At RPS Group, we see this as a wake-up call: digital security is no longer optional, but mandatory.
What’s Changing: Two Major Laws
Cyber Resilience Act (CRA)
This European law will apply to all digital products — think software, smart devices, apps.
As of 11 September 2026, companies must report serious security vulnerabilities or misuse.
By 11 December 2027, these products must meet stricter security standards — often referred to as “security by design” (for example: secure development, patching, updates, safe defaults).
In short: if you produce, import or distribute digital products — these obligations will apply, including ensuring compliance (and often CE-marking) to guarantee your products meet the required cybersecurity standards.
Cyberbeveiligingswet (Cbw) — the Dutch implementation of the NIS-2 Directive
This is the Dutch version of the EU’s NIS-2: it places stricter obligations on companies operating in “vital sectors” (like energy, hospitals, banks) but also on their suppliers.
If you supply services or products to a vital sector organisation, you may need to demonstrate that your digital infrastructure is secure.
The law is expected to come into effect in spring 2026 (though timing may still shift).
Compliance means risk assessments, reporting obligations, measures to secure systems (e.g. backups, two-factor authentication, a secure supply chain), and possibly registration, depending on your role.
Why This Matters — Even If You’re “Just a Supplier” or Small Business
The laws aren’t limited to “tech companies.” If you supply digital products or services — even as an importer, reseller, or support provider — you could be affected.
Non-compliance may mean you cannot legally sell or supply certain products — or that you expose yourself (or your clients) to liability.
For small businesses: even if the CRA or Cbw does not apply directly, these laws raise the bar. Clients may increasingly demand proof of security practices, supply-chain transparency, and compliance documentation.
Given the rising level of cyber threats (ransomware, data breaches, supply-chain attacks), being proactive isn’t just about compliance — it’s about resilience and future-proofing. As highlighted by the National Cyber Security Centre (NCSC), organisations need to start preparing now.
What You Should Do Right Now
Map your digital footprint — Are you producing, importing, distributing digital products? Or are you supplying services to a critical-sector client?
Read up on the CRA and Cbw requirements. For CRA: consider design, update cycles, vulnerability reporting, documentation. For Cbw: conduct a risk assessment, evaluate infrastructure and supply-chain, plan incident-response procedures.
Start implementing basic cybersecurity hygiene — strong passwords, two-factor authentication, regular updates/patches, backups, and secure processes. Even if legislation doesn’t apply, good security is beneficial.
If applicable: register with relevant authorities (if you are a “Cbw-company” under the law) or prepare to show proof of compliance to clients.
What RPS Group Recommends (and Can Help With)
At RPS Group — with our legal and regulatory expertise — we strongly recommend companies treat 2026 as a “digital compliance milestone.” Whether you develop software, import IoT devices, or supply services to vital sectors: being compliant is as important as having a strong legal contract or financial audit.
We can help by:
Advising on whether your business is subject to CRA or Cbw.
Guiding you through compliance requirements (documentation, reporting, security protocols).
Helping set up company-wide policies (cybersecurity, supplier agreements, risk assessment).
Supporting communication with clients and regulators.
Conclusion
2026 is not just another year — it’s a turning point in how European businesses must think about digital security. The new laws won’t just affect large tech firms: they extend to suppliers, distributors, resellers, and service providers. For many, the changes will require real effort — but also offer a chance to build trust, resilience and competitive advantage. At RPS Group, we believe in helping businesses not just survive regulation, but turn it into an opportunity.