Cybersecurity Act adopted: 1 July 2026 is confirmed

The NIS2 Cybersecurity Act was adopted by the House of Representatives on 15 April 2026. The Senate still needs to review it, but approval is highly likely. All indications point to 1 July 2026 as the definitive implementation date.

After several delays, this marks a significant milestone. The final substantive hurdle has been cleared. It is no longer a question of if the law will come into force, but when, and that moment is now very close.

Only a few months remaining

Until recently, there was still room for political amendments or delays. That window has now effectively closed. The legislative process is in its final phase and is moving steadily towards implementation.

With only limited time left until 1 July, postponing action is no longer advisable. Organisations that start too late risk unnecessary pressure, mistakes, or failing to meet requirements on time.

What does this mean for your organisation?

The impact is immediate and tangible:

Are you directly in scope of NIS2?
Then by 1 July you must demonstrably comply with requirements around risk management, incident reporting, and supply chain security.

Do you supply larger organisations?
Then you will almost certainly face stricter requirements. Large organisations are obligated to manage supplier risks and will therefore request proof of your cybersecurity measures.

Without demonstrable evidence, you risk losing customers.

NIS2 covers the entire supply chain

The Act explicitly focuses on managing risks across the full supply chain. It is not only your own organisation that matters, your suppliers and partners must also be demonstrably secure.

This makes preparation particularly important, especially for SMEs that are part of larger supply chains.

Start now, it is still achievable

Experience shows that organisations starting now can still be ready in time for 1 July. It requires effort, but with a structured approach it is entirely achievable.

It also delivers immediate benefits: