The government warns that the Netherlands is under serious threat from cyber attacks, a danger that is only increasing in these “geopolitically turbulent times”. Education minister Eppo Bruins insists that Dutch knowledge institutions are a key target for malicious actors. Although these institutions have greatly stepped up their cybersecurity in recent years, he believes they would be better protected under the new cybersecurity law currently being drafted by the government.

This new law will impose a statutory duty on the institutions to properly secure their digital systems and subject their security regime to external monitoring. Bruins highlights the significant differences in cybersecurity that still exist between institutions as a justification for making them subject to the legislation.

Unnecessary

Universities of the Netherlands (UNL), the Netherlands Association of Universities of Applied Sciences and the MBO Council agree that effective measures must be in place to safeguard education and research. But in a letter to the minister they point out that education and research institutions already have a “tried and tested” cybersecurity solution in SURF, their collaborative IT platform. SURF is a co-signatory to the letter.

“We have shown that it is possible to step up cyber resilience quickly and robustly without the need for coercive, bureaucratic and costly legislation”, the letter states. It goes on to argue that the new law would result in unnecessary delays to security improvements.

European directive

Another objection concerns the 22 percent rise in the cost of cybersecurity as estimated by the European Commission. In its spring budget statement, the government revealed that it has no intention of compensating educational institutions for this rise. Instead, it plans to redirect 7.6 million euros towards the Inspectorate of Education and SURF, which will also face additional costs as a result of the new law.

The law is the government’s approach to implementing the European NIS2 directive but, as the letter points out, the European Commission leaves it up to individual member states whether or not they want to apply the directive to educational institutions.

If the government goes ahead with its plans, the institutions are demanding at least four years to prepare, sufficient financial resources and a standard of security that adequately reflects the needs of the higher education sector.

TU/e response

TU/e also joins the criticism of the government's plan to bring educational institutions under the new cybersecurity law. 'We consider cybersecurity extremely important and therefore invest heavily in it,' spokesperson Ivo Jongsma said in a written statement.

'We fully support the letter from UNL. The plan will not improve security compared to the course we have already taken, but it will lead to more bureaucracy and higher costs, leaving less funding for our core tasks. We find this hard to understand and difficult to reconcile with the minister’s promise to reduce administrative burdens.'