On August 15, 2026, the Cybersecurity Act (Cbw) will take effect. This is the Dutch implementation of the European NIS2 Directive. The law imposes stricter requirements on the digital resilience of organizations that are critical to society, such as banks, energy companies, and hospitals.
A logical question we’ve been hearing more often lately is: Does this law also apply to SCOPE? The short answer is: no, not directly. But we’ve thoroughly looked into it—and we’re ready.
We’ve checked it out
We completed the Dutch government’s official NIS2 self-assessment as part of our ISO 27001 process. The result is clear: the Cybersecurity Act does not apply to SCOPE.
This is mainly due to our size. We’re a small company with fewer than 50 employees. As a result, we’re exempt from the law, even though our type of service (IT services) is included among the sectors listed in the law.
In practical terms, this means we don’t have to register and don’t have our own reporting obligation under the Cybersecurity Act.
But “not required” is not the same as “doing nothing.”
And here lies the most important point. Many of our clients—financial institutions—are subject to strict cybersecurity regulations: the Cybersecurity Act, or, for the financial sector, the European DORA regulation. As their software provider, we are part of their supply chain. They are therefore entitled to expect that our security measures are in order.
Even though the law doesn’t explicitly require us to do so, we take our role in that chain seriously. In fact, we’ve been doing so for quite some time.
How we demonstrate this: ISO 27001
SCOPE has been ISO 27001:2022-certified since March 2026. This is the international standard for information security, assessed by an independent third party. Our management system covers precisely the areas that the Cybersecurity Act deems important:
- risk management;
- incident handling and reporting;
- business continuity;
- security of our own supply chain.
We document this, evaluate it regularly, and are happy to share the proof—our certificate—with customers who request it, for example, for their own audits or for their regulatory authority.
In short
For SCOPE, the Cybersecurity Act doesn’t change much: we were not subject to it, and this has been confirmed following an assessment. For our clients, that’s actually good news. We are a reliable partner that has everything in order, with an independent ISO 27001 certificate to prove it.