Internet Consultation Implementation Act Regulation Cyber Resilience Has Started

On March 7, 2025, the internet consultation for the draft implementation act Regulation on Cyber Resilience started. This bill regulates the implementation of the Regulation on Cyber Resilience, which came into effect on December 10, 2024, in the Netherlands. The consultation period runs until April 6, 2025.

Consumers, businesses, and other organizations in the EU must be able to trust that the digital products they use are safe. This is also important for the digital resilience of Europe. The European Regulation on Cyber Resilience (or Cyber Resilience Act, hereinafter: CRA) therefore introduces cybersecurity requirements for all products with digital elements. This includes hardware, software, and standalone components that will be offered on the market in the European Union from December 11, 2027. From September 11, 2026, manufacturers of these products will be required to report actively exploited vulnerabilities and serious incidents. The regulation has direct effect and will not be transposed into national legislation. However, an implementation law must determine who is designated for the implementation, supervision, and enforcement of the CRA in the Netherlands, and the accompanying penalty powers and legal protection must be arranged.

You can respond to the draft bill in which these matters are regulated:

• The law designates the Minister of Economic Affairs, in practice the National Inspectorate for Digital Infrastructure (RDI), as the authority responsible for the procedure to assess, register, and monitor conformity assessment bodies. The draft bill specifies that the assessment and monitoring of these bodies must take place through accreditation.
• In addition, supervision and enforcement are allocated in the proposal to the Minister of Economic Affairs (RDI), as the national market oversight authority, which will be granted the authority to impose administrative fines in accordance with the maximum amount prescribed in the regulation in case of violations.
• A legal procedure for the decisions of the market supervisor will also be established.
• Finally, the National Cyber Security Center (NCSC) is designated in the draft proposal as the Computer security incident response team (CSIRT) responsible for the establishment and implementation of the reporting desk for the reporting obligation regarding actively exploited vulnerabilities and serious incidents.

From March 7 to April 4, 2025, everyone can respond to the draft implementation act Regulation on Cyber Resilience. The purpose of the consultation is to involve stakeholders in the creation of this implementation law. After the consultation period, all responses will be reviewed and incorporated into the implementation law where necessary.

Visit overheid.nl to view the draft implementation act to participate in the consultation.

The Ministry of Economic Affairs is organizing an online information session via Teams on Tuesday, March 2, 2025, from 15:00 to 16:30 about the draft implementation act and the CRA. You can register and submit any questions in advance by sending an email.