What 2026’s New Cyber Laws Mean for Businesses — Are You Prepared?

Intro

In 2026, new European and Dutch cyber regulations are coming into force — regulations that every business should know about. Whether you develop software, import smart devices, or supply services to companies operating in vital sectors such as energy, healthcare or finance — you may be directly affected. At RPS Group, we see this as a wake-up call: digital security is no longer optional, but mandatory.

What’s Changing: Two Major Laws

Cyber Resilience Act (CRA)

  • This European law will apply to all digital products — think software, smart devices, apps.

  • As of 11 September 2026, companies must report serious security vulnerabilities or misuse.

  • By 11 December 2027, these products must meet stricter security standards — often referred to as “security by design” (for example: secure development, patching, updates, safe defaults).

  • In short: if you produce, import or distribute digital products, these obligations will apply to you. That includes demonstrating compliance (and often CE-marking) to show that your products meet the required cybersecurity standards.

Cyberbeveiligingswet (Cbw) — the Dutch implementation of the NIS-2 Directive

  • This is the Dutch version of the EU’s NIS-2: it places stricter obligations on companies operating in “vital sectors” (like energy, hospitals, banks) but also on their suppliers.

  • If you supply services or products to a vital sector organisation, you may need to demonstrate that your digital infrastructure is secure.

  • The law is expected to come into effect in spring 2026 (though timing may still shift).

  • Compliance means: risk assessments, reporting obligations, measures to secure systems (e.g. backups, two-factor authentication, a secure supply chain), and possibly registration, depending on your role.

Why This Matters — Even If You’re “Just a Supplier” or Small Business

  • The laws aren’t limited to “tech companies.” If you supply digital products or services — even as an importer, reseller, or support provider — you could be affected.

  • Non-compliance may mean you cannot legally sell or supply certain products — or that you expose yourself (or your clients) to liability.

  • For small businesses: even if the CRA or Cbw does not apply to you directly, these laws raise the bar: clients may increasingly demand proof of security practices, supply-chain transparency, and compliance documentation.

  • Given the rising level of cyber threats (ransomware, data breaches, supply-chain attacks), being proactive isn’t just about compliance — it’s about resilience and future-proofing. As highlighted by the National Cyber Security Centre (NCSC), organisations need to start preparing now.

What You Should Do Right Now

  1. Map your digital footprint — Are you producing, importing, distributing digital products? Or are you supplying services to a critical-sector client?

  2. Read up on the CRA and Cbw requirements. For CRA: consider design, update cycles, vulnerability reporting, documentation. For Cbw: conduct a risk assessment, evaluate infrastructure and supply-chain, plan incident-response procedures.

  3. Start implementing basic cybersecurity hygiene — strong passwords, two-factor authentication, regular updates/patches, backups, and secure processes. Even if legislation doesn’t apply, good security is beneficial.

  4. If applicable: register with relevant authorities (if you are a “Cbw-company” under the law) or prepare to show proof of compliance to clients.

What RPS Group Recommends (and Can Help With)

At RPS Group — with our legal and regulatory expertise — we strongly recommend companies treat 2026 as a “digital compliance milestone.” Whether you develop software, import IoT devices, or supply services to vital sectors: being compliant is as important as having a strong legal contract or financial audit.

We can help by:

  • Advising on whether your business is subject to CRA or Cbw.

  • Guiding you through compliance requirements (documentation, reporting, security protocols).

  • Helping set up company-wide policies (cybersecurity, supplier agreements, risk assessment).

  • Supporting communication with clients and regulators.

Conclusion

2026 is not just another year — it’s a turning point in how European businesses must think about digital security. The new laws won’t just affect large tech firms: they extend to suppliers, distributors, resellers, and service providers. For many, the changes will require real effort — but also offer a chance to build trust, resilience and competitive advantage. At RPS Group, we believe in helping businesses not just survive regulation, but turn it into an opportunity.
