Preparing for the Cyberbeveiligingswet (Cbw) / NIS2: securing your energy supply chain

Company news


By Anaïs Wampack
Reading time: 5 minutes
TL;DR

The upcoming Dutch Cyberbeveiligingswet (Cbw)/NIS2 shifts cybersecurity responsibility beyond your own systems to your entire supply chain. Withthegrid’s Teleport Gateway and Asset Monitoring Platform help energy companies meet these requirements through strong security controls, ISO 27001:2022 alignment, and transparent supplier risk management.

The deadline is approaching. In the second quarter of 2026, the Dutch government is expected to enforce the Cyberbeveiligingswet (Cbw) (see: Cyberbeveiligingswet (NIS2-richtlijn), Digitale Overheid). This law serves as the national implementation of the European NIS2 directive (see: NIS2 Directive: securing network and information systems, European Commission).

For energy suppliers, aggregators, and asset owners, this legislation changes the playing field. It is no longer enough to secure your own internal systems; the law explicitly extends your responsibility to your direct supply chain. As an “essential” or “important” entity, you become accountable for the digital resilience of the hardware and software vendors you rely on.

At Withthegrid, we understand that your priority is maximizing asset value and trading energy, not chasing compliance paperwork. However, as the provider of the Teleport Gateway and the Asset Monitoring Platform (AMP), we view security as our primary responsibility.

Here is what the Cbw means for your supply chain and how our solutions support your compliance journey.

The shift to supply chain responsibility

Under the previous NIS directive, the focus lay heavily on the primary service provider. The NIS2 directive, and by extension the Dutch Cbw, introduces a stricter “duty of care” (zorgplicht). Article 21 specifically mandates that entities manage risks regarding the security of their supply chain.

This means you must assess the cybersecurity quality of your direct suppliers. If a hacker enters your system through a third-party gateway or software integration, the liability is now on your shoulders.

The National Cyber Security Centre (NCSC) emphasizes that this goes beyond a simple compliance checklist (see “Hoe versterk je de weerbaarheid van leveranciers?”, Nationaal Cyber Security Centrum, also available as a PDF). It requires a shift from passive checking to active dialogue. You need to know if your suppliers have:

  • Processes for vulnerability disclosure.
  • Proven incident response plans.
  • Established risk management practices.

How Withthegrid meets NIS2 requirements

Because we sit at the intersection of IT systems and physical infrastructure (OT), we designed the Teleport and the AMP to adhere to strict security standards.

Withthegrid has been ISO 27001 certified since April 2020, and we successfully re-certified for ISO 27001:2022 in March 2025. This certification covers the vast majority of the requirements outlined in the Cbw. However, to help you meet your specific obligations under the Cbw, we map our internal controls directly to the directive’s requirements. Here is how we support your compliance:

1. Risk management and duty of care

  • The requirement: Entities must implement appropriate technical and organizational measures to manage risk.
  • Our measure: We perform continuous risk management by periodically reviewing potential threats and adjusting our controls accordingly. This includes integrating vulnerability assessments into our workflows and prioritizing the remediation of any critical findings.

2. Incident handling and reporting

  • The requirement: Article 23 requires strict reporting timelines for significant incidents (an early warning within 24 hours and a detailed notification within 72 hours).
  • Our measure: We continuously monitor the Teleport and AMP services for anomalous behavior (see the live Teleport and AMP status pages). If we detect a security incident, our trained incident response team activates immediately to contain the situation. We have documented procedures to assess impact, prevent further damage, and inform external bodies or partners promptly. This ensures you receive the information you need to meet your own reporting deadlines.

3. Supply chain security

  • The requirement: Ensuring security-related aspects of the relationships between the entity and its direct suppliers.
  • Our measure: We apply the same scrutiny to our own supply chain that you apply to us. We evaluate new suppliers and regularly reassess existing ones to ensure they maintain a robust security posture.

4. Business continuity and disaster recovery

  • The requirement: Organizations must ensure that their critical services can withstand disruptions.
  • Our measure: Our infrastructure is cloud-based and runs in AWS Multi-Availability Zones for redundancy. Furthermore, our code is pushed to an escrow service. This ensures that, even in an extreme scenario, the software required to run your setup can be rebuilt, guaranteeing the long-term continuity of both your Asset Monitoring and Teleport control functions.

5. Access control and cryptography

  • The requirement: Policies on cryptography, encryption, and access control.
  • Our measure: All communications are encrypted in transit. We also enforce access control to our corporate resources based on roles (Need-to-Know principle), and Multi-Factor Authentication (MFA) is enabled by default.

A shared responsibility

The Cbw and NIS2 make it clear that cyber resilience is a chain, and a weakness in one link can affect the entire grid. That’s why we support your “duty of care” by maintaining rigorous internal standards and engaging in the transparent dialogue recommended by the NCSC.

By choosing a partner that is already aligned with ISO 27001:2022 and the upcoming Cbw standards, you can reduce the complexity of your own compliance journey. This allows you to focus on your core business: managing your critical infrastructure or your profitable energy portfolio.

Curious about all of our security measures? Find all the information on our Security page.
