National Cyber Security Agenda - ENISA · A cyber secure Netherlands National Cyber Security Agenda...

A cyber secure Netherlands National Cyber Security Agenda | 1

National Cyber Security AgendaA cyber secure Netherlands


ContentsForeword 5

Summary 7

Cyber security: the foundation for economic opportunity and social values 9

Espionage, sabotage and professional crime: threats in the digital domain 11

Strategic principles 13

The National Cyber Security Agenda 171. The Netherlands has adequate digital capabilities to detect, mitigate

and respond decisively to cyber threats 192. The Netherlands contributes to international peace and security in

the digital domain 233. The Netherlands is at the forefront of digitally secure hardware and

software 274. The Netherlands has resilient digital processes and a robust

infrastructure 315. The Netherlands has successful barriers against cybercrime 356. The Netherlands leads the way in the field of cybersecurity

knowledge development 397. The Netherlands has an integrated and strong public-private

approach to cybersecurity 43


Foreword

Security in the digital domain is a top priority for thecabinet. This is why we committed to a structuralinvestment of 95 million euros in cybersecurity in thecoalition agreement. In recent months, variousdepartments, in close cooperation with parties in thepublic and private sectors, the scientific community andsociety, have been hard at work on an ambitious,government wide National Cyber Security Agenda. As thecoordinating Minister for cybersecurity, I am proud topresent the product of this successful cooperation!

We have formulated seven challenging ambitions whichcollectively will contribute to a secure, digitalNetherlands. What is crucial to all of this is that theNetherlands has adequate digital capabilities to detect,mitigate and respond decisively to cyber threats .Government bodies and private organisations in theNetherlands must cooperate on for an effectiveintegrated approach to cybersecurity. If all parties fulfiltheir responsibilities and have adequate capabilities andresources, then we can react decisively to digital threats.

For the government, this means above all: a strongcoordinating role which stimulates and creates thenecessary preconditions. This is to ensure that thebusiness community and the citizens can shape theirown digital security and resilience because, after all, theyremain responsible for this themselves. If we are tocontinue to be able to exploit the opportunities ofdigitalisation in the long-term we must be able tosecurely navigate the digital world. Cybersecurity is thefoundation for all successful entrepreneurship andadministration and for confidence in the digital domain:this shared interest means that we are mutuallydependent and share responsibility for national security.Because national borders play hardly any role at all in thedigital world, the approach will also have to be stronglyinternationally oriented. The Netherlands must thereforealso continue to work on strengthening digital security atthe EU and NATO level.

Over the coming months, we will further elaborate theambitions from the National Cyber Security Agenda intoconcrete measures in close cooperation with thedepartments and other partners involved.

Of course, this agenda is not set in stone. Over thecoming years, it will be important to keep a finger on thepulse to closely follow technological and socialdevelopments to see where new digital vulnerabilitiesand threats may occur.

In presenting this National Cyber Security Agenda we aretaking a crucial step towards a more secure digitalNetherlands. This is the basis upon which we cancontinue to build towards a secure digital domain inwhich citizens, businesses and government agencies cancapitalize on the economic and social opportunitiesoffered by digitalisation!

Ferd GrapperhausMinister of Justice and Security


The Netherlands is in an outstanding position tocapitalize on the economic and social opportunities ofdigitalisation. At the same time, vulnerabilities andthreats in the digital domain are increasing. The threatfrom professional criminals is growing and continues todevelop. State actors focus on digital economic andpolitical espionage and on making preparations fordigital sabotage. Not only are the number of countriesthat are developing digital attack capabilities increasing,the attacks that are carried out are also becomingincreasingly complex. This forms a direct threat to oureconomic interests and national security.

These developments call for an increased effort tostrengthen the approach to cybersecurity and therebybetter protect the vital interests of the Netherlands. TheNational Cyber Security Agenda (NCSA) sets out theframework for the next step required in cybersecurity.The joint direction is laid out and various measures areconsidered collectively. This enhances the impact ofpublic and private actions. The following principles areleading here:• Cybersecurity is inextricably linked to national

security: as a result of digitalisation, national securityinterests are vulnerable to digital attacks.

• Security in the digital domain can only be shaped incooperation with and in part by the businesscommunity. Public-private cooperation thereforeforms the basis for the Dutch approach tocybersecurity.

• The government represents public interests: a digitalsecure Netherlands, by recognizing threats to vitalinterests and by strengthening resilience. The businesscommunity and citizens are encouraged to shape theirown responsibilities and security. In addition, thegovernment, as a public body, is obliged to have thecybersecurity of its own processes in order and to set agood example as a launching customer.

• Knowledge is crucial to cybersecurity: sharing theavailable knowledge and promoting informationsharing by the public and private sector is needed tostrengthen cybersecurity across the board. In addition,

Summary

it is necessary to (continue to) stimulate bothfundamental and applied research into cybersecurity,to develop the Dutch cybersecurity knowledgeposition.

• The objective is the mainstreaming of cybersecurity:digital security must be part of the everyday processesof every organisation.

• The digital domain is not confined by nationalborders. A Dutch approach to cybersecurity must takethe international dimension into account of data,connections, internet governance and actors whocarry out digital attacks. A more secure digital domainis therefore one of the Netherlands’ priorities in,amongst others, NATO and the EU.

• Finally: the tension between the interests of freedom,security and economic growth is inherent in thedevelopment of cybersecurity. By taking this intoaccount, we want to weigh the dilemmas incybersecurity more explicitly and set the course basedon transparent and substantiated decision-making.

The NCSA comprises seven ambitions that contributetowards the following objective: The Netherlands is capableof capitalizing on the economic and social opportunities ofdigitalisation in a secure way and of protecting nationalsecurity in the digital domain.

1. The Netherlands has adequate digital capabilities todetect, mitigate and respond decisively to cyberthreats

2. The Netherlands contributes to international peaceand security in the digital domain

3. The Netherlands is at the forefront of digitally securehardware and software

4. The Netherlands has resilient digital processes and arobust infrastructure

5. The Netherlands has successful barriers againstcybercrime

6. The Netherlands leads the way in the field ofcybersecurity knowledge development

7. The Netherlands has an integrated and strong public-private approach to cybersecurity

Cyber security the foundation for economic opportunities and social values in the digital domain


The Netherlands is one of the most digitalized countriesin the world. This offers us outstanding conditions to bean international leader in securely, freely and quicklyadopting and using new technologies. These newtechnologies play an increasingly significant role in ourdaily lives. One example is e-commerce, others includedigital communication with our doctor, school and thepublic authorities. Moreover, far-reaching digitalisationin care (e-health), mobility (e-automotive), the growth ininternet-connected devices and appliances (Internet ofThings), key technologies such as big data, 5G, quantumcomputers and artificial intelligence ensures that thedigital domain and the physical domain are becomingmore closely interwoven. These developments also raiseethical questions in regard to privacy and dealing withdata. Protecting values and fundamental rights in thedigital domain is also an important component ofcybersecurity. Citizens must be able to count on the facttheir fundamental rights are assured both online andoffline and that their privacy is also being guaranteed inthe digital domain.

