Netherlands (NL)

Current status: National Cyber Security Strategy

The Netherlands first published its national cyber security strategy in 2011. A revised and strengthened strategy, National Cyber Security Strategy 2 - From Awareness to Capability, extends alliances with public and private parties, both national and international, setting out responsibilies and concrete steps for the period 2014-2016. The strategy was developed in consultation with over 130 public and private organisations and the experts forming part of a government-appointed Cyber Security Board.

The Strategy is based on 6 principles:

  • Private-public participation.
  • Focus on networks and strategic coalitions.
  • Clear relationships between the different stakeholders and clear governance model.
  • Capacity building, both at home and abroad: "From awareness to capabity".
  • Risk-based approach: balance between protection of interests, threat to interests and acceptable risks in society.
  • Policy vision.

OBJ #1 - Risk analyses, security requirements and information sharing within critical infrastructure sectors.

OBJ #2 - More active approach to cyber espionage.

OBJ #3 - Feasibility study on separate vital network.

OBJ #4 - Enhancing civil-military cooperation.

OBJ #5 - Strengthening the National Cyber Security Centre

OBJ #6 - International approach to cyber crime: updating and strengthening legislation (including the Criminal Code).

OBJ #7 - Supported standards, ‘security by design’ and ‘privacy by design’.

OBJ #8 - Cyber diplomacy: hub for expertise for conflict prevention.

OBJ #9 - Taskforce on cyber security education.

OBJ #10 - Encouraging innovation in cyber security.

National Cyber Security Strategy

Year of adoption

The National Cyber Security Strategy 2 provides a comprehensive assessment of the cyber risks facing the Netherlands and the best practices needed to address them. Each objective and related action items is mapped to a broad expected delivery date.

NCSS2 comes after a first strategy published in 2011. This first strategy, From Ignorance to Awareness, focused on establishing public-private partnerships, capacity-building and relience-increasing measures (NCSS1). The second strategy, From Awareness to Capacity, is based on the progress resulting from the first strategy and new priority areas emerging since 2011.

Each year, the government publishes its Cyber Security Assessment Netherlands (CSAN) based on a close public-private collaboration, serving also to define future actions to increase resilience.

Updates and revisions 2011 and 2013.
Implementation and monitoring

The Dutch NCSS2 is in line with the fundamental principles of the EU Cyber Security Strategy. Specific implementations include:

- International Security Strategy (EU and global collaborations).

- Defence Cyber Strategy (in increasingly connected society).

- Dutch Digital Agenda (ICT as growth engine).

- Information Security Awareness Strategy (for government administrations and managers through active awareness policy to achieve right level of security, also in view of Digital Government 2017).

- ePrivacy Letters (protection of personal details).

- Telecommunications market (reivew with regard to its role in the digital economy).

The policy letter Protecting Critical Infrastructure 2005 and the Third Progress Letter on National Security 2010 provide an assessment of the quality of the protection of Dutch critical infrastructure.

Main measures  related to businesses and public-private partnerships

One of the tasks of the National Cyber Security Centre (NCSC.NL) is to liaise with the private sector. The Netherlands also hosts two major public-private partnerships on cyber security.
- The ECP is a public-private platform for promoting the use of information and communications technology in the Netherlands. 

- The National Continuity Forum (NCO-T) is a public-private partnership between the government and providers of telecommunications networks.
The Netherlands has also signed a memorandum of understanding on cyber security with Luxembourg and Belgium, including co-operation and expertise-sharing on the development of public-private partnerships.

The Hague Security Delta is a cluster of Dutch companies and other relevant institutions that deal directly with cyber security and the largest in Europe. In June 2016, the HSD took the first steps in connecting to security regions in France, Denmark, Finland and Germany, where the aim is to also create cross-sector co-operation. The other cyber security clusters joining HDS are:

France: Aix-en-Provence, SAFE Cluster | Denmark: Karup, CenSec | Finland: Tampere Region, Safety and Security Cluster | Germany: Karlsruhe, KIT | Germany: Munich, Security Cluster.

Risk assessment plan  
Progress measures



Current status: NIS Directive and national CERTs/CSIRTs

Computer security Response Teams

The National Cyber Security Centre (NCSC.NL) was established in 2012 and incorporated the CERT function. The NCSC.NL is responsible for the coordination of incident response measures for the Dutch government institutions, as well as entities engaged with critical infrastructure.

The NCSS covers multiple functions, such as managing the reporting of cybersecurity incidents with a multi-channel reporting structure to log cybersecurity incidents. The Centre is also responsible for maintaining a national detection response network for the government sector and entities engaged in the event of a cyber security are not publicly available.

Best practices:

The Netherlands has a sophisticated and mature legal and policy framework for cyber security, which includes the National Cyber Security Strategy and renews its cyber security framework every two years.

The Netherlands also has a National Cyber Security Centre, an expanded CERT dealing with all cyber security related procedures and practices in a centralised manner. The centre also actively participates in the work of the Information Sharing and Analysis Centres (ISACs) for sectors involved with critical infrastructure.

Monitoring system

Annual report on progress and bi-yearly renewed strategy.

Report an incident  
Date inserted September 2016


Contact us for more info