The cybersecurity certification landscape in The Netherlands after the Union Cybersecurity Act

This research aimed to sketch the cybersecurity certification landscape in the Netherlands to identify the impact of the Union Cybersecurity Act (CSA) on stakeholders such as industry and conformity assessment bodies (CABs), and to make an inventory of potential roles for the NCSC in this setting.

The Netherlands follows a decentralized model in which several agencies and Ministries have competences in cybersecurity. The Radiotelecommunications Agency (AT) is the national cybersecurity certification authority. The NCSC focuses on public-private partnerships and other tasks and responsibilities as stated in the Wbni, the Dutch law that determines the tasks of the NCSC.

The research consisted of gathering insights from the energy and banking sectors. It showed that companies are interested in conforming to cybersecurity standards, or are sometimes obliged to do so. However, they are not always motivated to pursue certification. The main obstacles are unfamiliarity with certifications, stringent documentation requirements and high costs. Some stakeholders in the energy sector are in favor of certifications, in contrast to the financial sector, where many other compliance requirements exist.

The research showed that the NCSC could play different roles in this landscape. With the AT developing towards the national certification body, the potential roles for the NCSC to consider range from supportive and reactive to proactive ones. A few examples are:

  • Facilitation of knowledge sharing on cybersecurity certifications via national ISACs or other public-private partnerships
  • Raising awareness about cybersecurity certifications
  • Expanding voluntary collaborations with certification bodies and other stakeholders
  • Providing substantial assistance to the national cybersecurity certification authority
  • Lending its expertise to the National Accreditation Body when assessing certification bodies
  • Developing its own national scheme and label, in areas not covered by the European cybersecurity certifications