These technological and social developments have alsoled to an increase in the vulnerabilities in the digitaldomain, a trend that is expected to continue in comingyears. It is precisely because every aspect of society –social and economic – increasingly depends on digitalprocesses that digital attacks can directly damage oureconomy and threaten national security. After all, socialprocesses are easier to disrupt on a large scale. Theincreased vulnerability is apparent from the successiveCyber Security Assessments Netherlands, in which Dutchintelligence and security services, the National

Coordinator for Security and Counterterrorism (NCTV),the National Cyber Security Center (NCSC) and the policeindicate a worrying increase in digital threats. Moreover,resilience is lagging behind the development of thethreat. This situation requires additional efforts frompublic authorities, the business community and citizensto protect Dutch interests and to strengthen the Dutchapproach to cybersecurity in the interests of nationalsecurity.

At the same time, cybersecurity as a business sector alsoprovides economic and social opportunities: a strongDutch cybersecurity sector stimulates the developmentof knowledge, the labour market and employmentopportunities and contributes to the Netherlands’international profile in the economic, military andsecurity fields. Moreover, a strong Dutch cybersecuritysector contributes towards digital autonomy: publicauthorities and the business community can rely on theirown solutions for digital security and they also fosterdigital security in the broadest sense by acquiringcybersecurity services for their own processes. Thisincentive also fosters the export of Dutch values such asan open, free and secure internet. In this way, theNetherlands also improves its position internationally asa known and recognized collaboration partner andcybersecurity authority.

8 | National Cyber Security Agenda A cyber secure Netherlands

These seven ambitions have been elaborated intoobjectives and measures that will be implemented inclose public-private cooperation. To ensure this, acybersecurity alliance will be formed betweengovernment bodies and businesses in which they willcommit to jointly strengthening the Dutch approach tocybersecurity.

Definition of cybersecurityCybersecurity is the entirety of measures to preventdamage caused by disruption, failure or misuse ofICT and to recover should damage occur.


Digital sabotage or disruption can directly lead todamage to national security. The greatest threat in thedigital field comes from criminals and state actors.Digitalisation has permeated into all levels of Dutchsociety and the economy. Consequently, our society hasbecome fully dependent on digital resources. Theundisturbed functioning of these resources is essentialto vital processes in business and government, theearning power of companies and the daily lives ofcitizens. Incidents in recent years have made it clearthat digital attacks can have a major impact on societyand can lead to damage to physical and nationalsecurity. The threat from professional criminals isgrowing and continues to develop. Successful criminalrevenue models, such as ransomware continue todevelop and are being expanded. The almost cost-freescalability of digital attacks is of particular interest tocriminals.

It is not only consumers who fall victim. Businesses andfinancial institutions are also targets for criminals. Morecomplex methods of attack are becoming more widelyavailable due to developments such as cybercrime as aservice. As a result of this, more and more actors withlimited knowledge and resources can carry out attacksthat in some cases have direct social impact.

State actors are structurally targeting Dutchgovernment agencies and companies in theNetherlands for digital espionage.For instance,multinationals and research institutes in the de energy,

hightech, and chemical sectors have been victims ofdigital espionage. In these digital break-ins, terabytes ofconfidential information was stolen which represents asubstantial economic value. State actors focus on digitaleconomic and political espionage and on makingpreparations for digital sabotage. Not only are thenumber of countries that are developing digital attackcapabilities increasing, the attacks that are carried outare also becoming increasingly complex. In addition, lastyear state actors also focused on digitally influencingdemocratic processes for geopolitical gain. To safeguardgeopolitical interests, nations are investing in civilianand military cyber capabilities.


THE SCOPE OF CYBERSECURITY: A CYBER SECURENETHERLANDSThe Minister of Justice and Security is the coordinatingMinister for cybersecurity and coordinates theimplementation of the NCSA. Within the framework allparties have their own tasks and responsibilities.However, also in the digital domain a 100% security isnot realistic. This broad Dutch approach to cybersecurityis implemented as part of protecting national security,which is coordinated by the NCTV.

POLICY RESPONSIBILITIES IN THE DIGITAL DOMAINThe cybersecurity policy field focuses on preventingdamage caused by disruption, failure and misuse of ICT.Various policy issues are related to this; responsibility foraddressing them lies with other ministers. This concernsin particular the Ministry of the Interior and KingdomRelations (BZK) because of the responsibility for digitalgovernment and the General Intelligence and SecurityService (AIVD), the Ministry of Economic Affairs andClimate Policy (EZK) in connection with digitalisation, theMinistry of Foreign Affairs (BZ) because of thecoordinating role in international peace and security andfinally the Ministry of Defence (Def) in relation to theconstitutional duties of the armed forces in the digitaldomain. The NCSA is closely related to the followingstrategic documents: The Digitalisation Strategy(Digitaliseringsstrategieunder development), the BroadAgenda for Digital Government Brede Agenda DigitaleOverheidunder development), the Defence Memorandum(Defensienota) and the Integrated Foreign and SecurityStrategy (Geïntegreerde Buitenland- en Veiligheidsstrategie)and the International Cyber Strategy and DefenceStrategy (Internationale Cyberstrategie en DefensieCyberstrategieunder development).

Espionage, sabotage and professional crime threats in the digital domain

Example: Cybercrime as a service and ransomwareCybercriminals do not by any means perform allsteps in an attack themselves. They often buyservices and expertise. An example of this isransomware: a type of malicious software thatblocks systems and/or the information they containand only makes them accessible again againstpayment of a ransom. If a criminal wants todistribute ransomware they pay someone todevelop it, for instance, and someone else todistribute the ransomware by email to millions ofaddressees. These services are provided veryprofessionally and completely: from technicalresources to infrastructure and helpdeskfunctionality.

From National Cyber Security Strategy 2011 toNational Cyber Security Agenda 2018The NCSA builds further upon the effects that wererealised with previous the National Cyber SecurityStrategies from 2011 and 2013. The vision from thesestrategies is still leading: ‘The Netherlands, together withher international partners, is committed to a secure and opencyber domain in which the opportunities offered to oursociety by digitalisation are fully exploited, threats aremitigated, and fundamental rights and values are protected.’The agenda indicates a joint course which clarifieswhat government bodies and private parties canfocus their (joint) activities on. The NCSA reviewsvarious measures in conjunction, links them inguiding objectives and in doing so reinforces theirimpact.


An effective approach to cybersecurity also takes thedynamics that are specific to the digital domain intoaccount. This requires strategic principles fordetermining ambitions and measures.

CYBERSECURITY IS AN INTEGRAL PART OF NATIONALSECURITYCybersecurity is inextricably linked to national securityand the smooth functioning of society. As a result ofdigitalisation, society has become vulnerable todisruptions from digital attacks. Because of theconnectivity of the digital society, simple digital attackscan quickly disrupt digital processes. A basic level ofcybersecurity is needed to increase resilience againstthese kind of attacks. Citizens, businesses and publicauthorities must endeavour to improve their digitalsecurity and the government must also be able to fulfilits protective duty in the digital domain. Capabilitiesand resources to address threats should be in order.Finally, national security and cybersecurity should be abasic consideration in the further development of thegovernment’s digital processes. This means that thegovernment will develop cybersecurity requirements forprocuring its own ICT resources. These requirementswill also include economic security considerations toimprove resilience against state actors.

