Netherlands (NL)

The current cybersecurity strategy of the Netherlands, National Cyber Security Strategy 2 - From Awareness to Capability, covers the period 2014-2016. It revises and reinforces the 2011 strategy, extending alliances with public and private parties, both national and international, and setting out responsibilities and concrete steps over a two-year period. The strategy was developed in consultation with over 130 public and private organisations and the experts forming part of a government-appointed Cyber Security Board.

Obj. 1 - Risk analyses, security requirements and information sharing within critical infrastructure sectors: Within the framework of the protection of critical infrastructure, the government, working with key parties, identifies critical ICT-dependent systems, services and processes. These efforts are linked to a programme that will establish basic security requirements (cyber hygiene) on the basis of risk analyses.

Obj. 2 - More active approach to cyber espionage: The Dutch government is committed to raising awareness among citizens, businesses, organisations and government bodies about information security and privacy. The government also ensures that the issue is prioritised within the intelligence and security services, which will be given the tools to better document cyber threats and investigate and combat advanced attacks. To this end, the intelligence and security services have combined their cyber capabilities in the Joint Sigint Cyber Unit (JSCU).

Obj. 3 - Feasibility study on separate vital network: An exploratory study is conducted to determine whether it is possible and useful, from both a technical and organisational perspective, to create a separate ICT network for public and private vital processes. A separate network widens the range of options for safeguarding the continuity of vital processes. It also makes it possible to set up private, cloud-based data storage, thus strengthening the privacy and integrity of the data in storage or in the cloud concerned.

Obj. 4 - Enhancing civil-military cooperation: Civil and military domains within the digital domain have become more intertwined. Therefore, options for deploying the digital capabilities of the Netherlands Defence organisation on a national level in preventing and countering attacks on the civil infrastructure will be detailed. The central question is how to optimally share knowledge and expertise between civil parties and the Defence organisation.

Obj. 5 - Strengthening the National Cyber Security Centre: The position of the National Cyber Security Centre (NCSC) is bolstered by means of a stronger structure for confidential information-sharing and analysis. Furthermore, the NCSC assumes the role of expert authority, providing advice to private and public parties involved, both when asked and at its own initiative. Finally, based on its own detection capability and its triage role in crises, the NCSC develops into a Security Operations Centre (SOC) in addition to its role as a Computer Emergency Response Team (CERT). The SOC covers the cybersecurity chain: awareness, resilience, detection, reporting and crisis management.

Obj. 6 - International approach to cyber crime: updating and strengthening legislation (including the Criminal Code): There is a need for effective, swift and efficient investigation of cyber crime in accordance with clear rules. Scarce capabilities have to be deployed in a targeted manner among vulnerable sectors and groups. The Netherlands assumes a vanguard role in harmonising legislation governing international investigations, for instance in the Council of Europe. The Netherlands will also work to strengthen and expand international partnerships like EC3, at Europol.

Obj. 7 - Supported standards, ‘security by design’ and ‘privacy by design’: Together with private sector partners, the government works to develop standards that can be used to protect and improve the security of ICT products and services.

Obj. 8 - Cyber diplomacy: hub for expertise for conflict prevention: The Netherlands aims to develop a hub for expertise on international law and cyber security. The goal of the hub for expertise is to promote the peaceful use of the digital domain. To this end, the Netherlands combines knowledge from existing centres. The centre brings together international experts and policymakers, diplomats, military personnel and NGOs.

Obj. 9 - Taskforce on cyber security education: To enlarge the pool of cyber security experts and enhance users’ proficiency with cyber security, the business community and the government join forces to improve the quality and breadth of ICT education at all academic levels (primary, secondary and professional education). A PPP taskforce on cyber security education is set up which will focus on giving advice about cyber security education.

Obj. 10 - Encouraging innovation in cyber security: There is a need for more coordination of supply and demand, which can be achieved by linking innovation initiatives to leading sector policy. In addition, the government, the business community and the world of academia will launch a cyber security innovation platform where start-ups, established companies, students and researchers can connect, inspire one another and attune research supply and demand.

