The debate on ‘Online Safety and Cybersecurity’ took place on Wednesday 5 February. It was attended by David van Weel (Minister of Justice and Security), Dirk Beljaarts (Minister of Economic Affairs) and various parliamentary members of the Committee Digital Affairs (DiZa). During the debate, it was clear that all participants possessed a good general knowledge of digitalisation as well as detailed insights into cybersecurity. If you would like to know how the Minister of Economic Affairs prepared for this debate, have a read of this article.
All eyes on cybersecurity
Six themes are on the debate agenda for the Committee Digital Affairs, each of which also falls within the Committee’s remit. Last week’s debate focused on ‘Emerging and Future Technologies’. A technical briefing on ‘digital rule of law’ is planned for 11 February, and the Dutch central government intends to hold a round table on ‘digital sovereignty’ on 13 February. This week’s debate centred on the risks of digital technologies and information security, covering issues such as cybersecurity and encryption.
The standing Committee Digital Affairs has 29 members in total. The following members of the House of Representatives attended the debate on ‘Online Safety and Cybersecurity’ held on 5 February in the Groen van Prinstererzaal chamber:
- Jan Valize (chair, PVV)
- Jesse Six Dijkstra (NSC)
- Ingrid Michon-Derkzen (VVD)
- Marieke Koekkoek (Volt)
- Barbara Kathmann (GroenLinks-PvdA)
Vision for the future and progress update
The debate was held over two sessions, during which the members of the House of Representatives were able to ask questions about topics including the vision for the future of cyber resilience, developments in the Netherlands Cybersecurity Strategy 2022-2028 (NLCS), the consequences of the late implementation of the EU’s NIS 2 Directive and Critical Entities Resilience Directive (CER), the introduction of new EU legislation, and the Safety Strategy for the Kingdom of the Netherlands and how cybersecurity ties into it. The debate also touched on the National Technology Strategy (NTS) and the Cybersecurity Technologies action agenda, the latter of which is being developed under the leadership of KIA Digitalisation.
The members’ questions were testament to their awareness of the importance of having a clear vision for cybersecurity and of the growing risks of cybersecurity threats to the public and businesses. Many businesses continue to be hit by cybersecurity incidents, and shortcomings in basic online safety measures persist. Research has shown that 70% of ransomware attacks happen at companies that fail to adopt basic cyber hygiene practices. Six Dijkstra (NSC) believed basic measures were being neglected: ‘This is about poor password management, a lack of multifactor authentication, delayed updates and, at larger companies, insufficient network segmentation. Vast improvements could be made in this respect. Implementing just a few measures could significantly enhance security and safety.’
A labyrinth of regulations and solutions
The participants in the debate agreed that members of the House of Representatives should urge the government to provide clarity to businesses that are confused by the labyrinth of regulations in the pipeline as well as current and future technological solutions, so that they know what they need to do to update their basic cyber hygiene. Beljaarts (Minister of Economic Affairs) stated that businesses can find useful information about digital resilience in the Digital Trust Center (DTC).
‘We must get on top of cybersecurity and digital resilience if we are to harness digital transformation as the driving force of our economy. However, a third of small and medium-sized enterprises still haven’t taken action on online safety, despite having a range of tools and resources at their disposal,’ said Beljaarts. Beljaarts referred to the DTC website, My Cyber Resilient Business – a grant specially designed for small enterprises that cannot afford cybersecurity measures – and the DTC Community, where over 5,000 cybersecurity experts and businesses collaborate and share their knowledge about cybersecurity.
Widening gap
Highlighting a widening ‘digital resilience gap’ between large and smaller enterprises, Michon-Derkzen (VVD) was concerned that medium-sized businesses may also be struggling to access the right support. Kathmann (GroenLinks-PvdA) expressed the same concerns and asked whether the government should take on a greater leadership role to help companies find the right incident management and prevention solutions. She called for a ‘rapid response approach’, with the government taking on a pivotal role in ensuring companies adopt basic cyber hygiene practices.
Kathmann also called for more ‘digital first responders’: people who are trained to promote digital safety at their workplace and help colleagues resolve technology or incident-related issues. ‘Crucially, this endeavour relies on knowledge and information exchange between companies as well as between public and private networks. Middle-sized enterprises are crying out for a dedicated support line.’