PUBLIC-PRIVATE COOPERATION IS THE BASISSecurity in the digital domain can only be shaped incooperation with, and to a significant extent by, thebusiness community. Public-private cooperationtherefore forms the basis for the Dutch approach tocybersecurity. Current practice in this cooperationshows that there is a need for a clear division ofresponsibilities in the digital domain. Thoseresponsibilities will, in part, be based on existing lawsand regulations on security, assurances of supply andmarket organisation. However, new issues will also arisewhere the responsibilities between public authorities,the business community and citizens will have to beestablished (or re-established). This is why this Agendafavours an integrated approach to cybersecurity, whichrequires joint efforts from the business community,social organisations and the various governmentbodies.

GOVERNMENT REPRESENTS PUBLIC INTERESTS,STIMULATES ACCEPTANCE OF OWNRESPONSIBILITIES AND SETS A GOOD EXAMPLEA key task of the government is to take the lead in thecommitment to a secure and stable Netherlands byrecognizing threats to vital interests and increasing theresilience of those interests. This means that thegovernment ensures an appropriate approach to andpreparations for crises and incidents that threatensocial continuity, even though 100% security is notpossible in the digital domain either. Approximately80% of the critical infrastructure is in private hands. Thegovernment therefore encourages the businesscommunity and citizens to shape their ownresponsibilities in the best possible way. Wherenecessary, stimuli will be provided or frameworks willbe set up to create the preconditions for securebehaviour in the digital domain. The open nature of theinternet can lead to widespread vulnerabilities. Wherethe misuse of products, services or processes puts thecontinuity of society at risk, the government sets specialrequirements for producers, purchasers, consumers andservice providers. Finally, the government, as a publicbody, is obliged to have the cybersecurity of its ownprocesses in order and thereby, as a launchingcustomer, also sets a good example.

KNOWLEDGE DEVELOPMENT AND INFORMATIONSHARING ARE CRUCIALKnowledge is crucial to cybersecurity: sharing theavailable knowledge and promoting information sharingby the public and private sector is needed to strengthencybersecurity and resilience across the board. In addition,it is necessary to (continue to) stimulate bothfundamental and applied research into cybersecurity, todevelop the Dutch cybersecurity knowledge position.Having our own high-quality scientific knowledge andapplications will contribute to the digital autonomy ofthe Netherlands and/or Europe.

MAINSTREAMING OF CYBERSECURITY IS APRECONDITIONDigitalisation permeates through to all facets of society.Cybersecurity forms the basis for successfulentrepreneurship, administration and participation in


Cyber attacks impact on our society. For example,citizens have to contend with the consequences ofidentity theft or the loss of personal photos due to aransomware infection. Such attacks have the potentialto undermine trust in the digital society. Cyber attacks bycriminals or state actors can undermine the Dutcheconomy through theft of sensitive or valuableinformation and thereby damage confidence ineconomic activity.

Example: NotPetyaThe NotPetya case is an example of a digital attackwith considerable consequences for Dutchbusinesses. In June 2017, organisations across theglobe fell victim to a ransomware attack. In theNetherlands, this ransomware affected the businessoperations of APM’s container terminal and TNT’sparcel deliveries, among others. Containerprocessing at APM was halted for several days andTNT’s deliveries were also delayed as a result of theattack. Although the Ukraine seemed to be theprimary target of this attack, there were significantconsequences for Dutch businesses.

Strategic principles

A cyber secure Netherlands National Cyber Security Agenda | 1514 | National Cyber Security Agenda A cyber secure Netherlands

society. There is a need for public authorities andbusinesses to be better able to or enabled to organisetheir digital security and make that digital security part oftheir daily processes, products and services (themainstreaming of cyber security). Citizens and/or endusers also have a responsibility in safeguarding their owndigital security: a basic level of cyber ecurity should bepart of secure behaviour in everyday life.

THE DIGITAL DOMAIN HAS NO NATIONAL BORDERSThe digital domain is, by definition, not confined bynational borders. A Dutch approach to cybersecuritymust take the international dimension of data,connections, internet governance and actors who carryout digital attacks into account. This is why a moresecure digital domain is one of the Netherlands’priorities at the EU and NATO level. After all, an alliancethat can also fulfil its collective defence duties in thedigital domain makes a direct and essential contributionto the national (digital) security of the member states. Inaddition, it will only be possible to achieve some of theobjectives of the NCSA through international legislation,the formation of coalitions or the internationaldevelopment of norms and standards, at European levelin particular. The cross-border nature of threats creates aneed to commit strongly to international cooperation.The National Cyber Security Agenda, in combination withthe Integrated Foreign and Security Strategy(Geïntegreerde Buitenland- en Veiligheidsstrategie) and theDefence Memorandum (Defensienota) provide guidancefor the further development of Dutch efforts ininternational forums. On the one hand, this applies tothose effects and results that can only be achieved atinternational level and on the other hand theinternational developments will also have to be takeninto account in the effective shaping of Dutch policy. Keyexamples are European developments in the field ofcertification, developing standards and stimulating theEuropean Digital Single Market, of which cybersecurity isa part. The Netherlands continues to play its role ofinternet pioneer in topics such as the fragility of opensource software.

TENSION BETWEEN INTEREST REQUIRE CAREFULCONSIDERATIONFar-reaching digitalisation often puts pressure on thebalance between the core values of security, freedomand economic growth. The Netherlands is committed toclear consideration of the interests in making (policy)choices and tries to be transparent when doing so. In the

wider social and political debates about digitalisation,cybersecurity cannot be approached in isolation butmust expressly be considered in conjunction with topicssuch as fundamental rights and values and social growth.Clear and transparent consideration of the tensionbetween interest results in better decision-making.


The Dutch approach to cybersecurity has the followingobjective:The Netherlands is capable of capitalizing on the economicand social opportunities of digitalisation in a secure way andof protecting national security in the digital domain.

We are therefore committed to the following ambitions:1. The Netherlands has adequate digital capabilities to

detect, mitigate and respond decisively to cyberthreats

2. The Netherlands contributes to international peaceand security in the digital domain

3. The Netherlands is at the forefront of digitally securehardware and software

4. The Netherlands has resilient digital processes and arobust infrastructure

5. The Netherlands has successful barriers againstcybercrime

6. The Netherlands leads the way in the field ofcybersecurity knowledge development

7. The Netherlands has an integrated and strong public-private approach to cybersecurity

The impact of technological and social developmentsand the digital threat are developing at different speedsand this requires a dynamic, long-term approach tocybersecurity. Many of these measures require agovernment contribution. Some other measures canonly be taken with or by the market parties. Thisrequires close cooperation in the development of theNCSA. The measures are not exhaustive. There is scopefor additions. This leads to a dynamic approach that canbe adjusted to match the development of the threat. Itis also why the annual Cyber Security AssessmentNetherlands will consider if this approach needs to berecalibrated and if policy instruments contribute to therealisation of the ambitions. The Agenda will beevaluated in 2021 and revised where necessary.

Coalition agreement An ambitious cybersecurity agenda will beformulated with, among other things, standards forinternet of Things devices, software liability,strengthening the NCSC, promoting cybersecurityresearch and improving information campaigns.

