Netherlands (NL)

The third Dutch national cybersecurity strategy, Cyber Security Agenda - A Cyber Secure Netherlands, was implemented in 2018, following on from the first strategy in 2011 and the second in 2014.

The overarching objective of the new strategy is ensuring the Netherlands plays a leadership role in cyberseurity with knowledge development at the forefront.

The strategy came into force through a coalition agreement and €95 million structural funds with resources allocated for improving staff capacity and expanding IT facilities with the involvement of mutliple government departments: Justice and Security (NCTV), Defence (MIVD), Interior and Kingdom (AIVD), Foreign Affairs, Infrastructure and Environment, Economic Affairs. NCTV, the Minstery of Education, Culture and Science, and the Netherlands Organisation for Scientific Research are tasked with overseeing cybersecurity education through Dcypher (Dutch cybersecurity platform higher education and research), which is now part of the Dutch Security Cluster.

Overall, the strategy covers the following strategic goals in the ENISA classification: Cybercrime, Critical Information Infrastructure Protection, international cooperation, public-private partnership, incident response capability, baseline security requirements, training and educational programmes.

EDUCATION AND TRAINING IN NATIONAL CYBER SECURITY STRATEGY

Knowledge Development: Measures	The 2018 Cyber Security Agenda stresses the urgent need to maintain and deepen high-quality cybersecurity knowledge development of both fundamental and applied cybersecurity research as crucual for implementing measures to avoid existing and new digital threats from increased digitisation. In this respect, the Agenda calls for standards for IoT devices, software liability measures and the strengthening of the National Cyber Security Centre (English). The key target for boosting national expertise in cybersecurity spans: Ensuring autonomous knowledge and avoiding over-reliance on other countries, including the supply of technology solutions. Transforming outcomes of monodisciplinary and interdisciplinary (arts, science, humanities) research into short and long-term solutions with coverage of the entire knowledge chain. Ensuring that research is of a high standard led by Dutch universities, universities of applied sciences, the Netherlands Organisation for Scientific Research (NWO), businesses and central government. Conducting subsequent reviews of national investments to maintain talent and knowledge position, with possible multi-year investment boosts. Filling gaps in growing demand from the business community and public authorities for innovative solutions for cybersecurity issues and well-trained personnel, thereby avoiding lack of knowledge and insufficient resilience to cyber threats. Improving the knowledge of citizens and businesses so they can better protect themselves from cyber threats.
Education and Research	Higher education: NCTV, the Minstery of Education, Culture and Science, and the NWO are tasked with tracking higher education in the Netherlands, comparing degree programmes and assessing the skills of recent graduates entering the labour market. The National Cyber Security Agenda calls upon these policymakers to analyse the differences between the curricula (supply) and requirements for well-trained personnel (demand). It also highlights the need to pay greater attention to ensuring there is sufficient teaching capacity in all relevant disciplines. Schoolchildren: Digital literacy for primary and secondary education is part of the national curriculum with an educational review becoming law in 2019. However, the risks facing young children in the digital world means that the educational sector needs to continuously renew and anticipate developments in an evolving landscape. Therefore the Agenda pushes forward such revisions through cooperation between teachers, pupils, parents, educational institutions and the professional field. The Dutch Agenda for Cyber Security implements three measures with the overarching goal of ensuring that the Netherlands conducts high-quality cybersecurity research, building on its long-term knowledge development programme with the involvement of the academic community while making sure there are enough academics available to acquire an independent knowledge position in cybersecurity. A complementary goal is ensuring that citizens and businesses understand the importance of tackling cyber threats and building resilience to cybercrime. The three measures are: Structural investments in fundamental and applied research based on a multi-year public-private approach and with the aim of boosting high-quality cybersecurity knowledge development. Alongside this measure, there will be an investigation into how various initiatives, programmes and instruments on cybersecurity can be better aligned with each other. These steps will take on board the Verhoeven/Rutte motion of 2017 (Source: Hague Security Delta, 19 December 2017). Financial incentives will be the main trigger for implementing this measure. Digital skills, media literacy and cybersecurity are explicit focus areas in the integral review of the primary and secondary school education curriculum supported by the national Knowledge Net (Kennisnet) funded by the Ministery of Education, Culture and Science. The government will encourage the business and civil society organisations to further develop the digital skills of employees and citizens while ensuring continuity and cohesion between communications campaigns with a view to maximising their impacts and taking into account the latest insights into behavioural sciences. The Dutch National Cyber Security Centre has published a Research Agenda 2019-2022 with a focus on crisis management, risk management, strategic and social aspects of cybersecurity and new technologies with the aim of implementing related measures in the national cybersecurity strategy. NCSRA-II implements the objective on ensuring there is sufficient cybersecurity knowledge and expertise alongside a boost to investments in IT innovations. NCSRA-III (2018) is focused on the research callenges in cybersecurity and privacy based on five pillars: Design, Defence, Attacks, Governance and Privacy.
Higher Education Courses on Cybersecurity	University of Amsterdam – Master Degree in Security and Network Engineering. Year established: 2003. European Credit Transfer System (ECTS): 50. Focus: System security, network security, component security, SW security. University of Twente and TU Delft - 4TU Cybersecurity Master Specialization. Year established: 2015. Student Intake: 55. European Credit Transfer System (ECTS): 120. Focus: System security, network security, component security, SW security. Eindhoven University of Technology – Master Degree in Secure Development. Year established: 2015. Student Intake: 50. European Credit Transfer System (ECTS): 120. Leiden University - Master in Cybersecurity Governance Master in Crisis and Security Management Leiden University - Cyber Security Academy NCSC: Cooperation with Leiden University, Delft University of Technology and the Hague University of Applied Sciences.
