The 24-Hour Rule: Navigating the AVG and NIS2 Overlap
The biggest myth in Dutch cybersecurity is that you have three days to catch your breath after a breach. The AVG (GDPR) does give you 72 hours to notify the Autoriteit Persoonsgegevens (AP) of a personal data breach, but the new Cyberbeveiligingswet (CbW), the Dutch implementation of NIS2, adds a second, much shorter clock for thousands of Dutch organizations. The 72-hour window does not disappear; it simply stops being the first deadline you hit.
If a "significant incident" hits your organization in 2026, you have 24 hours from the moment you become aware of it to send an early warning to the authorities. At Forculus, we call this the "Golden Day": the window in which your response defines whether you are seen as a victim or as a negligent party.
Why the "Dual-Report" is the New Normal
In the past, you reported to the Autoriteit Persoonsgegevens (AP) if you lost a laptop or a database. Today, a single ransomware attack often triggers two separate legal alarms:
AVG Alarm: Because personal data is at risk.
CbW/NIS2 Alarm: Because your digital services or infrastructure are disrupted.
The Three-Phase NIS2 Clock
Unlike the AVG's single 72-hour notification (which may be supplemented in phases, but is essentially one filing), the CbW requires a phased "triple-step" approach that keeps the NCSC informed as the crisis evolves:
T+24 Hours (The Early Warning): A high-level alert, counted from the moment you become aware of the incident. You don't need the root cause yet. You state that a significant incident has occurred, whether you suspect a malicious or unlawful cause, and whether cross-border impact is likely.
T+72 Hours (The Incident Notification): Now you provide the technical meat: an initial assessment of severity and impact, which systems and services are affected, and, where available, indicators of compromise. The authorities may also ask for intermediate status updates after this point.
Roughly T+1 Month (The Final Report): Due no later than one month after the 72-hour notification. A comprehensive report covering the "how" (type of threat or root cause), the severity and impact, the mitigation measures taken and still ongoing, any cross-border impact, and the "what next" to prevent a repeat performance. If the incident is still ongoing at that point, you submit a progress report and deliver the final report once the incident is handled.
One Incident, One Truth
The biggest risk in a dual-reporting scenario isn't the deadline itself; it's inconsistency between the two reports.
Forculus Pro-Tip: Create a "Single Source of Truth" incident log with a single timeline (one timestamp for when you became aware, one for containment, one for each fact established). Your Legal team (focused on the AP) and your IT/Security team (focused on the NCSC) must be looking at the same data in real time, and both notifications must be derived from that log rather than written from memory. If you tell the AP the data is "securely encrypted" while telling the NCSC you have "total system compromise," you are inviting a regulatory audit from both sides.
Avoid the "Silo Trap": The two regulators ask different questions of the same incident. The AP wants to know: how does this harm the privacy of our customers and employees? The NCSC, and your sectoral supervisor such as the RDI, wants to know: how does this harm our business continuity, our customers' services, or the Dutch economy? The facts must be identical; only the emphasis differs.
Practical Steps for Your Incident Response Plan (IRP)
To survive the first 24 hours, your IRP needs to be more than a dusty PDF. It needs to be a battle-tested protocol:
Establish a "Lead Reporter": Appoint one person, with a named deputy, to coordinate both notifications so the story remains consistent across the AP filing and all three NIS2 phases.
Draft Templates Now: Don't write your 24-hour alert during the panic of an actual breach. Have templates for the early warning, the 72-hour notification, the final report, and the AP notification approved by Legal today, with the fields each regulator expects already laid out.
Define "Significant": The law's definition is qualitative (severe operational disruption or financial loss, or considerable damage to others), so you have to translate it into your own metrics. Work with Forculus to set the specific thresholds for your business: does a 4-hour outage of your customer portal count as "significant"? How many affected customers? You need to know before the clock starts, because the 24 hours run from the moment you are aware, not from the moment you have decided.
In 2026, the Dutch regulators aren't looking for perfection; they are looking for transparency and speed. The 24-hour early warning is deliberately designed not to require all the facts, so waiting 72 hours to "get all the facts" is itself a compliance failure. Companies that report early and honestly, and then refine their account in the later phases, generally face far less scrutiny than those that stay silent until the picture is complete. By aligning your reporting tracks now, you move from reactive chaos to proactive resilience.