CIOs should serve on the board
Six Dijkstra (NSC) asked the ministers how the current Dutch government will normalise the fact that, in a heavily digitalised country such as the Netherlands, ICT and cybersecurity should be on the agenda and within the sphere of action of company management boards. The participants in the debate were clear that today’s CIOs should serve on the board. Six Dijkstra again insisted that serious preparations should be made for ‘Q-day’ – the day on which quantum computing will be capable of breaking cryptographic algorithms. ‘This could have a seismic impact on safety and security in our society. A quantum computer has the potential to crack our encryption in the very near future. Indeed, some state actors are already conducting “store now, decrypt later” attacks.’ He therefore urged that scenario plans be made.
Koekkoek (Volt) agreed, adding that she would like the government to raise awareness by giving the public and businesses a more meaningful role in hybrid threat training. She asked whether the government had also considered whether North Sea fibre-optic cables were in danger of being sabotaged in a similar vein to those in the Baltic Sea and, if so, what measures were being taken to prevent this. Koekkoek also asked what the consequences would be of the delayed implementation of the NIS2 Directive.
Delayed implementation of NIS2 Directive
Van Weel (Minister of Justice and Security) stated that several Member States had failed to implement the NIS2 Directive on time. ‘This is a serious, complex and cross-sector exercise. I expect the NIS2 Directive [transposed into the Dutch Cyber Security Act, Cyberbeveiligingswet, Cbw] to enter into force in Q3 2025.’ It is currently being investigated whether higher education is considered a ‘critical sector’; Van Weel has called on his fellow members of the government to view it as such. Michon-Derkzen (VVD) also strongly advocated in favour of this, in view of the recent cyberattack on Eindhoven University of Technology and the DDoS attack on higher education networks.
Lesson #1: self-sufficiency
On 10 April 2025, the House of Representatives will debate the Safety Strategy for the Kingdom of the Netherlands. Minister Van Weel said cybersecurity threats would understandably be part of the debate. He mentioned that, in his experience, a rapid response to a large-scale systems outage should be based on self-sufficiency for the first 48 hours. In the full version of the letter to parliament on the topic, due for submission soon, Van Weel promised that he would consider how the Dutch public could be involved in rapid response training. ‘This could include developing skills that boost people’s self-sufficiency.’
Van Weel referred to the recent programme by the Dutch public broadcaster EO, Black-out, which he contributed to.
PQC migration manual
Van Weel also stated that organisations wishing to take action and seek advice on mitigating the threat of quantum computers cracking their encryption could access a PQC (post-quantum cryptography) migration manual. These organisations may process data that must remain secret for the next 20 years or more, or they may be organisations that develop systems with a long product lifecycle. This manual is a joint publication by the General Intelligence and Security Service (AIVD), TNO and the Research Institute for Mathematics & Computer Science in the Netherlands (CWI).
The Minister of Justice and Security also said he was concerned by how easily the public involuntarily discloses their personal information to big tech companies. ‘Remember that each time you download a free app, you’re paying with your personal data. Exercise caution.’ He plans more awareness-raising campaigns, the first of which will be launched this spring. ‘It’s a never-ending game of catch-up. We must ensure the public is much better informed about digital resilience.’
On 1 January 2026, the National Cyber Security Centre (NCSC), the Digital Trust Center (DTC) and the Cyber Security Incident Response Team for digital service providers (CSIRT-DSP) were officially merged to create one government help desk for cybersecurity advice. Minister Beljaarts said that while the merger was going according to plan, he did not have insight into the ins and outs of the process. ‘However, I have no reason to assume there will be any drop in service quality in the run-up to the merger.’
Monitor, crisis plan and amendments to the Dutch Telecommunications Act
Statistics Netherlands (CBS) will publish its Cybersecurity Monitor in March to provide the latest update on business and household cyber resilience in the Netherlands. Minister Van Weel said that a new version of the Nationwide Crisis Response Plan for Digital Crises would be published in Q3 2025, describing a joint approach to digital crises that affect the whole of the Netherlands. Minister Beljaarts said that European partners are currently researching whether artificial intelligence (AI) could be mentioned in the Digital Markets Act (DMA).
During the debate, Beljaarts promised that he would inform the House of Representatives of a possible amendment to the Dutch Telecommunications Act (Telecommunicatiewet) within the next two weeks. Banks and telecoms providers are pushing for a change to the law in order to better protect customers against scammers who pretend to be bank employees. The Dutch Banking Association (NVB) and the sector organisation NLconnect have called on the government and House of Representatives to empower telecoms providers to check whether someone is on the phone while making a funds transfer. These ‘on the phone’ checks could help to prevent substantial losses caused by bank help desk fraud.
Lastly, Beljaarts pledged that he would provide the House of Representatives with a progress update on the Cybersecurity Technologies action agenda by Q3 2025. This agenda is being produced under the leadership of KIA Digitalisation and is part of the National Technology Strategy (NTS).