Best practice
Recommended additional protections
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
In 2022, the Dutch government’s National Cyber Security Centre (NCSC) published The Netherlands Cybersecurity Strategy 2022–2028, but this provides for high-level and general policy initiatives.
The NCSC serves as the cybersecurity expertise centre in the Netherlands. When faced with threats and responsibilities, the NCSC issues security advice to organisations. The NCSC also provides guidance to the Dutch government and essential organisations on how to better protect themselves from digital threats by sharing information sheets, guidelines and handouts. The website veiliginternetten.nl and the Alert Online campaign provide the public with tips on safe internet usage.
Government incentives
How does the government incentivise organisations to improve their cybersecurity?
The Dutch government has announced it will spend large extra amounts on cybersecurity in the coming years. The new investments are intended to combat cybercrime more effectively, and to make the Netherlands digitally more resilient and secure. Several governmental grants are available in the Netherlands, such as through REACT-EU, the Netherlands Enterprise Agency (RVO) and the Digital Trust Center (part of the Ministry of Economic Affairs and Climate Policy). These grants support programmes that aim to increase cyber resilience across many different industries.
The Cybersecurity Innovation Fund (CIF-NL) (part of the Netherlands Enterprise Agency) provides a grant for Netherlands-based companies or research organisations whose projects contribute to the (continued) development of cybersecurity solutions. This includes small and medium enterprises, large enterprises and research organisations.
The Digital Trust Center (DTC) stimulates partnerships of companies in non-essential sectors with a grant scheme. These could be sustainable collaborations in the chain, region, sector or industry. Projects that increase cyber resilience of companies in a structurally permanent way that is scalable for all entrepreneurs in the Netherlands can receive a grant of up to €200,000.00. There is also a grant scheme for small enterprises (1–50 employees and less than €10 million revenue in the last financial year).
Industry standards and codes of practice
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
NEN-EN-ISO/IEC 27001:2023, the Dutch version of ISO/IEC 27001 on Information security, cybersecurity and privacy protection, is the main industry standard. In addition, certain industries have specific standards, such as the Good Practice of the Dutch Central Bank (DNB) intended for all financial institutions active in the Netherlands. Furthermore, through the TIBER-NL programme, led by the Cyber Unit of the DNB, the financial sector is working together to become more resilient to cyber-attacks.
Responding to breaches
Are there generally recommended best practices and procedures for responding to breaches?
According to the NCSC, organisations should implement and maintain an incident response plan in case of breaches, such as ransomware attacks. Of course, every incident and every organisation is different. The incident response plan therefore does not offer a ready-made solution for all possible situations; it is more of a prompt to get started quickly and thus increase the cyber resilience of organisations. The basic cybersecurity measures for continuity management are also partly reflected in this. Proper backup facilities, tested and verified for integrity and without malware or unwanted encryption, are considered essential. A restore test of an entire volume or system may show what realistic recovery times are.
Voluntary information sharing
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
There are a number of public-private initiatives in the Netherlands that accommodate voluntary sharing of information about cyberthreats. The Electronic Crimes Taskforce (ECTF) is a public-private initiative of the Netherlands National Police, ABN AMRO, ING, Rabobank, Dutch Banking Association, the Public Prosecution Service, and the Centre for Protection of the National Infrastructure (CPNI.NL). The ECTF became operational as of 2011. The ECTF focuses on information sharing at the tactical level, specifically regarding (financial) cybercrime. Aiming at strengthening the intelligence position of all partners, it produces innovative intervention strategies. The ECTF is housed at the Dutch National Police and therefore uses its organisational capabilities, technical features, and communication plans.
Other initiatives that can be named are the Financial Intelligence Unit Netherlands, the Schiphol Public Security Platform (BPVS), Information Sharing and Analysis Centres (ISAC) and the National Detection Network (NDN).
Entrepreneurs can also join the Digital Trust Center (DTC). The DTC helps entrepreneurs to work together with other organisations to increase their digital resilience in and between branches, sectors and regions; it provides organisations with information and advice to increase their cyber resilience, and distributes two types of cyber alerts: information on general serious vulnerabilities in commonly used enterprise software ICT systems; and company-specific threat information.
Public-private cooperation
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
In 2022, the Dutch government published The Netherlands Cybersecurity Strategy 2022–2028 (NCSC), which is the result of a collaboration between public and private parties under the auspices of the National Coordinator for Counterterrorism and Security (NCTV), part of the Ministry of Justice and Security.
The Cyber Security Council (CSR) is a national, independent advisory body of the Dutch government and the business community (through the government) composed of high-ranking representatives from public and private sector organisations and the scientific community. The CSR undertakes efforts at strategic level to bolster cybersecurity in the Netherlands.
The NCSC encourages partnerships to share knowledge, information and support so that digital resilience in the Netherlands can be efficiently addressed. The Digital Trust Center (DTC) encourages partnerships for organisations in non-essential sectors; in certain cases support can be provided through a grant.
Insurance
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance obtainable for most organisations? How common is it?
Cybersecurity insurance has been available in the Netherlands since the early 2000s, marking its presence as a crucial risk mitigation tool in the evolving digital landscape. Over the last two decades, the cybersecurity insurance market in the country has evolved into a mature and well-established sector. It has become a standard policy offering, reflecting the recognition of the pervasive and evolving nature of cyber threats.
Most cybersecurity insurance policies in the Netherlands are designed to provide comprehensive coverage on a cyber-incident basis, addressing both first-party and third-party damages. First-party coverage protects the policyholder against damages resulting from a cyber incident directly affecting their organisation. On the other hand, third-party coverage extends protection to damages incurred by external entities as a consequence of a cyber incident for which the policyholder is held accountable.
These insurance policies typically offer a range of coverage, including incident-response services aimed at effectively managing and mitigating the aftermath of a cyber incident. These services often include IT-forensic research, legal expertise and public relations support. The inclusion of incident-response services underscores the proactive approach taken by insurers to help organisations respond promptly and effectively to cyber threats.
Moreover, cybersecurity insurance policies commonly cover damages arising from criminal activities or fraud, addressing the financial impact of incidents such as ransomware attacks and digital theft. This coverage ensures that organisations have financial protection in place to navigate the potentially devastating consequences of cybercriminal activities.
The prevalence of cybersecurity insurance has grown significantly, making it an integral component of risk management strategies for organisations across various industries. As the frequency and sophistication of cyber threats continue to increase, cybersecurity insurance has become a critical tool for businesses to mitigate the financial and reputational risks associated with cyber incidents.