 

NATIONAL CYBER SECURITY STRATEGY - NIS Capacities

Year of adoption

2013; 2011

The first strategy, From Ignorance to Awareness, focused on establishing public-private partnerships, capacity-building and resilience-increasing measures (NCSS1). The second strategy, From Awareness to Capacity, is based on the progress resulting from the first strategy and new priority areas emerging since 2011 with a focus on:

  • Private-public participation.
  • Focus on networks / strategic coalitions.
  • Clarifying the relationships between the various stakeholders.
  • Capacity-building both in the Netherlands and abroad.
  • Risk-based approach: balance between protection of interests, threat to interests and acceptable risks in society.
  • Presentation of (policy) vision.
  • From awareness to capability.

Updates and revisions

The Dutch cybersecurity framework is renewed every two years.

In August 2017, the Dutch government published Cyber Security Assessment Netherlands 2017: Digital resilience is lagging behind the increasing threat (https://www.ncsc.nl/english/current-topics/Cyber+Security+Assessment+Net...). The report highlights the need for more intensified actions in view of the fast evolving threat landscape, including new vulnerabilities related to the Internet of Things (IoT). More government investments are required to improve knowledge and expertise, strengthen co-operation between businesses, education and critical infrastructures, build more effective public-private partnerships, detect digital threats and combat cybercrime.

In February 2017, the Dutch government announced it was working towards strengthening the country's approach to diplomacy, defence and development to address the growing threat of cyber attacks from hostile countries and criminals. To this end, it will supplement international laws to suit the needs of the new digital world, as well as take actions to build trust across countries.

The 2014-2016 strategy is in line with the fundamental principles of the EU Cyber Security Strategy. Its aim is to ensure the Netherlands has a secure, free and open Internet, with greater protection of critical infrastructure, such as government, energy, banks and others, against cyber attacks. To this end, the Netherlands will push for an alliance of countries, international organisations, the IT community, academics and civil society. The country therefore intends to take a leading role in building a strong cyber defence alliance through NATO. It also encourages co-operation with other countries in tracking down cyber criminals. The Dutch government also wants to improve international agreements on online security.

Operational capacity building

The National Cyber Security Centre (NCSC.NL) was established in 2012 and incorporates the Dutch Computer Emergency Response Team (CERT) for the Dutch central government. NCSC.NL is responsible for the coordination of incident response measures for Dutch government institutions, as well as entities engaged with critical infrastructure.

The NCSS covers multiple functions, such as managing the reporting of cybersecurity incidents with a multi-channel reporting structure to log cybersecurity incidents. The Centre is also responsible for maintaining a national detection response network for the government sector and entities engaged in the event of a cyber security are not publicly available.

The centre also actively participates in the work of the Information Sharing and Analysis Centres (ISACs) for sectors involved with critical infrastructure.

Legal conditions

The Netherlands has a sophisticated and mature legal and policy framework for cybersecurity, which includes the National Cyber Security Strategy 2.

Information security is covered largely by the Government Decision on Information Security — Special Information 2013 and by Guidelines of the NCSC NL:

  • There is no specific legal requirement for the establishment of a written information security plan.
  • There is, however, legislation that requires an inventory of systems and classification of data based on specific risk levels.
  • There is a legal requirement for each information system to go through periodic audits but no mandatory timeframe is set. The annual CSAN reports do not cover an audit of cybersecurity practices and procedures. However, the CSAN contains a general cyber-risk assessment for the Netherlands, supported by incident data and a detailed analysis of detected cyber threats.
  • There is no legal requirement that each agency have a chief information officer or chief security officer. The legislation on information security details the duties and responsibilities of security officers, which should be assigned at ministerial level but without the obligation for each ministry to assign such a role.

Reporting: there is currently no mandatory requirement to report a cyber incident.

Critical infrastructure: Both the policy letter Protecting Critical Infrastructure 2005 and the Third Progress Letter on National Security 2010 include appropriate definitions for "critical infrastructure protection".

