Assessing Whether Your Organization Falls Under the New Regulation
The first step is a process called self-identification. For an entity to become a provider of a regulated service, it must meet the following three criteria:
- Operates in a regulated sector – for example in energy, healthcare, transport, water management, industry, or digital infrastructure
- Provides a specific regulated service listed in the decree on regulated services
- Reaches a certain size or significance – typically medium and large enterprises (50 or more employees or turnover exceeding 10 million euros)
The law does not apply to small and micro enterprises or to entities outside regulated sectors.
Registration Obligation
If an organization meets the above criteria, it will be classified into one of two regimes:
- Lower regime – includes basic security measures
- Higher regime – applies to key services and imposes stricter requirements
Organizations have 60 days from the effective date of the law (until December 31, 2025) to register their regulated services through the NUKIB Portal.
After registration, a one-year transitional period begins for implementing all required measures. Companies must fulfill their obligations by the end of 2026 at the latest.
Why It Pays to Start Now
The new Cybersecurity Act ensures that entities in economically significant sectors have a basic standard of protection in place.
Early preparation helps to:
- Meet legal requirements
- Reduce the risk of outages, data loss, or reputational damage
Organizations should therefore at a minimum:
- Evaluate the current level of security and compare it with the requirements
- Conduct an asset inventory and risk analysis
- Initiate processes for implementing the required security measures
Need help with compliance?
Cybreg helps you with the complete implementation of Cybersecurity Act requirements – from asset management to generating audit documentation.