On 15 April 2026, the Dutch House of Representatives adopted the Cyberbeveiligingswet and the Wet weerbaarheid kritieke entiteiten, moving NIS2 closer to national effect. DORA has applied in the financial sector since 17 January 2025, and attackers now exploit newly disclosed software flaws within hours, sometimes minutes. With AI and digital operations embedded in daily work, cybersecurity has become a board-level control file across sectors.
Why this matters
Pressure now lands on owners and boards, not just IT. Larger customers, banks, insurers, and tenders increasingly ask for proof of controls. CBS figures show a maturity gap: in 2025, 86% of large firms had at least 10 of 12 measures in place, versus 13% of firms with 2 to 10 employees. Incidents do not respect the legal threshold of the new laws: a firm that falls outside NIS2 is still hit by payment fraud, supplier outages, and data exposures, and those land on cash flow and contracts. Insurance helps only when the firm can show evidence of preventive controls and a properly handled response. Many small firms will never hire a full-time CISO; the practical decision is who owns digital risk before the pressure arrives.
Example
A founder checks email and sees three items at once: a supplier asks to change bank details, an AI draft is ready for a tender, and an urgent software patch is waiting. The right response depends on governance: who can approve bank detail changes, who reviews AI output before it reaches a customer, who can apply the patch, and where the logs and decisions are kept if something goes wrong.
XTROVERSO tips
- Name the owner: assign a single person who can reach the board and stop unsafe shortcuts. Do not start with job titles; start with authority.
- Map critical systems: list what would stop the business within a day: banking, accounting, email, cloud files, planning, payroll, website, portals, production.
- Know your suppliers: create a register for ICT and data services with provider, contract owner, renewal date, data held, support route, and fallback.
- Tighten access: review access for former staff and freelancers, shared and admin accounts, supplier access, MFA coverage, and bank authorisations.
- Control payments: do not approve bank-account changes on the strength of an email alone. Require an independent check through a channel you already know, such as a phone number on file rather than one given in the request.
- Prepare incident roles: write down who calls IT, who freezes payments, who informs customers, who checks legal reporting duties, and who preserves evidence.
Want a practical owner, checklist, and monthly rhythm tailored to your company? We can help
The data, sourcing, and analysis behind this article were conducted by Paolo Maria Pavan. AI was not used to identify sources, build the factual basis, or produce the analytical judgment contained here. AI was used only as a drafting aid. The final English text was personally reviewed, edited, and approved by Paolo Maria Pavan before publication.
References
- Chief Information Security Officer is becoming increasingly important within the board (original title: "Chief Information Security Officer wordt steeds belangrijker binnen bestuur")
- Overheid.nl Wetgevingskalender - Cyberbeveiligingswet and NIS2 legislative status
- Rijksoverheid - warning not to wait for the Cyberbeveiligingswet
- Ondernemersplein, Overheid.nl - NIS2 reach into sectors, suppliers, and smaller firms
- CBS - Company cybersecurity incidents and control maturity
- CBS - AI and digital work are now normal business infrastructure
- DNB - Cyber and AI as financial-stability and third-party risk
- DNB - DORA as a practical model for ICT risk governance