Accreditation/certification schemes: The Netherlands recognises international certification schemes for information security but only has local accreditation requirements for organisations handling some specific Government classified material.

ePrivacy: In May 2013, the government’s vision on e-privacy was published. The aim is to enable citizens to better control their personal information through the inclusion of the requirement of consent. Organisations are obliged to carefully, transparently and legally handle any information issued by citizens, and citizens should be able to call organisations to account.

Public Private partnerships

The Dutch government is actively seeking to make the Netherlands a global leader on cyber issues.

One of the tasks of the National Cyber Security Centre (NCSC.NL) is to liaise with the private sector. The Netherlands also hosts several public-private partnerships on cyber security.

The ECP is a public-private platform for promoting the use of information and communications technology in the Netherlands. 

The European Network for Cyber Security is a network of representatives from academia, government and business.

The Netherlands has also signed a memorandum of understanding on cyber security with Luxembourg and Belgium, including co-operation and expertise-sharing on the development of public-private partnerships.

The Hague Security Delta (HSD) is a cluster of Dutch companies and other relevant institutions that deal directly with cyber security, and is the largest in Europe. In June 2016, the HSD took the first steps in connecting to security regions in France, Denmark, Finland and Germany, where the aim is to also create cross-sector co-operation. The other cyber security clusters joining HSD are: France: Aix-en-Provence, SAFE Cluster | Denmark: Karup, CenSec | Finland: Tampere Region, Safety and Security Cluster | Germany: Karlsruhe, KIT | Germany: Munich, Security Cluster.

Other capacity-building measures: research and education

A PPP taskforce on cybersecurity education is set up which will focus on giving advice about cybersecurity education. The 2014-2016 strategy steps up efforts to improve the quality and breadth of ICT education at all academic levels (primary, secondary and professional education).

The government, the business community and academia will launch a cybersecurity innovation platform where start-ups, established companies, students and researchers can connect, inspire one another and attune research supply and demand. The PPP implementation of the second edition of the National Cyber Security Research Agenda (NCSRA) will also contribute to this development.

Implementation and Monitoring

The Netherlands produces an annual report on cyber security (CSAN - Cyber Security Assessment Netherlands): 2016 Report.

Reports are based on a close public-private collaboration, serving also to define future actions to increase resilience.

Latest update

July 2017

 

Compliance with the GDPR and NIS Directive: Report a cyber incident

Report a cyber incident to national CERT/CSIRT

The NCSC NL has a National Cyber Security Operations Centre (NCSOC) which is available 24/7 as a reporting centre. It detects new threats and vulnerabilities and provides its network of contacts with leads. Strengthening the NCSC makes it possible to scale up and realise a joint analysis and incident approach more quickly in an emergency.

The NCSC supports the central government of the Netherlands and providers of vital processes. These organisations can report a cyber incident and similar problems by contacting the NCSOC and CERT inside and outside office hours via cert@ncsc.nl.

NCSC NL

Best practices

The Netherlands has a sophisticated and mature legal and policy framework for cyber security, which includes the National Cyber Security Strategy, and it renews its cyber security framework every two years.

The Netherlands National Cyber Security Centre works as an expanded CERT dealing with all cybersecurity related procedures and practices in a centralised manner. The centre also actively participates in the work of the Information Sharing and Analysis Centres (ISACs) for sectors involved with critical infrastructure.

Guidance and Updates

The NCSC is constantly working on preventing and responding to cyber-attacks. This is done by scanning hundreds of sources on the internet. This consequently provides the NCSC with continuous insight into current threats. Incident Response provides the NCSC with content for the fulfilment of its mission: it contributes to increasing the Dutch society's ability to defend itself in the digital domain, and consequently to creating a safe, open and stable information society.

It runs a monitoring service that permanently scans hundreds of information sources for viruses and vulnerabilities.

The National Detection Network (NDN) is a partnership for better and faster detection of digital dangers and risks. By sharing information about threats, parties can take appropriate measures in a timely manner under their own responsibility, to limit or to prevent possible damage.

The NCSC reports both on cyber security events and risk intelligence, e.g. NCSC releases factsheet Indicators of Compromise (June 2017).

Languages: Dutch and English (most information is available in English)
Latest update: July 2017

 