Ninety-five million euros of structural funding isbeing reserved for cybersecurity. The resources willbe used for, among other things, improving staffcapacity and expanding ICT facilities and will beshared by the departments of Justice and Security(NCTV), Defence (MIVD), Interior and KingdomRelations (AIVD), Foreign Affairs, Infrastructure andthe Environment and Economic Affairs.

The structural intensification of cybersecurity hasbeen integrated into the measures in this NCSA.

The National Cyber Security Agenda

The Netherlands is capable ofcapitalizing on the economic and social opportunities ofdigitalisation in a secure way and of protecting national interests in the digital domain

1. The Netherlands hasadequate digitalcapabilities to detect,mitigate and responddecisively to cyberthreats


To respond effectively to the growing digital threat,government bodies and private organisations in theNetherlands must cooperate and have appropriatecapacities and resources. A number of theseorganisations are still developing those capacities andthey are at various levels of maturity. While some (larger)businesses and organisations are arranging their ownsecurity operations center or computer crisis team, other(smaller) businesses or organisations are only just or notsufficiently aware of digital risks. Protection of their owndigital systems and information by these public andprivate parties is not yet a given and basic securityregulations have not yet been implemented .

Sufficient capabilities also include the capacity of securityorganisations which must be able to carry out their tasksfor national security in the digital as well as the physicaldomains. This is closely tied-in with the offensivecapabilities of Defence, which are covered underAmbition 2.

There is an urgent need to build up capabilities, for more

and better tailor-made information about digital threats,which is available to government bodies and privateorganisations more swiftly and for perspective for actionfor mitigating those threats. The exchange ofinformation between organisations and businesses inthe Netherlands has improved greatly in recent years as aresult of cooperation on incidents or because partieshave come to know each other and started trusting eachother. Although this is a step in the right direction, it stilldoes not provide sufficient guarantees that we canaddress digital threats now and in the future. The nextstep is to structurally guarantee the exchange ofinformation and existing cooperation while at the sametime expand the range, for instance by promoting cross-sector analyses. There is a need to improve the detectionand response capabilities of government organisationsand providers of critical services. By doing so, we willincrease the digital capabilities of these parties as awhole. We must adopt a practice in which customers andsuppliers encourage each other to arrange their digitalsecurity. In this way, we will work towards a cyberecosystem in which all parties build up capacities and

The Netherlands has adequatedigital capabilities to detect,mitigate and respond decisively to cyber threats


share information; from the business community topublic authorities and from individual citizens tocybersecurity professionals.

OBJECTIVES• Public authorities and businesses are capable of

responding appropriately to digital threats andattacks. To do this, they implement the necessary(preventative) measures and they have the basics inorder.

• The Netherlands is prepared for large-scale cyberincidents which pose a threat to national security.

• Organisations of vital importance to national securityhave a better understanding of digital threats andattacks and are capable of detecting attacks thatthreaten themselves and national security.

• A nationwide network of cybersecurity partnershipswill be created within which information aboutcybersecurity can be shared between public andprivate parties more widely, efficiently and effectively.The aim of this nationwide network is to strengthenthe capabilities of public and private parties.

• The legal instruments for effective action in the digitaldomain remain in order and are kept up to date inlight of the threat and technological developments.

MEASURESo The incident response capabilities of, amongst others,

the intelligence and security services, DefenceComputer Emergency Response Team (CERT), theNational Cyber Security Center (NCSC) andRijkswaterstaat (Directorate-General for Public Worksand Water Management) are being enhanced to beable to deal with ICT breaches that threaten nationalsecurity. In addition, the creation of more privatesector-wide computer crisis teams, such as Z-CERT(for the care sector) and I-CERT (for the insurancesector) is encouraged.

o The critical processes in our society demand extraprotection and accelerated recovery in the event offailure or damage. It is therefore important that theseorganisations ensure that they have an appropriateresponse capacity or that they have agreement inplace for this with a trusted third party. To this end,the development of a certification system forcybersecurity service providers, from whom secure

services can be acquired, will be explored with privateparties.1

o The Netherlands must be prepared for large-scalecyber incidents that threaten national security. TheNational Crisis Plan for ICT (Nationaal Crisisplan ICT) willbe being updated. In addition, an integrated ICTemergency exercise policy will be formulated. It willinclude arrangements between government bodiesand private organisations on a joint exercise agendaand the available capabilities of the parties involvedfor this.

o The capabilities of the intelligence and securityservices, DefCERT and the NCSC to gain insight intothreats and digital attacks, to detect them, disruptthem and increase resilience will be improvedstructurally. To ensure this, the government hasallocated additional funding in recent years and in thecoalition agreement. The National Detection Network[Nationaal Detectie Netwerk, NDN] will be furtherenhanced to create a future proof network.

o Situational awareness at the national level will beenhanced by the creation of a cooperation platform2

with the goal to offer more information and a swifterperspective for action with relevant organisationswithin the legal frameworks. When doing so,attention should also be paid to cybersecurityrequirements. Recipients need to have a certain levelof maturity to enable information sharing.

o Under NCTV coordination, round table discussions areorganised in which the nationwide network ofcybersecurity partnerships can be developed. This willbuild on the experiences from existing public andprivate cybersecurity partnerships.

o The National Cyber Security Center (NCSC) and theDigital Trust Centre3 (DTC) will encourage – andsupport where necessary – the creation and furtherdevelopment of cybersecurity partnerships for publicauthorities, the business community and civil societyorganisations. This will also include the creation of aset of basic security measures for the businesscommunity and civil society organisations.

o Legislation aimed at protecting national security willbe reviewed to what extent it provides satisfactorypossibilities to promote security in the digital domain,whilst retaining fundamental values and privacy.

1 Please also see the objectives and measures on pages 27-28.

2 The possibilities for developing this cooperation platform, with which parties and the form it should take will be explored further.

3 Letter to Parliament ‘Setting up the Digital Trust Centre’, 23 September 2017.


More and more frequently, state actors employ digitalresources for espionage, influencing and sabotageobjectives as an integral part of their range of instrumentsto exert power, or in concrete conflict situations. Therehas also been an increase in the number of countries thatare building offensive, military cyber capabilities. Thisthreat has grown significantly in recent years and is aserious threat to international security.

At an international level, there are strong divisionsbetween various countries in the approach to the cyberdomain. There are differences of opinion on theapplication of international law, norms of behaviour incyberspace and the dependence on and access to digitalresources. Moreover, the decentralised nature of theinternet and the opportunities the internet provides foranonymous action impede the enforcement andsupervision of agreements that have been made. Due inpart to the fact that attribution is difficult in the cyberdomain, such cyber operations can pose a threat tointernational legal order. The Netherlands should alsohave its own capabilities and instruments to be able toresolutely avert digital attacks on our national interestsand – in extremis – to retaliate proportionately.

OBJECTIVES• The Netherlands promotes the international legal

order in the digital domain, including safeguardinghuman rights.

• The Netherlands is able to respond immediately andappropriately, alone or as part of a coalition, to digitalattacks by state actors and has offensive capabilitiesthat contribute to deterrence.

