From IT legislation to everyday practice in the workplace

It’s Monday morning, just past 7:30. The first employees are coming in through the side entrance. The reception desk isn’t fully staffed yet. An outside technician walks in. His pass is still in the car. “I’ll be out of here in a minute,” he says. No one says anything. Not out of rudeness, but out of habit. It is precisely these kinds of everyday situations that illustrate what the Cybersecurity Act is all about in practice.

Security has long since ceased to be solely about technology, systems, or IT measures. It also involves physical access, human behavior, and daily routines in the workplace. This is not a new insight for us. We have previously written about cybersecurity under NIS2 and why it is crucial to start implementing measures right now. That article already made it clear that digital risks often stem from physical security and human behavior. The Cybersecurity Act logically builds on this and now makes this connection explicit and legally enforceable.

Until recently, situations like these were primarily areas of concern. With the Cybersecurity Act, they have become risks that an organization must be able to explain, substantiate, and account for. On April 15, 2026, the House of Representatives approved the Cybersecurity Act, a law that many organizations still view as a purely technical IT matter. That is understandable, given the name. But if you look beyond the surface, you’ll see that the impact is much broader. The Cybersecurity Act affects not only systems and networks, but also people, buildings, and physical access. For businesses, this means that security is no longer optional but must be demonstrably and appropriately implemented.

The Purpose of the Cybersecurity Act

The Cybersecurity Act is the Dutch implementation of the European NIS2 Directive. Its aim is to strengthen the resilience of organizations that play a critical role in the functioning of society. This involves not only preventing cyberattacks, but also minimizing disruptions in the broadest sense of the term.

Outages, disruptions, or temporary service interruptions rarely have a single cause. In practice, they often result from a combination of technical, organizational, and human factors. An organization may have an excellent IT infrastructure but still be vulnerable because access to critical areas is not adequately controlled or responsibilities are unclear. The Cybersecurity Act acknowledges this reality. Security only works when digital and physical measures reinforce each other and are not organized in isolation from one another.

Why “cyber” isn’t just about IT

A common misconception is that the Cybersecurity Act is solely about IT—specifically, software, networks, and monitoring. While this view is understandable, it is incomplete.

The law explicitly refers to a duty of care to protect network and information systems, including the physical environment in which these systems are located. That single sentence makes a big difference in practice.

This means that the design of buildings, the way access is granted, the way monitoring is conducted, and the way deviations are addressed are also covered by the Cybersecurity Act. No matter how well a digital system is secured, if someone can physically access it without being monitored, it remains vulnerable.

Physical security takes on legal significance

The core principle of the Cybersecurity Act is resilience. It’s not about reacting only after something goes wrong, but about identifying and managing risks in advance. This gives physical security a legal significance that it did not previously have.

Questions that have been asked in the security field for years are now taking on new significance. Who has physical access to critical systems? Is that access necessary and up to date? Is unusual behavior detected? And are there clear guidelines defining what constitutes an incident and who makes that determination?

What were previously internal considerations are now becoming formal assessment criteria. This applies not only to audits, but also to oversight and potential enforcement.

The duty of care: appropriate and justifiable

Organizations that fall under the Cybersecurity Act have a legal duty of care. This duty of care does not specify exactly which measures must be taken, but it does require that the measures be appropriate to the organization’s risks.

In many organizations, physical access has evolved over time. Employees who were once given a key and never returned it. Access cards that continued to work even after job changes. Areas used by multiple departments simply because it was convenient.

Under the Cybersecurity Act, an organization must be able to explain why someone has access to a particular area, who authorized that access, and how it is monitored. Not everything needs to be restricted. But everything must be justifiable.

Human behavior remains decisive

No measure can be effective without people who understand what is expected of them. Security remains a human endeavor.

The Cybersecurity Act explicitly emphasizes the importance of training and awareness. This applies not only to security personnel, but to everyone who deals with access, visitors, or suppliers in their daily work. It is precisely in these areas that vulnerabilities often arise.

A security breach is rarely the result of poor technical practices. More often than not, it stems from routine, assumptions, or time pressure.

When a physical incident has digital consequences

Ask yourself this question: Can I verify who was in the technical areas this morning? Not who was allowed in according to the rules, but who was actually there.

Go back to the situation described at the beginning of this article. The technician who is let in for a moment because his pass is still in the car. No one stops him. No ill intent, no red flags. Just routine. Exactly as it happens every day in many organizations.

The moment that technician goes further than intended—for example, into a technical room containing network equipment or servers—a problem arises. Perhaps he doesn’t touch anything. Perhaps everything continues to work. But afterward, it’s impossible to determine exactly who was there, what was viewed or touched, and whether the environment is still completely reliable. The integrity of those systems is thus called into question.

That is precisely why the Cybersecurity Act looks beyond IT alone. A physical incident does not need to cause visible damage to still have an impact. The mere fact that unauthorized persons have gained access to critical systems can already affect the availability, reliability, and confidentiality of information.

The Cybersecurity Act therefore requires organizations to plan for these types of situations in advance—not only from a technical perspective, but also from an organizational and physical standpoint. Who is authorized to access which areas? Who is responsible for monitoring? And under what circumstances is an incident classified as such?

This also includes the reporting requirement. Significant incidents must be reported within 24 hours, regardless of whether the cause is digital or physical. A situation that starts with an open door or a well-intentioned misjudgment on the job can thus suddenly become a formal obligation.

Board members can no longer remain on the sidelines

The Cybersecurity Act explicitly makes security a management responsibility as well. Managers must approve security measures and possess sufficient knowledge to assess risks.

Security is thus shifting from the operational level to the boardroom. It is not just a matter of costs, but also of continuity, liability, and trust.

From law to practical application

Why a solid physical foundation makes all the difference

The Cybersecurity Act makes it clear that security does not stop at software and systems. Organizations that take their physical security seriously increase their resilience and reduce the likelihood that legal obligations will lead to problems down the road.

Physical security is all about presence, vigilance, and response. It relies on people who notice what’s happening and know when to take action. This isn’t a new concept, but this law does give it a different significance.

This article provides a general overview of the Cybersecurity Act as adopted by the House of Representatives on April 15, 2026. For specific legal guidance, we always recommend consulting the official guidelines issued by the national government.

Would you like to know if your physical security measures meet the requirements of the Cybersecurity Act for your organization? If so, a no-nonsense, practical assessment is a logical first step.

Frequently Asked Questions About the Cybersecurity Act

The Cybersecurity Act is the Dutch implementation of the European NIS2 Directive and sets requirements for both digital and physical security.

For businesses and organizations in critical and essential sectors, such as energy, healthcare, transportation, and digital infrastructure.

Yes. The law requires organizations to secure their buildings, access controls, and surveillance systems related to information systems as well.

Organizations must take demonstrably appropriate measures to manage risks, tailored to their specific circumstances.

Yes. If a physical incident could affect systems or services, it may be subject to mandatory reporting.
