According to the government, the threat of digital attacks in the Netherlands is significant and continues to escalate in these ‘turbulent geopolitical times’. Dutch educational institutions are, according to education minister Bruins, an attractive target for malicious actors. While universities have significantly improved their digital security in recent years, he believes it is still better for them to be covered by the new cybersecurity law that the government is working on.
This would impose a legal obligation on them to properly secure their digital systems and to have external oversight. According to Bruins, there are still considerable differences in cybersecurity between institutions, which is why he wants them to be included in the law.
Unnecessary
Education and research need to be well secured, the Dutch Universities Association (UNL), the Association of Universities of Applied Sciences, and the MBO Council agree in a letter to minister Bruins. But according to them, this is already happening: the existing collaboration in SURF, the ICT cooperative of educational and research institutions, is ‘proven effective’. SURF also co-signed the letter.
“We have demonstrated that it is possible to rapidly and significantly improve cybersecurity without the need for coercive, bureaucratic, and costly legislation”, the letter states. The new law would unnecessarily delay the improvement of security.
European directive
Another objection is that cybersecurity costs are estimated by the European Commission to rise by 22 per cent. The Spring Memorandum indicated that the government does not compensate educational institutions for this. On the contrary, the government is shifting 7.6 million from their budget to the Education Inspectorate and SURF, which will also incur additional costs due to the new law.
With the cybersecurity law, the government will implement the European so-called NIS2 directive, but according to the letter writers, this need not apply to education: the European Commission allows member states the choice of whether or not to include educational institutions under the directive.
Should the government insist on this, then the institutions want at least four years of preparation time, sufficient financial resources, and safety standards that are appropriate for colleges and universities.
