The text on this page was automatically translated and hence may differ from the original. No rights can be derived from this translation.
In order to strengthen the digital capabilities of public and private parties in the Netherlands, efforts have been made in recent years to establish a national system of cybersecurity cooperation agreements. Within this system, information on cybersecurity is shared more widely, efficiently, and effectively. With the National Cyber Security Centre (NCSC, part of the Ministry of Justice and Security), the Digital Trust Centre (DTC, part of the Ministry of Economic Affairs and Climate), and the increasing number of collaborations, this national system is becoming more and more a reality. However, there are still target groups in the non-vital sector (such as SMEs) that may not receive certain desired information or may not know where to find it, posing a risk to the cybersecurity of these parties. Research agency Dialogic investigated this on behalf of the WODC.
The research made a distinction between two types of cybersecurity information: informational (information and advice on cyber resilience) and threat information (information on threats or vulnerabilities related to certain businesses or software). The target groups, needs, and legal limitations concerning these two types of information are not the same, leading to differing conclusions and possible measures as well.
Need for Informational Content
The research reveals that there is a need among SMEs and self-employed individuals for information and advice on cybersecurity, such as a basic scan of their cybersecurity. It also shows that the DTC currently meets a significant portion of this need, but that parties are not aware of it. One of the recommendations in the study is therefore to develop a communication strategy to enhance awareness and accessibility of the DTC as a central point for cybersecurity.
Need for Threat Information
Sharing threat information is often problematic due to legal restrictions on sharing personal data and identifiable confidential information. As a result, threat information relevant to the non-vital sector tends to stay with the NCSC. Ultimately, the group of non-vital cyber-mature companies is currently not adequately provided with the desired information. This group has limited access to the information they believe is necessary to function cyber-resiliently.
Legal Developments
In the long run, the DTC could become the primary actor for threat information for non-vital parties by ensuring that the DTC receives information from the NCSC and passes it on to relevant companies and collaborations. However, it is unclear when the necessary legal basis of the DTC will be finalized and information sharing can truly commence: early 2021 is a possibility, but a year later is not out of the question. Threat information can also be directly forwarded from the NCSC to other collaborations without the involvement of the DTC, but legal obstacles and uncertainties also come into play here. It is expected that there will be more clarity on this in the short to medium term, making information sharing easier.
Interested in learning more about this study? Contact Reg Brennenraedts.