• The Netherlands contributes to the mitigation of cyberthreats from criminals and state actors, by investing in

the development of capabilities of the globalcybersecurity chain.

MEASURESo The Netherlands will bolster the application of

international law in cyberspace, promote additionalnorms and build trust between states and otherparties. The Netherlands continues to build andbroaden the international coalition which subscribes tothe vision of an open, free and secure internet. TheNetherlands will do this by promoting the furtherinterpretation and application of international law inthe digital domain, for instance in the field of humanrights, humanitarian law and the framework forcombating cybercrime, and for the protectiontelecommunications and critical infrastructure. Inaddition, confidence building measures betweenstates and the further development of norms will beencouraged. The Global Commission on the Stability ofCyberspace has already made an importantcontribution to this.

o The Netherlands will develop a broad strategicframework for responding to digital attacks. It willinclude all available instruments, including (public)attribution, deterrence, use of offensive capabilitiesand a broader response in the cyber domain. To thisend, the Netherlands will strengthen the diplomaticand political response to disruptive or destructivecyber operations by state actors. The framework willbe followed with a suitable range of instruments for adiplomatic response. This ties in with the cyberdiplomacy network and the toolbox for diplomaticaction in the event of cyber incidents developed by theEuropean Union. The Netherlands played a leadingrole in this.

The Netherlands contributes tointernational peace and security in the digital domain

2. International peaceand security in thedigital domain


o To deter (potential) adversaries, the Netherlands willfurther enhance the offensive cyber capabilities of itsarmed forces. In doing so, we contribute to thedevelopment and operationalisation of the capabilityto act in the digital domain at EU and NATO level. Thiswill also serve to support military missions andoperations in the physical domain.

o The Netherlands makes a significant contribution to afree, open and secure internet and promotes adequateprotection of human rights online, for instancethrough the development of norms. This will, in part,be shaped by the further development of the FreedomOnline Coalition.

o The Netherlands strengthens the global cybersecuritychain by improving the security level of third countriesand by reducing the digital divide betweentechnologically advanced countries and those lessadvanced. Strategic capacity building projects arefacilitated through the Global Forum on CyberExpertise (GFCE) and the international multi-stakeholder coalition for an open, free and secureinternet will be expanded.


As a result of the introduction and continuousdevelopment of the Internet of Things, more and moredevices are connected to the internet. Some 20.4 billiondevices are expected to be connected in 2020. At least63% of them will be consumer devices.4 The remaining37% are devices used by businesses and for which theimpact in case of disruption or misuse (on businesses’own processes, but also further along the chain) ispotentially much greater than in case of private use.

It is important that everyone is able to use theseproducts with confidence in a digitally secure manner,not only for their own digital security, but for that ofsociety as a whole. Malicious parties can easily gainaccess through vulnerabilities in hardware and softwarein a device, and through this device to the network it ispart of.

Users and providers of digital products often do not orbarely consider the potential harmful effects of theiractions on others. This can have serious consequences,such as the misuse of the device for DDoS attacks,manipulation of the device or the theft of storedinformation.

Digital security of hardware and software is not ensuredby default. Hardware and software providers do notalways resolve the security risks that are associated withtheir processes and production. Users have hardly anymeans of making a reliable assessment of the digitalsecurity level of a device that is connected to the internet- and even if they do have the knowledge, it is stilldifficult to make an assessment. For instance, it isdifficult for users to assess the long-term impact of theirdecisions. Very often, specialist knowledge is needed tofully understand the digital security of a device. Userstherefore need to be empowered. This is done by

providing instruments, aimed at the behaviour of users,to make an estimation of the digital security of hardwareand software. Research into the effectiveness ofinformation campaigns on secure user behaviour playsan important role in this regard.

OBJECTIVESA cohesive set of measures is needed to encourage andenhance the digital security of hardware and software ina balanced way, and for which various parties have aresponsibility. This why the Netherlands will implementand further develop the Roadmap for Digitally SecureHardware and Software (Roadmap Digitaal Veilige Hard-en Software).5 The following objectives apply here:• The Netherlands will encourage standardisation and

certification initiatives and by strengtheningsupervision and enforcement, in order to preventdigital security risks in hardware and software.

• The Netherlands will work to improve the detection ofdigital security risks by testing digital products andmaking the digital security risks clear.

• The Netherlands will work on mitigating of digitalsecurity risks through a liability regime, and byincreasing awareness and by offering a perspective foraction for citizens and businesses.

• The Netherlands will strive to for the realisation of aset of basic principles to foster the digital security ofhardware and software.

MEASURES o Standards and certification make an important

contribution to the digital security of hardware andsoftware.

o In the negotiations in Brussels, the Netherlands willadvocate the quick adoption of the Cyber Security Act(CSA), and the expeditious development of aEuropean framework for security certification for ICT

4 https://www.gartner.com/newsroom/id/3598917.

5 Roadmap Digitaal Veilige Hard- en Software [Roadmap for Digitally Secure Hardware and Software Roadmap], Ministry of Economic Affairs and Climate Policy, 2018.

The Netherlands is at the forefront of digitally secure hardware and software

3. Digitally securehardware and software


o Awareness and empowerment make an importantcontribution to the digital security of hardware andsoftware because, among other things, as a resultproviders can take digital vulnerabilities into accountand users are aware of the possible risks. As part ofthe cybersecurity awareness campaigns byveiliginternetten.nl, the government will launch oneor more policy-supporting public campaigns fordigitally secure hardware and software.


products and services. In the short term, thegovernment will advocate the adoption ofmandatory certification for specific product groups.That is, for products where the risk is greatest orproducts that have many problems in practice. In thelong term, there must be a gradual expansion ofmandatory certification or compliance with a CEmark for all internet-connected products should beimplemented.

o In addition, the Netherlands will encourage theadoption of international standards, partnershipsand frameworks. The Netherlands wants toproactively join relevant European and globalstandardisation and certification initiatives throughthe NEN standardisation platform. The Netherlandsis also going pursue multilateral cooperation onstandardisation for the Internet of Things, amongstothers through the Global Forum on Cyber Expertise(GFCE).

o Together with public and private parties, thegovernment will develop a monitoring system withinformation about the digital security of digitalproducts, with specific attention to Internet of Thingsdevices. The government will include internationalexperiences in this.

o The government will enter into discussions withinternet access providers about how they willcontribute to combating insecure Internet of Thingsdevices – analogues to the successful approach tobotnets. Product testing is crucial to gain assuranceson the digital security of devices. Based on use casesfrom various sectors, a pilot will be launched to gainknowledge and understanding on what a sharedtesting platform can offer.

o The development and commercialisation ofinnovative solutions can make an importantcontribution to making hardware and softwaredigitally secure. Through the National Cyber SecurityResearch Agenda III (NCSRA III), which is due to bepublished in 2018, the Netherlands will pursue thedevelopment of cybersecurity research aimed at thedevelopment and commercialisation of innovativesolutions. In addition, various research tenders that

contribute to new, innovative, digitally securehardware and software are ongoing as a result ofapplication of the Small Business InnovationResearch (SBIR)6. Furthermore, the governmentencourages open-source encryption by makingadditional resources available for this within theframework of NCSRA III. Finally, the government willorganise dialogue sessions on innovative solutions tokeep hardware and software secure or whether somesolutions should be discontinued. This also refers toobjectives under Ambition 5.

