New Cybersecurity Act is imminent

TU/e is preparing, but lacks the budget for implementation

The Cybersecurity Act will be adopted in the second quarter of 2026 and is the Netherlands’ transposition of European legislation. The new rules are intended to make organizations more digitally resilient. What will the introduction mean for TU/e?

photo da-kuk / iStock

The Network and Information Security Directive 2, better known as NIS2, was adopted in the EU in October 2024. This directive concerns cybersecurity. A European directive still needs to be transposed into national law separately in each member state. In the Netherlands this is expected to happen in the second quarter of 2026. The Dutch Cybersecurity Act translates the requirements of the European directive into concrete frameworks, applied to the situation in our country.

The cyberattack on TU/e in January of this year is still fresh in everyone's mind. Following this, the university has already taken measures to strengthen security. For example, information has been further secured and access rights have been tightened. This makes it harder for criminals to access vital information during a hack or to steal a large amount of information at once.

Audit

The new Dutch law will take effect in a few months, but TU/e is already making preparations. The university is, for example, conducting an audit to assess the current cybersecurity situation. The audit is being offered by SURF, the national ICT cooperative for education and research.

“The SURFaudit is a preparation for the NIS2,” says Chief Information Security Officer (CISO) Joost de Jong. This allows TU/e to determine whether its corporate data is sufficiently protected and whether the privacy of students and employees is properly managed.

The audit also examines how TU/e compares to other universities. “TU/e wants to be more resilient and secure.” De Jong sees this as a perfect convergence of the university's ambitions and the law. “If we make an effort to become more resilient, we expect to comply with the new law.” Of course, the latter can only be said for sure once it has been adopted by the Dutch Parliament.

Training

“The NIS2 stipulates that we must train our employees,” De Jong explains. Employees receive very little instruction on how to use their computers. “When I mention this, the reaction is: ‘That's not necessary, we have highly educated people working at TU/e,’ but the reality is that things regularly go wrong due to a lack of knowledge.”

“It only takes one employee to leave some printed documents on the train or check emails on a phone with an AI app that reads along. Regular training ensures that you remain vigilant about data security and privacy.”

Funding

Implementing new laws is often expensive because so many things need to be arranged. De Jong: “Such a law comes with new obligations, but no funding. Therefore this affects the investments in education and research. That's why I believe the university should discuss with the cabinet to secure funding for this.”

A key theme in the Cybersecurity Act is resilience. Resilience means that an organization has considered its most valuable components, but also its vulnerabilities. The university tries to protect the network to prevent criminals from breaking in, but if this happens anyway, as it did earlier this year, it certainly helps if preparations have been made.

This can be achieved, for example, by compartmentalizing networks, meaning that a network has many sections which are separately closed off. If criminals manage to enter the network, they do not have access to all data at once. It's also about preparing how to react to incidents. Good preparation ensures that an organization can resume its operations as quickly as possible.

Opportunities

CISO De Jong sees opportunities to further improve resilience within the university while saving money. “We can get even more out of standard applications. For example, we have software licenses that are permitted for wider use, but we don't yet do so.” These are trusted applications, which often have more capabilities than they are currently used for. By using them more broadly, you prevent people from downloading their own software that hasn't been checked for vulnerabilities.

De Jong also sees opportunities in cleaning up: we need to get rid of all applications that we don't use. This saves on maintenance costs, but more importantly, reduces risks.

Reporting

In addition to the preventative obligation to train employees, the Cybersecurity Act will also impose stricter requirements on the process if an incident does occur.

The new law contains four obligations. If a significant incident occurs, such as the hack at TU/e earlier this year, the organization must report it to the cybersecurity portal NCSC within 24 hours. This creates a duty of care: the institution must take appropriate measures to respond to the incident.

The organization must then inform the involved parties (information obligation) and register the incident and its handling in the entity register (registration obligation). SURF helps with this, so that universities don't have to reinvent the wheel.

Knowledge security

“We're conducting research in Eindhoven that many would like to gain knowledge of. For example, in the field of health technology and chips,” De Jong acknowledges. This is also what the Cybersecurity Act addresses: knowing where sensitive information is stored, something that touches on the Knowledge Security Screening Act. But will ordinary students also notice that the university is tightening its data protection rules?

De Jong believes this is possible. “We try to facilitate everyone the best way we can, but the new rules could mean that fewer things are permitted when working from home. After all, the university has no control over the network security of people's homes.” A VPN does offer more protection, but it's difficult to verify that everyone is using it.

The law will not only demand more from an organization's employees, but also from its suppliers. The idea behind this is that suppliers also process data from staff within the organization or have access to the network, thus posing a potential risk. “You can properly maintain your own section of the dike, but if your neighbor doesn't, the water will still flood your land,” De Jong concludes.

The exact timeline for any actions TU/e will take to comply with the Cybersecurity Act is not yet known. This will become clear when the current situation has been mapped out further and when the act is ratified by the Dutch parliament.

This article was translated using AI-assisted tools and reviewed by an editor
