13/02/2024

Evaluation Framework and Baseline Measurement Dutch Cybersecurity Strategy

The text on this page was automatically translated and hence may differ from the original. No rights can be derived from this translation.

The government aims to increase the digital resilience of the Netherlands, strengthen the cybersecurity system, and address digital threats. To achieve this, the Dutch Cybersecurity Strategy (NLCS) 2022-2028 has been formulated. For insight into the effects of the NLCS, learning from it, and being able to be accountable for its implementation, an evaluation is being conducted. In preparation for the evaluation, Dialogic, commissioned by the WODC, conducted a baseline measurement of NLCS activities and established a monitoring framework.

The Dutch Cybersecurity Strategy is a follow-up to the Dutch Cyber Security Agenda (NSCA) and is intended as a future-oriented, sustainable vision for enhancing digital security in the Netherlands. The NLCS sets out concrete objectives and activities across 4 pillars:

- Digital resilience of the government, businesses, and civil society, including the establishment of a national cybersecurity authority.
- Secure and innovative digital products and services, such as the European regulation imposing cybersecurity requirements on manufacturers, including software.
- Combating cybersecurity threats from states and criminals, involving investments in the research capacity of intelligence and security services and the fight against cybercrime by the police and Public Prosecution Service.
- The cybersecurity labour market, education, and digital resilience of citizens, which includes awareness campaigns to empower citizens and reskilling and upskilling initiatives.

Prompt start with activities

The research indicates that the core activities across the four pillars align well with the objectives of the NLCS, with the majority of activities being measurable. It also shows that a prompt start has been made to implement the NLCS.
It is recommended to focus at this stage on activities required before subsequent actions can be initiated, such as the further development of legal frameworks like the amendment of the Network and Information Systems Security Act (Wbni) and the draft law on promoting digital resilience in businesses. Any delay in establishing these legal frameworks would slow down related activities, such as setting up oversight mechanisms.

Concrete choices needed for cybersecurity personnel shortage

Furthermore, there are several obstacles to achieving certain objectives. For example, relatively few resources are allocated to enhancing cybersecurity expertise in the labour market. Additionally, this objective is affected by the overall scarcity of workforce in other professions. The shortage of cybersecurity personnel is given the same priority as shortages in other sectors, like healthcare or other technical fields. Researchers point out that, without firm decisions, the added value of the NLCS in this area remains unclear. By making more concrete choices, policymakers can utilise various ongoing labour market studies to monitor cybersecurity expertise provision and assess the extent to which the objective of training more cybersecurity personnel is being met.

Visibility needed on effectiveness of confidential activities

Another challenge is the lack of overview of the implementation and effectiveness of activities carried out by intelligence and security services. These confidential activities are a crucial part of the NLCS and consume a substantial share of resources. Researchers cannot comment on this aspect of the NLCS. It is crucial for the implementation, progress, and adjustment of the NLCS that there is visibility and control within the government to discuss internally the relative effectiveness of these policy efforts.

The research report was sent to the Second Chamber on 8th February. Read the relevant parliamentary letter here.