o Liability is an important financial incentive forsuppliers to make and keep their hardware andsoftware secure. The government is discussing focusareas, areas of improvement and potential solutionsfor liability with regard to digitally insecure hardwareand software with stakeholders and academics. Inaddition, the Netherlands is actively participating inthe liability and new technologies experts group andinvolves the contribution of Dutch stakeholders inthis process. Furthermore, in the negotiations on theProposal for a Directive on Digital Content andDigital Services, the Netherlands proposes to includean obligation to make security updates mandatory inall cases involving software supplied to a consumer.

o Setting minimum security requirements can keepinsecure products off the market. The governmentwill investigate which minimum requirements couldbe set for devices through the European RadioEquipment Directive.7

o The government will investigate what additionalmeasures are needed and desirable for the digitalsecurity of hardware and software when procured bycentral government.

o Supervision and enforcement encourages suppliersto comply with laws and regulations. Thegovernment will organise a national dialogue sessionfor supervisory bodies to see what role they can playin the near future to promote the digital security ofhardware and software, to create synergy betweenthe various activities of the supervisory bodies and toexamine how cooperation between supervisorybodies can be improved.

6 SBIR benut de creativiteit van ondernemers om maatschappelijke problemen op te lossen en daagt ondernemers uit om nieuwe producten te ontwikkelen en op de

markt te brengen, zie https://www.rvo.nl/subsidies-regelingen/sbir.

7 Kamerstuk 26643, nr. 467 en Kamerstuk 24095, nr. 415.


ICT is becoming increasingly interwoven with Dutchsociety. One of the consequence of this is that theoperations of businesses and public authorities arebecoming increasingly data-driven through intelligentapplications. Organisations are often no longer capableof carrying out all of the tasks themselves. They operatein chains. They depend on other organisations for,among other things, supplying the data or for carryingout or supporting their data processing. This is notwithout risk. Business processes can be disrupted if datais not exchanged with other organisations in a secureand reliable manner. When this occurs in the chains ofproviders of critical processes, it can lead to majorsystem failure, damage to physical security and societaldisruption. Problems could arise with the physicalinfrastructure or with the protocols and the software fordata exchange. Finally, the parties that provide dataprocessing services may cease to exist or fall short.

Due to the importance of the availability (or continuity) ofdata communications networks, specific requirementsare set for the providers of such networks, amongstothers through the Telecommunications Act[Telecommunicatiewet] and the proposed legislation forthe Cybersecurity Act [Cybersecuritywet, CSW].8 Theirobjective is that such providers make their systemsresilient to various threats and incidents, including thosethat could lead to failure of the physical infrastructure.The CSA also creates the obligation to implement suitabletechnical and organisational measures for all providers ofan essential service and digital service providers.Implementation of this will be overseen by the sectoral

supervisory bodies. This will further increase the securitylevel of providers and create the possibility to take firmaction against vulnerable (not appropriately protected)information systems. The CSW replaces and adds to theDutch Data Processing and Cybersecurity NotificationObligation Act [Wet gegevensverwerking en meldplichtcybersecurity, WGMC] already in effect, which amongother things stipulates that the NCSC is tasked withproviding advice on cybersecurity to central governmentand providers of critical services. This Act also providesthe opportunity to inform a relevant Minister in thosecases where a government body or provider of criticalservices does not deal with the recommendations fromthe NCSC adequately. The Dutch government expects allorganisations to be able to respond appropriately whenthe continuity of their services is at risk. It is alsoimportant that outdated software and hardware isreplaced in good time (legacy issues).

To ensure effective and unhindered data exchange, thesoftware and protocols for worldwide exchange of dataalso require attention and maintenance. This ofteninvolves what is known as open source software which isusually developed by communities of volunteers. As aresult, they often lack the capabilities or resources formaintenance and/or professional review of the quality ofthe software. Other software developers also use opensource software as building blocks for their work, furtherincreasing the dependence on this software.The quality of paid software and the security of hardwarecomponents is equally important to the effective andunhindered exchange of data. This is addressed in

8 The Cybersecurity Act stems from the EU Directive on Security of Network and Information Systems (NIS Directive) and was submitted to the House of Representatives in

February 2018.

The Netherlands has resilient digital processes and a robustinfrastructure

4.Resilient digitalprocesses and a robust infrastructure


o Together with private parties the development of acertification system for cybersecurity providers will beexplored so that public authorities and private partiesknow who they can acquire secure services from.


Ambition 3. Some popular protocols for data exchangevia the internet are decades old and are no longerresistant to contemporary attacks. Improved versions ofold internet standards (such as IPv6, or HTTPS) are beingadopted very slowly and as a result the drawbacks of theold versions (IPv4 and HTTP) will continue to be an issuefor some time.

Businesses and public authorities depend on otherorganisations for their data processing, including cloudproviders and their customers, public authorities whomake open data available and certificate providers whoguarantee the integrity of data exchange. The Dutchgovernment aims to make important (chain)interdependencies between organisations transparentbut realises that it is not feasible to have a full grasp ofthese at all times. The Dutch government is thereforecalling for all organisations to be able to respondappropriately when the continuity of their services is atrisk. The Digital Trust Center, currently in development,aims to help parties in this regard by raising awarenessand offering perspectives for action. The center will dothis in consultation with the NCSC and various otherparties, including small and medium businesses. Whereorganisations want to use the services of cybersecurityservice providers, it is important that also they deal withcomputer networks and sensitive information in aprofessional manner and with integrity. Many Dutchorganisation are dependent on a limited number offoreign digital infrastructure service providers, whichmeans that the impact of disruption is severe.

Example: HeartbleedHeartbleed was a vulnerability in the OpenSSLprogramming library, which was discovered in 2014.At the time, the vulnerability had already beenpresent in this commonly used software for twoyears. Many web servers, VPN servers, mail serversand other applications use OpenSSL to establishsecure connections. Other devices can also useOpenSSL. Examples include appliances, routers, WiFiaccess points and some applications on client systems.By exploiting Heartbleed, attackers could read theinternal memory of systems remotely. This exampleunderlines the fact that a vulnerability in open sourcesoftware can have major consequences for thecybersecurity of the business community, publicauthorities and citizens.

OBJECTIVES• All relevant parties will be involved in ensuring the

continuity and digital resilience of critical processeswhich increases the resilience of the entire chain.

• The Netherlands aims to improve the quality of opensource software and the accelerated adoption ofmodern internet protocols and internet standards.

• The Dutch government promotes an innovativecybersecurity climate in which secure ICT productsand services are developed and adopted.

