The text on this page was automatically translated and hence may differ from the original. No rights can be derived from this translation.
In order to strengthen the digital capabilities of public and private parties in the Netherlands, efforts have been made in recent years to establish a nationwide system of cybersecurity partnerships. These partnerships aim to facilitate broader, more efficient, and effective sharing of cybersecurity information. With the National Cyber Security Centre (NCSC, part of the Ministry of Justice and Security), the Digital Trust Centre (DTC, part of the Ministry of Economic Affairs and Climate), and the increasing number of partnerships, this nationwide system is becoming more and more of a reality. However, there are still target groups in non-vital sectors (such as SMEs) who may not receive certain desired information or know where to find it, posing a risk to their cybersecurity. Research agency Dialogic explored this issue at the request of WODC.
The research distinguished between two types of cybersecurity information: information for raising awareness (information and advice on cyber resilience) and threat information (information on threats or vulnerabilities relating to specific businesses or software). The target groups, needs, and legal constraints for these two types of information are not identical, leading to differing conclusions and potential measures.
Need for awareness-raising information
The research reveals a demand among SMEs and self-employed individuals for information and advice on cybersecurity, such as a basic cybersecurity scan. It was also found that the DTC currently meets a significant portion of this demand, but parties are unaware of this. Therefore, one of the recommendations from the research is to develop a communication strategy to enhance awareness of and access to the DTC as a central point for cybersecurity.
Need for threat information
Sharing threat information is often problematic due to legal restrictions on sharing personal data and identifiable confidential information. This means that threat information relevant to the non-vital sector remains 'stuck' at the NCSC. Consequently, the group of non-vital, cyber mature companies currently do not receive the necessary information effectively. This group has limited access to the information they require to enhance their cyber resilience.
Legal developments
In the future, the DTC could potentially become the primary actor for threat information for non-vital parties by ensuring that it receives information from the NCSC and distributes it to the relevant businesses and partnerships. However, it is uncertain when the necessary legal framework for the DTC will be finalised and information exchange can truly begin: early 2021 is a possibility, but a year later is not out of the question. Threat information could also be forwarded directly from the NCSC to other partnerships without involving the DTC, but legal obstacles and uncertainties exist here as well. It is expected that greater clarity will emerge in the short to medium term, making information exchange more straightforward.
Interested in learning more about this research? Contact Reg Brennenraedts.