Awareness Campaigns	Study findings have made the catch-up of current generations a key prirority (National Cybersecurity Awareness Study 2017; National Cybersecurity Awareness Study 2019; in Dutch). This research reveals that citizens and businesses are not sufficiently aware of the dangers of the digital world, calling for measures to safguard them from the inherent risks. The business community and the government have already invested heavily in the awareness of citizens and small businesses on cyber threats through several campaigns such as: Veiliginternetten.nl (Dutch). Alert online (Dutch). Maakhetzeniettemakkelijk.nl (Dutch). Veiligbankieren.nl (Dutch). However, greater public-private cooperation can further boost these efforts by prioritising more cohesion into communications campaigns in the public domain. This also applies to the efforts of employers to make staff more digitally skilled and keep them up to date on cyber risks. Such approaches should be underpinned by digital guides on basic security measures for both businesses and citizens as a starting point for a stronger security posture and as a lever for further measures to be put in place.
Public-private partnerships	A key target of the Dutch 2018 cybersecurity strategy is having an integrated and strong public-private approach to cybersecurity with the NCTV taking the lead in promoting and ensuring the improvement of cybsecurity through a concerted effort by public authorities, the business community, science and civil society. Close public-private cooperation is the key to successfully designing, developing and assessing the approach taken, closely following the evolving threat landscape and linking effective market initiatives to the wider picture of the national strategy, such as including cybersecurity into the Corporate Governance Code, thereby making it subject to audit and review. The Agenda stipulates the following: Private sector: Making more concerted and cohesive efforts for the enhancement of cybersecurity. Public sector: Stepping up efforts in protecting essential digital services from failure, sabotage and disruption. This entails not only optimising digital services and guaranteeing high-quality services but also investing in information and cyber security and prioritising the availability and continuity of services. Government: Having a strong security posture and ensuring resilience to cyber-attacks under the coordination of the Board for Digital Government, including actions to be undertaken at inter-governmental level. Specific objectives are aimed at ensuring: Government has a coordinating role in the integrated approach to strengthening cybersecurity in the Netherlands. Dutch businesses, citizens and government organisations implement their respective responsibilities, rights and obligations with regard to cybersecurity. Coherent package of measures is in place to enhance the security of digital government in terms of the basic digital infrastructure, further standardising and harmonising frameworks of norms and information security, including the creation and implementation of a Government Information Security Baseline. Efforts must also be taken to reduce administrative burdens on municipalities for information security, including the bundling of audits and assessments in a single chain of accountability. Information and cyber security are embedded in the Digital Government Act. Measures: Ensuring the strenghtened coordination of the integrated approach under the responsibility of NCTV. Setting up a cybersecurity alliance committed to ensuring that public and private parties implement the measures of the national agenda. Monitoring the approach adopted under NCTV coordination and in cooperation with all parties involved and recalibrating actions based on technological and social developments. The first assessment of the Agenda measures will take place in 2021. Reinforcing cooperation between public authorities and the business community by creating a nationwide network of cybersecurity partnerships, where big companies will support small firms in increasing their knowledge. Implementing a coherent package of measures for information and cyber security in public administration as part of the broad agenda for digital government and coordinated through a dedicated forum.
IT/Cyber Clusters	The Dutch security cluster The Hague Security Delta is a network of businesses, governments and knowledge institutions, that work together on knowledge development and innovation in security. Their common goal is making the world more secure with more business activity and more jobs. The cluster is supported by the HSD Office with the goals of: Accelerating collaboration in the Dutch security cluster, connecting businesses, governments and knowledge institutions and facilitating knowledge sharing between them. Adopting a triple-helix cooperation approach: The Value of Cooperation - Innovation in Dutch Security in Perspective. Seting up innovation programmes that are open to all who are interested. In June 2016, the HSD took the first steps in connecting to security regions in France, Denmark, Finland and Germany, where the aim is to also create cross-sector co-operation. The other cyber security clusters joining HDS are: France: Aix-en-Provence, SAFE Cluster \| Denmark: Karup, CenSec \| Finland: Tampere Region, Safety and Security Cluster \| Germany: Karlsruhe, KIT \| Germany: Munich, Security Cluster. The ECP (Dutch) is a public-private platform for promoting the use of information and communications technology in the Netherlands. The Netherlands has also signed a memorandum of understanding on cyber security with Luxembourg and Belgium, including co-operation and expertise-sharing on the development of public-private partnerships.
EU Cyber Professional Register for national stakeholders	The CYBERWISER.eu CyPR is all about boosting opportunities in the cybersecurity marketplace. This European Cybersecurity Professional Register is the place where professionals, juniors or seniors, age can promote their specific skill sets and experiences in cybersecurity, courses taken and qualifications. Organisations of any size or sector from SMEs to large companies and public institutions can find and contact the right skills and experiences they need to improve their IT security posture.
Latest Update & Disclaimer	January 2021. The information contained here is based on desk research carried out by CYBERWISER.eu, including the ENISA interactive maps on national strategies and educational courses.