MEASURESo In addition to existing obligations for

telecommunications providers under theTelecommunications Act, the proposal for theCybersecurity Act greatly increases the number ofproviders of critical services subject to duty of carerequirements and an obligation for notification.Sectoral supervisory bodies will supervisecybersecurity in sectors in critical infrastructure, whichwas not done up to now, and they will be given theinstruments to do so.

o In addition to the above, these supervisory bodies,together with the responsible ministries, will developa method for identifying dependency relationships ofproviders of critical services for their own data-drivenoperating processes.

o Research will be conducted into whether additional(European or international) measures are needed tomitigate the impact of disruption of the services of alimited number of foreign providers of digitalinfrastructure upon which many Dutch organisationsdepend.

o Open source software fulfils a central role in theexchange of data between organisations. The Ministryof Economic Affairs and Climate Policy, in closecooperation with the NCSC, will review how thecommunities that develop and maintain open sourcesoftware can be supported to improve the quality ofthe software.

o The government ensures that suppliers incorporatemodern internet protocols and internet standards intheir products and services, in part through agenda-setting in Europe.

o The government, as a launching customer, usescybersecurity requirements when procuring ICTproducts and services and strongly advices providersof critical services on this matter.


EXAMINATION OF THE PROBLEMCriminals pursue their activities on a large scale via theInternet: one in nine people were victim of cybercrime in2017. The term cybercrime covers a broad range ofcriminal actions, from classic crime in digital form to newcrime. This involves, for instance, hacking computers totransfer money to criminal bank accounts or turning oncameras and microphones undetected to be able to spyon people in their own surroundings. Professionalcriminals primarily target private organisations andcitizens to steal data which can then be sold-on orpublished.

Threats to national security within the framework ofcybersecurity are often criminal acts targeting digitalinfrastructure and the devices connected to it. Theapproach to these crimes primarily focuses on newcrime, or cybercrime in a strict sense. The approach tocybercrime focuses on the prevention and combating ofcrimes and on limiting the number of victims,perpetrators and recidivism rates. This concerns bothhightech crime and common crime. Digital investigationis also important in more classical crimes in which theinternet is a tool, such as the drugs trade and fraud.These types of crime are outside the scope of thisstrategy.

The efforts to strengthen cybersecurity and tacklecybercrime are implemented in conjunction with eachother, and nowhere more explicitly so than in the field ofpreventive measures.

Secure hardware and software is an important barrier inthe prevention of digital threats. When this hardwareand software is exploited because of vulnerabilities, itencourages cybercrime. Security of this software and

hardware is extremely important and this will have to bedeveloped together with the providers of hardware andsoftware. This is set out in greater detail in Ambition 3 ofthe NCSA. This applies in equal measure to the secureuse of hardware and software by citizens andbusinesses. This is also set out in Ambition 6.

In addition to this, the National High Tech Crime Unit(Dutch National Police) and the Public ProsecutionService's National Unit have gained considerableexperience in countering advanced threats to nationalsecurity in recent years. The knowledge and expertisethey have gained will be used in the approach tocybercrime. Cybercriminals keep on developing theirmethods. The powers of the Police and the Ministry ofJustice must keep in step.

OBJECTIVES• There are effective barriers that resist cybercriminals.• The efforts to strengthen cybersecurity and tackle

cybercrime are implemented in conjunction with eachother. Cooperation between public authorities andthe business community, citizens and civil societyorganisations is extremely important in this respect.

• For cybersecurity, it is important that investigativepowers keep step with the developments in theworking methods of cybercriminals so that threats tonational security can be addressed.

MEASURESo Following acceptance by the Dutch Senate, Computer

Crime Act III will be implemented expeditiously. Thiswill strengthen the Police and the Ministry of Justice'scapabilities to investigate digital attacks by criminals,on critical sectors for instance. The Act will beevaluated two years after coming into effect.

The Netherlands has successfulbarriers against cybercrime

5. Successful barriersagainst cybercrime


o Proposals will be developed to make citizens andbusinesses more digitally skilled so that there arefewer opportunities for cybercrime. Please also see theobjectives and measures in Ambition 6.

o The use of secure hardware and software isencouraged to prevent cybercrime. Please also see theobjectives and measures in Ambition 3.

Integrale aanpak cybercrime Investigating cybercriminals and disrupting theirrevenue model contributes to cybersecurity. Thecurrent approach to cybercrime focuses oninvestigating, prosecuting and disrupting crimes,prevention, and strengthening laws and regulations.This approach will be continued and intensified. Inaddition, new elements are being added, such aspreventative measures for potential perpetrators andvictims, a possibly different form of support forvictims, an approach to perpetrators to preventrecidivism and knowledge development for policy-making in the longer term.


Knowledge is an extremely important asset in theNetherlands. Dutch society, and digital security inparticular, depends on the development and use ofknowledge, which is why ambitions in the field ofknowledge development are essential in the NCSA.

There is an urgent need to maintain and deepen high-quality cybersecurity knowledge development in theNetherlands. Intensifying sufficient and high-qualitydevelopment of both fundamental and appliedcybersecurity research is crucial in this regard.Cybersecurity knowledge development is needed to beable to implement measures to avert existing and newdigital threats. Moreover, high-quality autonomousknowledge helps to avoid over-reliance on cybersecurityexpertise and cybersecurity solutions from othercountries. Cybersecurity knowledge development doesnot only apply to natural sciences, but to arts andhumanities and social sciences as well. It concerns bothmonodisciplinary and interdisciplinary research intoshort and long term solutions. When doing so, it isextremely important for such research to cover the entireknowledge chain.

Cybersecurity research in the Netherlands is of a highstandard. Numerous parties, such as universities,universities of applied sciences, the NetherlandsOrganisation for Scientific Research [NederlandsOrganisatie voor Wetenschappelijk Onderzoek, NWO],businesses and central government, are investing in thisresearch. Successive editions of the National CyberSecurity Research Agenda (NCSRA) have formed animportant framework for cybersecurity in recent years.As a result of investments in cybersecurity research in

neighbouring countries, a multi-year boost forcybersecurity research is needed in the Netherlands tomaintain talent, and thereby our own knowledgeposition in the area of cybersecurity.

In addition, there is a growing demand from the businesscommunity and public authorities for innovativesolutions to cybersecurity issues and well-trainedpersonnel. This shortage on the labour market leads toscarce cybersecurity knowledge in organisations, whichmakes them insufficiently resilient to digital threats.

It is equally important that citizens and businesses alsocontinue to develop their knowledge to protectthemselves against digital threats. In addition to its taskin the field of cybersecurity research, Dcypher9 (set up bythe Ministry of Justice and Security, Ministry ofEducation, Culture and Science, and the NetherlandsOrganisation for Scientific Research [NederlandsOrganisatie voor Wetenschappelijk Onderzoek, NWO] in 2016)was also given a task in the field of cybersecurity highereducation. It has charted the field of higher education inthe Netherlands, which has facilitated mutualcomparisons of degree programmes and the assessmentof the skills of recent graduates who are entering thelabour market. A next essential step, is an analysis of thedifferences between the curricula (supply) and therequirements for well-trained personnel (demand).European cooperation in this field is being pursued.Sufficient teaching capacity (in all disciplines concerned)requires further attention.

Digital literacy is now part of the curriculum for primaryand secondary education but given the risks to (young)

The Netherlands leads the way in the field of cybersecurity knowledge development

9 Dcypher is the platform that unites researchers, lecturers, producers, users and policy-makers in the Netherlands to improve knowledge about and expertise in cybersecurity.

