Information exchange nationwide system cybersecurity.

To strengthen the digital capabilities of public and private parties in the Netherlands, efforts have been made in recent years to establish a nationwide system of cybersecurity cooperation, facilitating the broader, more efficient, and effective sharing of cybersecurity information. With the National Cyber Security Centre (NCSC, part of the Ministry of Justice and Security), the Digital Trust Center (DTC, part of the Ministry of Economic Affairs and Climate), and the increasing number of partnerships, this nationwide system is becoming more of a reality. However, there are still target groups in the non-vital sector (such as SMEs) who may not receive certain desired information or are unaware of how to access it, posing a risk to their cybersecurity. Dialogic investigated this issue commissioned by the Research and Documentation Centre (WODC). The research distinguishes between two types of cybersecurity-related information: awareness information (information and guidance on cyber resilience) and threat information (information on threats or vulnerabilities regarding specific companies or software). The target groups, needs, and legal constraints regarding these two types of information are not the same, leading to differing conclusions and potential measures. Need for Awareness Information The research reveals that there is a demand among SMEs and self-employed professionals for information and advice on cybersecurity, such as a basic scan of their cybersecurity. It also shows that the DTC currently meets a significant portion of this demand, which parties are not aware of. Therefore, one recommendation from the research is to develop a communication strategy to enhance awareness and accessibility of the DTC as the central point for cybersecurity. Need for Threat Information Sharing threat information is often challenging due to legal restrictions on sharing personal data and identifiable confidential information. As a result, threat information relevant to the non-vital sector tends to remain with the NCSC. Particularly, non-vital cyber-mature companies are currently not adequately provided with the desired information. This group has limited access to the information they require to function securely against cyber threats. Legal Developments In the future, the DTC could become the primary actor for threat information for non-vital parties, by ensuring that the DTC receives information from the NCSC and shares it with relevant companies and partnerships. However, it is uncertain when the necessary legal basis for the DTC will be in place and information sharing can truly commence: early 2021 is a possibility, but a year later is not unthinkable. Threat information can also be directly shared from the NCSC to other partnerships without the involvement of the DTC, but legal obstacles and uncertainties also arise here. It is expected that there will be more clarity on this in the short to medium term, making information exchange easier. The research report was sent to the Dutch House of Representatives on 17 November 2020. Read the relevant Chamber letter here.