The following sections list the results we aim to achieve in 2024 for priority 2.5 “Improve Cybersecurity”:
1. Introduce a government-wide statutory duty of care
Introduce a government-wide statutory duty of care for information security, a duty to report and a regulatory regime:
- Update the implementation of the BIO support programme.
- The accountability system contained in the Uniform Single Information Audit Standard (ENSIA) is further developed. Steps have been taken on the horizontal and vertical organisation of regulation based on the BIO.
- There is a revised BIO (BIO prelude was delivered in 2023) that is legally embedded in NIS2.
- Pilots provide insight into the added value of an IT report and IT audit statement within the government.
- Indicators that measure ambition regarding actual security are monitored and displayed on the open-source website basisbeveiliging.nl. Government organisations can mirror and draw from this.
Implementor (by whom, with whom): BZK, JenV, various ministries, local and regional authorities, CIP
2. Coordination of Government-wide strategy for international cyber policy
- Activities are in line with international Cyber Strategy, looking at international security, human rights and rule of law online.
Implementor (by whom, with whom): BZ, EZK, JenV, BZK, DEF, local and regional authorities, and government services (AIVD, MIVD, NCSC, NCTV, OM and the National Police)
3. The government only purchases secure ICT products and services
- The government cybersecurity procurement requirements tool has been further developed, broadened and implemented.
Implementor (by whom, with whom): BZK, EZK, local and regional authorities, CIP
4. Make own domain available
Offer a dedicated government domain so that citizens can more easily recognise trustworthy websites (for example, government.nl; the exact extension is still being explored with AZ):
- Offer government-wide extension for governments, starting with the central government.
- Create a government domain extensions transition plan with all government entities. Implement in phases, starting with the central government.
- The first use of the extension.
Implementor (by whom, with whom): BZK, AZ
5. Establish a contact point
When it went live in late 2023, an online form was made available for citizens to ask questions about websites in the registry. A user survey will be conducted among citizens in 2024 to improve the accessibility and understandability of the website and to find out what type of support is desired by users; this could be through another digital form or by telephone, for example. The recommendations of the user survey will be used to optimise services for citizens:
- A point of contact was established where citizens and businesses can ask questions about the security of government websites.
Implementor (by whom, with whom): BZK, AZ/DPC, Netherlands Publication Office (KOOP)
6. Facilitating annual government-wide exercises (from Government I-strategy)
- Annual Government-wide Cyber Exercise using simulated hack attacks.
- Delivery of red-teaming toolkit.
- Start implementation of red-team testing by ministries.
- Interdepartmental knowledge sharing regarding red-team testing is organised.
Implementor (by whom, with whom): BZK, JenV
7. A help function for information security and privacy
Provide a help function for information security and privacy for authorities and government agencies:
- Further steps are taken to expand and continue developing the Information Security & Privacy service. The first authorities or government agencies receive customised recommendations from professionals within the government about digital security and privacy.
Implementor (by whom, with whom): BZK, CIP
8. Increase detection and response capabilities of central government organisations
- All relevant central government organisations are connected to the National Detection Network.
- First Security Operations Center (SOC) products relating to monitoring and detection, vulnerability management and collaboration and information sharing are available.
Implementor (by whom, with whom): BZK, JenV
9. Improve proactive information security measures
Improve proactive information security measures focused on the central government’s Protectable Interests:
- A national policy for mandatory basic digital resilience training is established.
- The annual ADR demand-driven information security survey is conducted.
- Tools for protection against ransomware are ready.
- The first step in the quantum awareness programme for primary audiences is implemented.
- Quantum-safe crypto policy established.
- Establish a process that provides crypto resources for long-term protection of state secrets at the State Department.
- Digital resilience risk management policy and implementation framework is established.
Implementor (by whom, with whom): BZK
10. Equip mobile devices issued to civil servants with authorised apps
Ensure that mobile devices issued to civil servants employed by the central government are set up so that only authorised apps, software and/or functionalities can be installed and used:
- Allowlisting: apps authorised for use by government officials are determined.
- Procedure established for introduction of managed devices.
- App policy framework drafted and implementation started.
- The “Central Government Digital Working Environment” code of conduct is updated.
Implementor (by whom, with whom): BZK in coordination and cooperation with ministries and “facilitating organisations”