6.Cybersecurityknowledgedevelopment


children there is a need for the educational field tocontinuously renew and anticipate developments. Theagreed revision of the curriculum (where digital literacyis one of the themes) is being pushed forward togetherwith teachers, pupils and parents, educationalinstitutions and the professional field. This revision ofthe curriculum will become law from 2019 onward.

There is still a need for current generations to catch up.Research10 has revealed that citizens and businesses arestill not sufficiently aware of the dangers of digitalactivities and the measures that they can implement toavoid becoming a victim in the digital domain. In recentyears the business community and the government havealready invested heavily in the awareness of the generalpublic and smaller businesses to digital threats andperspectives for action have been offered, amongstothers through veiliginternetten.nl and Alert Online butalso through campaigns such asmaakhetzeniettemakkelijk.nl (‘boefproof’) [don’t make iteasy for them (‘crook proof’] or veiligbankieren.nl (‘hang op,klik weg’) [safebanking.nl. (hang up, click away]. Theeffects of these various efforts can be improved by morepublic-private cooperation and by introducing cohesioninto communications campaigns in the public domain.This also applies to the efforts by employers to maketheir employees digitally skilled and keep them up-to-date. When doing so, there is a need to develop a guidecontaining basic security measures for both citizens andsmaller businesses. This set of security measures doesnot protect against all conceivable digital threats but isan important step that citizens and small businesses cantake to further develop their digital skills.

OBJECTIVES• The Netherlands conducts high-quality cybersecurity

research.• The Netherlands has a long-term knowledge

development programme under which the academiccommunity develops and improves high-qualityknowledge, and there are sufficient academicsavailable to acquire an independent knowledgeposition in the area of cybersecurity.

• Citizens and businesses are able to see theimportance of addressing digital threats and becomemore resilient to cybercrime.

MEASURESo The Netherlands will invest structurally in

fundamental and applied cybersecurity research. Thiswill take the form of a multi-year public-privateapproach, as a boost for high quality cybersecurityknowledge development. The way in which variousinitiatives, programmes and instruments relating tocybersecurity research can be better aligned with eachother will be investigated to this end. TheVerhoeven/Rutte11 motion will be included in this. Inanticipation of this investigation, a financial incentivefor cybersecurity research will be organised first.

o Digital skills, including media-literacy andcybersecurity are explicit focus areas in the integralreview of the primary and secondary educationcurriculum. Proposals for this will be developed in2018 and will be evolved into laws and regulationsfrom 2019 onwards. Schools will be supported byKnowledge Net [Kennisnet] (which is funded by theMinistry of Education, Culture and Science) inanticipation of this.

o The government encourages the business communityand civil society organisations to further develop thedigital skills of employees and citizens and ensuresthe continuity and cohesion between variousawareness campaigns to increase their effect. Whendoing so, the latest insight in behavioural sciences wilbe taken into account.

10 National Cybersecurity Awareness study 2017 [Nationaal cybersecurity bewustzijnsonderzoek 2017], Alert Online and HM Government et. al. A call to action: The Cyber

Aware perception gap, 2018.

11 The Verhoeven/Rutte motion asks the government to explore the possibility of setting up an institute for research in the field of cybersecurity (Parliamentary Papers II,

2017/18, 34 775 VI, No. 68).


In recent years, the public, private and public-privatesectors have taken various initiatives to improvecybersecurity in the Netherlands. The course and speedof the approach needs to be coordinated to safeguardthat direction. Coordination can and must be strongerand that, of course, is up to the government. As thecoordinator, the NCTV takes the lead in promoting andensuring the improvement of cybersecurity in a cohesivemanner, in conjunction with all the parties involved(public authorities, business community, science, civilsociety). However, the government cannot do this on itsown. All parties may and must be expected to accepttheir responsibilities and contribute to make and keepthe Netherlands digitally secure as part of a concertedeffort. The approach can only be successful if it isdesigned, further developed and evaluated in closepublic-private cooperation. The increasing complexityand breadth of the cyber domain require continuousclarification of the roles and responsibilities of thevarious parties involved. This should also help toidentify successful market initiatives and link them tothis Agenda. For instance, cybersecurity is included inthe Corporate Governance Code and as such is a topicduring audits and reviews. And on the private side, thereis also a need for more cohesive efforts in the integratedDutch approach to cybersecurity.

The importance of information security andcybersecurity to public authorities is growing, becausecitizens and businesses are increasingly using theirservices from public authorities digitally. Failure,sabotage to or disruption of digital services willtherefore directly lead to damage to critical serviceprovision processes. To optimise the digital servicesprovided to citizens and businesses by the government

and to be able to guarantee high-quality services, it isessential for public authorities to keep investing ininformation security and cybersecurity and to prioritisethe availability and continuity of services. In addition toservices, digitalisation also has an impact on publicvalues and human rights and ensuring them in theinformation society. In addition to the secure provisionof services to citizens and businesses, the governmentalso needs to have and keep its own informationsecurity in order and be resilient to digital attacks. TheBroad Agenda for Digital Government (Ministry of theInterior and Kingdom Relations, BZK) discusses thesetopics in greater detail, as well as the measures thegovernment will take, at an inter-governmental level, tostep up its efforts on information security andcybersecurity.

OBJECTIVES• The coordinating role of the government in the

integrated approach to cybersecurity will bestrengthened.

• Dutch businesses, citizens and governmentorganisations implement their responsibilities, rightsand obligations with regard to cybersecurity.

• For the information security of the digitalgovernment, there is a coherent package of measuresto enhance the information security for the digitalbasic infrastructure, to further standardise andharmonise frameworks of norms on informationsecurity, including the creation and implementationof a Government Information Security Baseline[Baseline Informatiebeveiliging Overheid]. In this regard,attention will be paid to reducing administrativeburdens on municipalities for information securityand to bundling audits and assessments in a single


The Netherlands has anintegrated and strong public-private approach to cybersecurity

7. Public-privateapproach tocybersecurity


chain of accountability. Amongst other measures,information security and cybersecurity will beembedded in the Digital Government Act [Wet DigitaleOverheid].

MEASURESo The strengthened coordination of the integrated

approach is the responsibility of the NCTV.o A cybersecurity alliance will be formed which

commits public and private parties to implement themeasures from the NCSA.

o Progress of the approach to cybersecurity will bemonitored under the coordination of the NCTV and incooperation with all parties involved, and wherenecessary will be recalibrated based on technologicaland social developments. There will be an integralevaluation of the Agenda in 2021.

o Cooperation between public authorities and thebusiness community will be reinforced by creating anationwide network of cybersecurity partnerships.The principle of big businesses helping smallbusinesses will be part of the framework. There isscope for different modalities in public-privatecooperation.

o A coherent package of measures for informationsecurity and cybersecurity in public administrationwill be addressed in the Broad Agenda for DigitalGovernment. These measures will be coordinatedfrom the Government-wide Digital GovernmentPolicy Forum [Overheidsbrede Beleidsoverleg DigitaleOverheid, OBDO].

This publication was issued by the NCTV on behalf of central government. [email protected]

National Cyber Security Agenda - ENISA · A cyber secure Netherlands National Cyber Security Agenda...

Documents

Transcript of National Cyber Security Agenda - ENISA · A cyber secure Netherlands National Cyber Security Agenda...