How do you properly prepare yourself for the Cybersecurity Act?

Awareness and knowledge of digital security are important when designing or renovating critical works of art. These are vulnerable objects to our economy and safety. After all, the flow of traffic in our country is greatly guaranteed by working bridges and tunnels. And we keep dry feet thanks to hundreds of locks, dams and flood defenses. The number of cyber attacks is growing, with a recent hacking attack affecting the port of Antwerp. Moreover, the Cyber Security Act is coming! What can companies expect from this and which steps can be taken in advance, so that they will not be confronted with any surprises? We asked Patrick Spelt, Head of Cybersecurity Supervision at the Ministry of Infrastructure and Water Management's Environment and Transport Inspectorate (ILT).

The European Union Cybersecurity Agency annually examines how cybersecurity is evolving. The "Enisa Threat Landscape 2024" report shows that ransomware and DDoS attacks are the biggest threats. Both cripple business systems, but the former involves ransom demands. The report also shows that the techniques used are becoming increasingly complex and that cybercriminals are increasingly using AI tools. These tools make cyber attacks more effective, but also more accessible to attackers who have less technical knowledge.

Weak link

In addition, social engineering, such as phishing, is still common. Here, hackers exploit human weaknesses by sending misleading emails to gain access to an application or network. When staff are not sufficiently aware that they are handling data insecurely, such as by using proprietary devices or insecure video connections, it can lead to data breaches and cyber attacks. So it is also important to be aware that uninformed staff can be the weak link within a company's digital security.

Action Needed

The NIS2 Directive entered into force on Oct. 17 and will be implemented in the Netherlands in the form of the Cyber Security Act. This is European legislation aimed at increasing the general level of resilience of all companies in the EU. It focuses on risks that threaten network and information systems, such as cyber security risks. Patrick has been working on the implementation of legislation around cybersecurity, its implementation and monitoring for almost two years now. "The law is expected to take effect during the third quarter of 2025. However, it is very important that companies get started right away! After all, the risks organizations face are already there. Moreover, many companies are encountering these rules for the first time, as the current legislation only affects providers of essential services. Consider also that if your company does not have to comply with the regulations, you may be working with organizations that do and therefore need to start imposing requirements on their supply chain partners."

Take action

Patrick recommends starting with the NIS2 Self-Assessment. This online questionnaire answers the question whether your organization falls under the NIS2 guideline. If it is, you can use the online Quick Scan NIS2 Directive. This provides an overview of your obligations and the current status of your cyber security in accordance with the scope of the European NIS2 Directive.

Inspection pressure

If your organization falls under the law and in the 'essential' category, you will be proactively visited by the ILT. In the 'important' category, supervision takes place after the fact, i.e. only after a cybersecurity incident has occurred. "You don't have to be afraid of the regulator, and we're really not going to hand out fines right away. We have an intervention strategy and deploy fines particularly for companies that really don't want to comply. Suppose during an inspection things turn out not to be in order, you first get the time to solve them. Above all, we benefit from companies understanding what is required and getting on with it. After all, that really contributes to resilience." Incidentally, one may also have to deal with other inspection services, such as the National Digital Infrastructure Inspectorate. "Inspectorates work together in this, so that one does not have to deal with two inspectorates working alongside each other."

Reduce costs

To deal with this issue efficiently, it is good to know that there are all kinds of initiatives, including cyber resilience networks. If you join such partnerships, you can get help and advice, as well as act together. Bouwend Nederland, for example, supports its members together with the Digital Trust Center (DTC). And Aannemersfederatie Nederland has signed a cooperation agreement with the Samen Digitaal Veilig (SDV) initiative.

Patrick ends with a final tip in terms of fulfilling the duty of care: "Our inspection frameworks are based on industry frameworks. So my tip is: get started with ISO 27001 and 27002, the NEN or the NIST Cybersecurity Framework. That's never a waste of money, because we're going to use the same frameworks, after all."

The website www.ncsc.nl constitutes a good starting point for finding information on the topics mentioned in this article.