Dutch Cyberbeveiligingswet Approved: ERP Impact for SMEs in 2026

The Dutch lower house approved the Cyberbeveiligingswet on April 15, 2026. What ERP, security, and compliance teams should prepare now.

On April 15, 2026, the Dutch House of Representatives (Tweede Kamer) approved the bills for the Cyberbeveiligingswet (Cbw) and the Wet weerbaarheid kritieke entiteiten (Wwke) (Rijksoverheid, April 15, 2026). For companies that rely on ERP across finance, procurement, supply chain, and HR, this is a direct operational shift: cybersecurity moves beyond IT controls and becomes a business governance and continuity issue.

Context

The Cyberbeveiligingswet is the Dutch transposition of NIS2 (Rijksoverheid, Eerste Kamer). NIS2 itself entered into force on January 16, 2023, with an EU transposition deadline of October 17, 2024 (Eerste Kamer).

For leadership teams, the critical point is not only the lower-house vote. The Dutch government has stated that the bills still need Eerste Kamer approval, while keeping an implementation target in Q2 2026 with secondary legislation (Rijksoverheid).

Business impact for ERP-driven companies

1. ERP becomes a regulated cybersecurity asset, not just a back-office platform

The official communication highlights three core obligations for in-scope organizations: zorgplicht (duty of care), meldplicht (incident notification duty), and registratieplicht (registration duty) (Rijksoverheid).

In ERP terms, this means formal minimum controls for privileged accounts, API interfaces, third-party access, and end-to-end incident traceability. If a company cannot quickly reconstruct what happened in its ERP landscape during an incident, it remains exposed even with strong perimeter tooling.

2. CFO accountability increases alongside CIO accountability

Under NIS2/Cbw, cyber compliance is no longer confined to the CISO function. Budget decisions on patching, technical debt, network segmentation, and ERP modernization are now enterprise risk decisions with financial and legal implications.

For Dutch SMEs, the priority is not adding one more security product. The priority is securing ERP-dependent critical processes first: invoicing, supplier payments, financial close, and operational planning. A disruption to these flows creates immediate financial and contractual risk.

3. Multi-country groups need harmonized governance, not only harmonized tooling

European groups with Dutch entities will need to align local Cbw controls with group-wide cyber frameworks in other jurisdictions. This is often where cross-border ERP programs underperform: architecture gets standardized, but local accountability remains unclear.

The April 15 vote forces a clear governance choice. Either the group embeds Cbw/NIS2 requirements into its global ERP control model, or it keeps costly local exceptions that are difficult to govern over time.

What to monitor next

The next institutional milestone is the bill trajectory in the Eerste Kamer, which will determine the final adoption and entry-into-force timeline (Rijksoverheid, Eerste Kamer).

At the same time, organizations are not expected to wait for final publication. The government’s guidance is to start operational readiness now (Rijksoverheid). In practice, that means running an ERP-cyber baseline assessment on a limited but critical scope first, such as finance plus procurement, then extending across other domains.

For deeper context, read our ERP cybersecurity implementation guide, our DORA and ERP resilience analysis, and our PEPPOL e-invoicing interoperability guide.