Cybersecurity: lighter supervision for higher education

Universities and universities of applied sciences are already doing well on cybersecurity, so the government only needs to carry out ‘ex-post supervision’. That is stated in the draft version of a new ministerial regulation.

Personal data leaking, knowledge being stolen, ransom demands… Universities and universities of applied sciences also sometimes face hacking attacks. But they are defending themselves robustly, the government believes.

The government wants more control over cybersecurity in the country. In April, the House of Representatives agreed by a large majority to the Cybersecurity Act, an implementation of a European law. The government also wants to bring higher education under this law. A draft regulation is now available online for public consultation.

The main question was: how strict will this law be for higher education? Beforehand, institutions were concerned: they feared the proposal would have the opposite effect.

Important or essential

The law distinguishes between ‘important’ and ‘essential’ entities. The main difference is how strict the supervision is. Publicly funded universities and universities of applied sciences are designated as ‘important’ entities. This means they will be subject to the ‘lighter supervisory regime’.

Only ex-post supervision will take place, the explanatory notes state. That is considered sufficient because, in recent years – following administrative agreements with the Ministry of Education – education institutions have already worked significantly on strengthening their cyber resilience.

It is reminiscent of a bill on screening master’s students and researchers in ‘sensitive’ fields, which Minister Rianne Letschert postponed again last week. The education institutions are already doing well, the minister said in praise. Therefore, the announced broad screening would not be proportionate.

‘Prudent’

Last week, universities spoke of a ‘prudent reorientation’ by the minister. They were pleased with the emphasis on their own responsibility in matters of knowledge security. They also expressed appreciation for the additional funding the minister is allocating for knowledge security and cyber resilience (80 million for the next five years).

The Education Inspectorate will be tasked with carrying out supervision. This is therefore an additional responsibility for the inspectorate, alongside, for example, financial supervision and supervision of social safety.

The education institutions will have a reporting obligation for incidents. It is estimated that there will be around two per institution, meaning more than a hundred per year. The costs of this reporting obligation are assumed to be around one million euros nationally.