Dependence on digital systems is growing, even among water authorities. Pumps, water treatment plants, and water management are increasingly controlled digitally. This improves efficiency but also increases vulnerability to disruptions and cyberattacks.
That’s why the 21 Dutch water authorities are intensifying their collaboration on information security and privacy. According to Bas Sluijsmans, Manager of Information Management and Automation and CIO at Hoogheemraadschap De Stichtse Rijnlanden, this cooperation has become indispensable: “The challenges are too great, and the dependencies too strong for any single organisation to tackle on its own.”
IT issues turned into strategic priorities
When Sluijsmans joined De Stichtse Rijnlanden 4 years ago, he noticed that many water authorities still had ground to cover in information security. This realisation wasn’t limited to his own organisation; it applied to the entire sector.
The reason is simple: water authorities are responsible for vital processes. They manage water levels, operate pumping stations, and treat wastewater. If these systems fail, the consequences can be severe. “A large part of the Netherlands lies below sea level. If a pumping station fails during high water, it can directly affect residents and businesses,” Sluijsmans explains.
The rise in cyber threats has only increased the urgency. Cybercriminals often exploit crises. For example, during the 2021 floods in Limburg, water authorities saw a surge in cyberattacks. This made it clear that information security is no longer just an IT department concern. “It has become a strategic issue affecting the entire organisation.”
Working together as 1 sector
No single water authority has the knowledge and capacity to meet increasingly stringent requirements. The introduction of the Dutch implementation of the EU’s NIS2 Directive, known in Dutch as the Cyberbeveiligingswet (Cbw), underscores this point. To address this challenge, water authorities have decided to deepen their collaboration.
“Additionally, the Critical Entities Resilience Act (Wwke), the Dutch implementation of the EU’s CER Directive, requires water authorities to safeguard vital processes for wastewater and flood defences. This law significantly affects the physical and digital management of critical infrastructure.”
Since 2025, all 21 water authorities have been collaborating across 5 collective themes: information security and privacy, architecture and standards, legislation and regulation, data and ethics, and digital innovation and transformation. Within these themes, all organisations contribute both financially and through specialist expertise.
“The complexity is increasing, and specialised knowledge is scarce,” says Sluijsmans. “By working together, we can share knowledge, undertake joint projects, and develop solutions that benefit the entire sector.”
Collaboration through Het Waterschapshuis
From conducting audits to providing shared services
Collaboration goes beyond discussion. Water authorities also work together on concrete measures, such as sector-wide audits based on the Baseline Information Security for Government (BIO). These audits provide insight into the sector’s overall maturity and help individual organisations make targeted improvements.
In addition, shared services have been established, including CERT-WM and the SOC. “This wasn’t an easy task,” Sluijsmans admits. “We had to reconcile diverse needs, technical environments, and priorities. Ultimately, this joint approach greatly aids standardisation and uniformity.”
Daily benefits of collaboration
Sluijsmans sees the benefits of collaboration daily within his organisation. Security specialists at De Stichtse Rijnlanden, for example, work closely with colleagues from other water authorities. They exchange experiences on current topics, including the implementation of the Cyberbeveiligingswet, joint tenders, and emerging threats.
The connection to the shared SOC and CERT-WM also offers advantages. “This not only gives us visibility into what’s happening within our organisation but also across the entire sector, helping us respond faster and be better prepared.”
Privacy is gaining importance
Alongside information security, privacy is attracting more attention within water authorities. Although they process fewer personal details than municipalities or social domain organisations, privacy issues still arise, including in permitting, supervision, and enforcement, as well as when implementing new technologies such as Copilot.
Sluijsmans has seen awareness grow significantly in recent years. “When I started here, there wasn’t even a dedicated privacy team. Now we have two full-time privacy officers involved in development and in reviewing new applications.” New technologies, such as drones, also raise fresh questions, not just technical but ethical as well. “You need to think ahead about the purpose of such applications. For example, what do you do with images that inadvertently capture personal data? These are questions we must answer before deploying the technology.”
Aligning with the Netherlands’ Digitalisation Strategy
According to Sluijsmans, the water authorities’ collaboration aligns well with the goals of the Netherlands’ Digitalisation Strategy (NDS). In 2024, the sector already developed a joint administrative course for digitalisation: ‘Vaarkaart Digitaal op Koers’ (Dutch), a ‘waterways roadmap’ of the sector’s digital direction. Additionally, Het Waterschapshuis has taken on a greater role in promoting collaboration, innovation, and knowledge sharing.
Moreover, portfolio holders were appointed to align NDS priorities with developments within the water authorities. “We try to link NDS developments with what we’re already doing as a sector. Where necessary, we incorporate new topics into the 5 collective themes.”
Looking beyond boundaries
Sluijsmans believes the biggest challenge isn’t confined to individual organisations or the sector. Water authorities are part of increasingly complex chains that rely on energy suppliers, telecom networks, and other public bodies. A disruption in one can directly affect another.
For this reason, he argues that digital resilience must extend beyond sectoral collaboration. “You have to look beyond organisational and even sectoral boundaries. Ultimately, we’re all part of the same societal infrastructure.”
This leads to his central message: “Water authorities demonstrate that collaboration isn’t just more efficient; it builds resilience. By sharing knowledge, using joint services, and pooling responsibilities, we become stronger.” He believes this lesson applies not only to water authorities. “In an increasingly digital society, digital resilience is no longer an individual responsibility; it’s a challenge for the entire public sector.”
