2025-08-13

Bram Beerthuizen

Research shows: Dutch municipalities fall short on cybersecurity

Dutch municipalities face a digital paradox: while they automate and digitize more and more processes, their cybersecurity measures are seriously lacking. Recent research by The Hague University among municipal security officers reveals an alarming picture. The majority believe that current cybersecurity measures fall short, especially at a time when municipalities digitally control essential infrastructure such as bridges, locks, and traffic lights. And this while the Cybersecurity Act is just around the corner. Bram, our new business manager, sheds light on this matter.

The problem: little confidence in cybersecurity

The research by The Hague University reveals a worrying situation. Through a survey among Chief Information Security Officers (CISOs), they examined the digital security of operational technology – systems that digitally manage traffic lights, bridges, and wastewater installations.

The conclusion: there is little confidence in current cybersecurity measures. The majority of security officers state that the measures are insufficient, while municipalities increasingly digitally control critical infrastructure.

Cybersecurity Act: new obligations

With the Cybersecurity Act, also known as the NIS2 directive, all Dutch municipalities are designated as ‘essential entities’. This entails concrete obligations:

• Duty of care: Taking appropriate measures to manage cyber risks.
• Registration obligation: Registration in the national entities register.
• Notification obligation: Reporting incidents to regulators within 24 hours.
• Supervision: Compliance with obligations is monitored.

The digital dilemma

Bram explains what he sees happening in practice: “Municipalities are caught in a bind. On one hand, they are forced to digitize due to citizen expectations, staff shortages, and efficiency demands. On the other hand, many municipalities lack sufficient resources and expertise for secure implementation. The result: a growing digital attack surface without adequate protection.”

How can it be done? Successful municipalities invest in proactive measures: prevention instead of recovery, real-time insight into security status, and automated reporting. And instead of looking for more people, who are often not available, municipalities can focus on

• Smart, user-friendly platforms that simplify complex security processes and make them accessible for municipal employees.
• Automated detection, response, and reporting that minimize human errors.
• Solutions that grow with municipal digitization and enable future expansions.

Practical first steps

Sounds good, right? You can already take some practical first steps yourself:

1. Risk analysis: Map critical systems and vulnerabilities
2. Automation: Choose self-managing solutions with minimal maintenance
3. Integration: Ensure seamless connection to existing systems
4. Scalability: Plan for future growth
5. Expertise: Collaborate with specialists who understand government and cybersecurity

Act or hope

The research shows: Dutch municipalities stand at a crossroads. With the Cybersecurity Act around the corner, the time to wait is over. Municipalities that now invest in smart, automated cybersecurity will not only be compliant but also better able to serve citizens.

Those who wait risk fines, reputational damage, and above all, the trust of citizens who depend on reliable digital services.

Want to know how Tible helps municipalities with smart cybersecurity solutions? Contact us for a no-obligation conversation.