Cybersecurity and business in the Netherlands

Since the DigiNotar hack in 2011, the Dutch Government has been thinking about the digital protection of vital sectors of Dutch society. Since 1 January 2012, the National Cyber Security Centre (NCSC) has had the task of guarding the cyber security of vital parts of society. These tasks were then laid down in the Cyber Security Act and subsequently expanded in its successor, the Network and Information Systems Security Act (Wbni). For an outline of this Act, see this article.

This overview will show how the rest of the corporate and industrial companies in the Netherlands are protected by the Dutch government.

Digital Trust Center

What does the Dutch government do about digital threats and threats to businesses? And with that, the question is when does the government share threat information with Dutch businesses, and when does the Dutch government come to the rescue, in case of a concrete threat?

The Digital Trust Center (DTC) has a role to play here. The DTC was established in 2018 as a result of a motion passed in the House of representatives. The House of representatives expressed the need for the establishment of a centre (DTC) that:

"can inform and advise companies and social organisations about, as well as offer concrete help and support in improving their cyber security and repelling hacker attacks". (Parliamentary Papers II, 26 642, no. 474 - Motion Hijink/Tellegen).

The DTC falls under the Ministry of Economic Affairs and Climate (EZK).

No legal basis (yet) for receiving specific threat information

At the end of 2021, there is still no legal basis that specifically provides for the Ministry of Economic Affairs to receive, process and share personal data. And that is important because personal data is often part of concrete and specific threat information. Without a legal basis to provide personal data, it is therefore often not possible to exchange threat information.

Bill - DTC tasks

That is why there is now a bill entitled 'Act to Promote Digital Resilience in Businesses'. A very important point of this bill is that it aims to provide a legal basis for the sharing of personal data as part of threat intelligence.

The bill lays down the tasks of the DTC. The two main tasks of the DTC are i) to inform and advise, and ii) to facilitate cooperation between private parties.

Situation at the end of 2021 for 'non vital companies’

At the moment, it is therefore not easy for Dutch companies to inform themselves, or have themselves informed, of concrete threats. Moreover, the government has already indicated in the Explanatory Memorandum that it is not the intention that the government will act as a 'digital fire brigade'. So there is certainly a considerable challenge for businesses in the Netherlands to obtain the right information on cyber threats on time.

In September 2021, the DTC did receive the Objectively Recognisable Task (OKTT) status from the National Cyber Security Centre (NCSC). This means that the DTC can already receive concrete threat information from the NCSC. It is therefore not only important to be well informed about the legal possibilities, but also certainly to follow news events closely.

Quick scan

At Ploum, we are happy to help you and your company find the right information to protect your company against cyber security incidents. For example, we can perform a Quick Scan to provide an overview of the possibilities for your company and the rules that apply to your company in the field of cyber security.