Ready for the Dutch Cybersecurity Act — July 1, 2026

Zero-trust access. Made in Europe. No VPN. No open ports. No CLOUD Act.

Securvise gives your team secure access to internal applications — based on verified identity, not network position. Built in Amsterdam, hosted entirely in the EU.

Request a Demo See how it works

Demo within 24 hours Live in weeks, not months 100% EU data residency

Legislation

Dutch Cybersecurity Act expected to take effect July 1, 2026

Supervision

Strengthened NCSC as the central competent authority

Liability

Directors personally liable for negligence

Why now

A VPN is no longer a defense — it is an attack surface.

In 2024, Ivanti, Fortinet and Palo Alto VPN appliances were actively exploited. An open port is an invitation. NIS2 expects you to close it.

Traditional: VPN + firewall

Inbound ports visible to the entire internet
One compromise = lateral movement across the network
Hardening and patching loop with every new CVE
Logging fragmented across firewall, AD and VPN appliance

With Securvise: identity mesh

No inbound ports — services are dark to the internet
mTLS per session, authorization before connectivity
Per-identity access — no flat networks
A single audit log: who, where, when, which service

NIS2 Article 21 — made concrete

From legal text to evidence for the auditor.

The Dutch Cybersecurity Act (Cbw) translates NIS2 into ten risk-management measures. For five of those ten, Securvise is the evidence — not just a tool.

a Risk analysis and security policy

Traditional approach: Documents in a wiki; annual review
With Securvise: Plugs into your existing ISMS — we provide the access layer
Evidence for the auditor: Architecture document and integration overview

b Incident handling

Product-strong

Traditional approach: SIEM correlation after the fact; manual analysis
With Securvise: Per-session logs, real-time policy enforcement, instant revocation
Evidence for the auditor: Full audit trail per identity; SIEM integration

c Business continuity and crisis management

Traditional approach: Backups and runbooks
With Securvise: Mesh failover and multi-region edge routers — no single point of failure
Evidence for the auditor: Failover report and uptime SLA

d Supply-chain security

Product-strong

Traditional approach: Supplier questionnaires and annual audits
With Securvise: Per-supplier identity with time-bound access; no permanent VPN accounts
Evidence for the auditor: Supplier roster, access logs, automatic revocation

e Security in acquisition, development and maintenance

Traditional approach: Secure-coding guidelines; pentest per release
With Securvise: Our SDLC plus the independently audited OpenZiti foundation
Evidence for the auditor: SBOM, CVE reporting, third-party audits

f Assessing the effectiveness of measures

Traditional approach: KPI spreadsheets and review meetings
With Securvise: Continuous metrics: attempts vs. granted, policy hits, anomalies
Evidence for the auditor: Dashboard export and reporting API

g Cyber hygiene and training

Traditional approach: Annual e-learning
With Securvise: Delivered through our consultancy — not the platform
Evidence for the auditor: Training materials and attendee log

h Cryptography and encryption

Product-strong

Traditional approach: TLS at the edge; key management per application
With Securvise: mTLS per session, end-to-end encryption, short certificate lifetimes
Evidence for the auditor: Cipher suites, key-rotation policy, FIPS-aligned primitives

i Access control, HR security and asset management

Product-strong

Traditional approach: AD groups, firewall rules, VLAN segmentation
With Securvise: Identity-based, per-application authorization; zero trust in network position
Evidence for the auditor: Access matrix per identity, joiner/mover/leaver report

j MFA and secure communications

Product-strong

Traditional approach: MFA at login; VPN for remote access
With Securvise: Continuous verification via certificates; MFA enforced at the IdP
Evidence for the auditor: Authentication logs, per-identity policy, IdP integration

Article 21(2)	Traditional approach	With Securvise	Evidence for the auditor
a Risk analysis and security policy	Documents in a wiki; annual review	Plugs into your existing ISMS — we provide the access layer	Architecture document and integration overview
b Incident handling Product-strong	SIEM correlation after the fact; manual analysis	Per-session logs, real-time policy enforcement, instant revocation	Full audit trail per identity; SIEM integration
c Business continuity and crisis management	Backups and runbooks	Mesh failover and multi-region edge routers — no single point of failure	Failover report and uptime SLA
d Supply-chain security Product-strong	Supplier questionnaires and annual audits	Per-supplier identity with time-bound access; no permanent VPN accounts	Supplier roster, access logs, automatic revocation
e Security in acquisition, development and maintenance	Secure-coding guidelines; pentest per release	Our SDLC plus the independently audited OpenZiti foundation	SBOM, CVE reporting, third-party audits
f Assessing the effectiveness of measures	KPI spreadsheets and review meetings	Continuous metrics: attempts vs. granted, policy hits, anomalies	Dashboard export and reporting API
g Cyber hygiene and training	Annual e-learning	Delivered through our consultancy — not the platform	Training materials and attendee log
h Cryptography and encryption Product-strong	TLS at the edge; key management per application	mTLS per session, end-to-end encryption, short certificate lifetimes	Cipher suites, key-rotation policy, FIPS-aligned primitives
i Access control, HR security and asset management Product-strong	AD groups, firewall rules, VLAN segmentation	Identity-based, per-application authorization; zero trust in network position	Access matrix per identity, joiner/mover/leaver report
j MFA and secure communications Product-strong	MFA at login; VPN for remote access	Continuous verification via certificates; MFA enforced at the IdP	Authentication logs, per-identity policy, IdP integration

Sources: Directive (EU) 2022/2555 — Article 21(2). NCSC.nl and Rijksoverheid.nl for the Dutch implementation. Cbw status: passed by the House of Representatives on April 15, 2026; awaiting Senate approval.

How it works

Four foundations NIS2 auditors recognize.

Zero inbound ports

Services accept no connections from the public internet. Nothing to scan, nothing to exploit.

mTLS per session

Every connection gets a unique certificate. No reusable credentials, no session hijacking.

Identity over IP

Access is tied to a verified identity, not to a network position. Per-app segmentation without VLAN projects.

Mesh failover

Multiple edge routers per region. A single outage disrupts no session. Fully active-active.

EU sovereignty

Dutch company. EU infrastructure. No CLOUD Act.

For essential and important entities under NIS2, supplier sovereignty is not a marketing promise — it is a supply-chain responsibility.

Based in Amsterdam (Le Mairekade 77)
KvK 42000737 — Dutch B.V.
Data centers within the EU; no US ownership
GDPR-compliant by design; DPA included as standard
Operationally aligned with the Strengthened NCSC

Services

Platform plus the people who implement it.

Alongside the Securvise platform, we deliver the consultancy that turns it into compliance.

NIS2 maturity scan

A focused assessment against Article 21 with a prioritized plan and audit-ready evidence.

Cbw implementation

Securvise rollout plus the supporting pieces: logging, incident handling, supplier agreements.

DevOps & cloud

Engineers who know your infrastructure — from CI/CD to Kubernetes — and how to keep it secure.

See all services

Timeline

Ready for the July 1 Cbw deadline?

A discovery call takes 30 minutes. We show you how Securvise delivers concrete evidence for Article 21.

Request a Demo