New cyber legislation calls for attention from the energy storage sector
The Cybersecurity Act (Cbw) will take effect on August 15, 2026. As a result, many organizations in the Netherlands—including those in the energy storage sector—will face new obligations regarding cybersecurity, digital resilience, and incident reporting. The Critical Entities Resilience Act (Wwke) will also take effect on that date and may impose additional obligations on designated critical organizations.
Cybersecurity Act
The Cybersecurity Act (Cbw) implements the European NIS2 Directive in the Netherlands and replaces the current Network and Information Systems Security Act (Wbni). The law applies to organizations that provide essential or important services in sectors such as the energy sector. Whether an organization falls under the law depends, among other things, on the sector in which it operates and on size criteria such as the number of employees, annual revenue, and total assets. In principle, organizations are subject to the Act if they have at least 50 employees or generate an annual revenue of at least €10 million. Organizations in the energy (storage) sector may be classified as important or essential entities, depending on the additional size criteria.
This distinction is important for how supervision is carried out. Essential entities are subject to proactive supervision, while important entities are subject to reactive supervision. For the energy sector, the National Inspectorate for Digital Infrastructure (RDI) has been designated as the supervisory authority. In the event of violations, regulators can take various measures, such as a security scan or audit, public disclosure of a violation, or an administrative fine.
Registration, Care, and Reporting Requirements
Organizations subject to the Cybersecurity Act are subject to three core obligations. First, they must register in the entity registry through the National Cyber Security Center (NCSC). In addition, there is a duty of care: organizations must take appropriate and proportionate measures to manage cyber risks. Risk management forms the basis for this. The law lists ten duty-of-care measures that organizations must at least consider, and organizations are responsible for tailoring these measures to their specific situation.
There is also a reporting requirement for significant incidents. These must be reported to the Computer Security Incident Response Team (CSIRT) and to the competent regulatory authority. In principle, an early warning must be issued as soon as possible and no later than 24 hours after the incident is detected. For parties subject to the Cybersecurity Network Code (NCCS) for cross-border electricity flows, a shorter reporting deadline of four hours applies.
Administrative Responsibility
Administrative responsibility is also defined more explicitly. Cybersecurity is therefore not only the responsibility of the IT department or the CISO, but also explicitly that of the board of directors. Board members remain ultimately responsible for cybersecurity and must have sufficient insight into the risks, measures, and incident response processes within their organization. In addition, within two years of the law taking effect, they must complete appropriate training and approve the measures the organization is taking to comply with its duty of care.
Critical Entities Resilience Act
In addition to the Cybersecurity Act, the Critical Entities Resilience Act (Wwke) will also take effect. This law implements the European CER Directive and focuses on protecting critical infrastructure and essential economic activities against broader threats, such as terrorist crimes, sabotage, natural disasters, and other serious disruptions. An organization is only subject to this Act if it is formally designated as a critical entity by the relevant minister.
Critical entities are designated based on national and sector-specific risk assessments. Organizations will be designated no later than one month after the law takes effect. They will then have ten months to comply with the obligations set forth in the law, such as conducting their own risk assessment, taking appropriate measures, and reporting incidents that could seriously disrupt essential services. At least every four years, a reassessment will be conducted to determine whether other organizations should be designated as critical entities.
What does the legislation mean for energy storage?
Batteries, storage platforms, aggregation, control systems, and data connections are becoming increasingly important to the functioning of the energy system. As a result, the importance of robust cybersecurity, clear incident response procedures, and management attention to digital risks is also growing. Energy Storage NL therefore welcomes the introduction of clear rules to further strengthen cybersecurity in the energy sector. At the same time, this requires companies to determine in a timely manner whether they fall within the scope of the Cybersecurity Act and to ensure that their internal processes, risk analyses, and reporting procedures are in order.
Even companies that are not directly subject to the Cybersecurity Act may be indirectly affected by it. This is because one of the duty-of-care measures pertains to supply chain security. As a result, larger or designated organizations are expected to impose requirements on suppliers, service providers, and other supply chain partners. This means that smaller companies in the energy storage chain may still be included in agreements regarding cybersecurity, information security, and incident response.
Latest News
News
New cyber legislation calls for attention from the energy storage sector
July 14, 2026
News
Research Report on Energy Storage Archetypes: Without Storage of Electricity, Heat, and Molecules, There Can Be No Energy Transition
July 13, 2026
News


