It was recently announced that the European Commission has referred the Netherlands, along with six other Member States, to the Court of Justice for the late transposition of the Critical Entities Resilience Directive (CER) into national law. The CER and its digital counterpart, the NIS2 Directive, are European Directives and do not apply directly: each Member State must transpose them into domestic legislation. In the Netherlands, this is being done through two laws: the Wet weerbaarheid kritieke entiteiten (Wwke) implementing the CER, and the Cyberbeveiligingswet (Cbw) implementing NIS2. Both laws are expected to enter into force simultaneously in the second quarter of 2026.
Although organisations must be formally designated by the relevant minister and the legislation is delayed, they cannot afford to sit back. The threats covered by the CER (such as sabotage, physical disruptions, natural disasters, and hybrid threats) do not wait for legislators.
The CER and the Wwke require organisations in critical sectors to strengthen their physical resilience. The aim is to ensure that essential services (such as the supply of drinking water, energy, transport, and banking) continue to function, even in the face of physical threats like natural disasters, terrorism, sabotage, or technical failures.
The obligations are structured almost identically to those in NIS2 (a duty of care and a reporting obligation). The key difference lies in the type of threat: whereas the Cbw focuses on ‘bits and bytes’, the Wwke focuses on ‘bricks and people’. The Wwke rests on three central pillars that push organisations from a reactive to a proactive stance:
1. Identification & Risk management (the analytical pillar)
In addition to Member States themselves, organisations must carry out a comprehensive risk assessment periodically. It is important to look beyond IT or theft. You also analyse the impact of natural disasters (flooding, extreme heat), terrorism, sabotage, and even hybrid threats. The goal is to know precisely where the physical vulnerabilities of your critical processes lie.
2. Resilience measures (the operational pillar)
Organisations must take appropriate and proportionate technical and organisational measures. This is the translation of your risk assessment into practice. Examples include physically securing critical locations and infrastructure, protocols for crisis management and recovery operations following an incident, and screening personnel in sensitive positions to minimise insider threats.
3. Incident management & Reporting (the response pillar)
There is a strict obligation to report significant incidents to the supervisory authority and the CSIRT. This means that any event that seriously disrupts, or threatens to disrupt, the delivery of an essential service must be reported immediately. This enables the government to maintain overarching oversight and, where necessary, provide cross-sector assistance or coordination.
The CER and NIS2 are two sides of the same coin. Where NIS2 guards the digital back door, the CER focuses on the physical front door and everything else that could disrupt the continuity of an essential service. If you are designated as a critical entity under the Wwke, you must also comply with the Cbw. An organisation only becomes truly resilient when it takes an integrated approach to implementing both acts. This requires close collaboration between the CISO and the person responsible for physical security.
For organisations already working on the Cbw (NIS2), the Wwke offers opportunities to streamline processes such as incident reporting and risk management under a single governance structure. After all, both acts require a risk-based approach, so why implement something separate for each when you can do it together? This delivers an efficiency advantage.
The EU’s legal action proves that pressure to strengthen critical sectors is mounting. Once the Wwke is finalised, the implementation window will be short. Although organisations must be formally designated by the minister as critical entities, some organisations (such as waterschappen) can reasonably assume that this will happen. Start now with a gap analysis to identify where your organisation currently falls short of the (draft) Wwke. Also map out the interdependencies between sectors (for example, energy and telecoms), as this is essential for conducting a sound risk assessment.
The European Commission’s recent decision to take the Netherlands to court underscores that the era of optionality is definitively over. Although the political delay of the Wwke is causing confusion, we must not lose sight of the underlying reality: our critical infrastructure is more vulnerable than ever to physical threats and sabotage.
It is tempting to view the Wwke as yet another administrative burden, but market leaders see a different perspective. Precisely in a world where supply chain dependency is enormous, resilience becomes a strategic asset. Organisations that can demonstrate they have both their digital back door (Cbw/NIS2) and their physical front door (Wwke/CER) in order are the partners the market relies on.
By embracing the principles of the Wwke now, you transform compliance from an obligation into a competitive advantage. You are not just ‘ready for the law’; you are guaranteeing the continuity of your services in an unpredictable world. Do not wait for the final legislative text: the blueprint from Brussels and the draft are already available. Those who act now are building a foundation that can withstand tomorrow’s shocks.
The complexity of the Wwke, particularly in combination with ongoing Cbw projects, calls for an integrated approach. The risk of overlap or blind spots between physical and digital security is significant. Do you need support in conducting an integrated risk assessment or implementing the specific obligations under the Wwke? Get in touch for an exploratory conversation. Together, we will ensure that your organisation not only complies with the law but becomes truly resilient.