Cysersecurity Response Teams: GDPR and NIS Directive Compliance and Notification

Role of National Centre	The National Cyber Security Centre (NCSC) is the central information hub and centre of expertise for cyber security in the Netherlands. NCSC's mission is to contribute to the enhancement of the resilience of Dutch society in the digital domain, and thus to create a secure, open and stable information society. On an international level the NCSC is the Dutch point of contact in the field of ICT threats and cyber security incidents. The NCSC is also a key figure in the operational coordination at a major ICT crisis and the Computer Emergency Response Team (CERT) for the Dutch central government. The main activities of the NCSC are: Response to threats and incidents. Perception and action prospects. Improving crisis management Cyber security collaboration platform.
Report a cyber incident to national CERT/CSIRT	The NCSC NL has a National Cyber Security Operations Centre (NCSOC) which is available 24/7 as reporting centre. It detects new threats and vulnerabilities and provides its network of contacts with leads. By strengthening the NCSC, scaling up and realising a joint analysis and incident approach more quickly is possible in an emergency. The NCSC supports the central government of the Netherlands and providers of vital processes (Dutch). These organisations wishing to report a cyber incident and similar problems can contact the NCSOC and CERT inside and outside office hours via cert@ncsc.nl. NCSC NL Team Email 1: info@ncsc.nl Team Email 2: cert@ncsc.nl Telephone: +31 70 751 55 55 Public PGP Key
Best practices	The Netherlands has a sophisticated and mature legal and policy framework for cyber security, which includes the National Cyber Security Strategy and renews its cyber security framework every two years. The Netherlands National Cyber Security Centre works as an expanded CERT dealing with all cybersecurity related procedures and practices in a centralised manner. The centre also actively participates in the work of the Information Sharing and Analysis Centres (ISACs) for sectors involved with critical infrastructure.
Languages	Dutch and English (most information is available in English)
Latest Update & Disclaimer	January 2021. The information contained here is the result of desk research carried out by CYBERWISER.eu.

EDUCATION AND TRAINING IN NATIONAL CYBER SECURITY STRATEGY

Cysersecurity Response Teams: GDPR and NIS Directive Compliance and Notification

CYBERWISER.eu Cyber Range & Capacity Building in Cybersecurity

Error