Amsterdam, 14 June 2023 - Municipalities are very worried about the new European cybersecurity legislation NIS2, which comes into force in 2024. The criticism voiced is that the central government is not providing clarity on the exact requirements. Research by AG Connect, Binnenlands Bestuur and iBestuur shows that only 10 of 80 municipalities are taking concrete steps to prepare.
The European cybersecurity law NIS1, which sets requirements that network and information systems must meet, currently applies in Europe. These security requirements now only apply to some 300 key organisations, for example in healthcare and at water companies. With the entry into force of NIS2 from October 2024, some eight thousand organisations will soon be designated as essential organisations, including municipalities. Those who fail to meet the stricter cybersecurity requirements risk an administrative fine. These fines can amount to 10 million euros or, in the case of companies, up to 2 per cent of total annual turnover.
So municipalities now have just over a year left to comply with the new IT security requirements. There still seems to be a lot of work ahead: in the survey of 80 municipalities by AG Connect, Binnenlands Bestuur and iBestuur, only five municipalities (6%) can indicate that they have currently mapped their suppliers. Six municipalities (7%) can indicate that they have mapped the vital processes within their organisation.
Lack of clarity on investments
The main theme in the responses is that municipalities are not clear about what they should do. As many as 70 out of 80 municipalities (88%) indicated that it is still unclear exactly what investments they have to make. This is because European agreements have not yet been translated into Dutch legislation. Also, this large group of municipalities does not know exactly how long they need to meet the requirements.
A small group, ten out of eighty municipalities, already has this (partly) clear. Among other things, they indicate that budgets are needed to gain more insight into which cybersecurity measures are needed for, for instance, road management, waste water and waste management. Some of these 10 municipalities indicate that the security awareness of the entire organisation needs to be further strengthened. Training should be taken, experts should be hired and discussions should be held with suppliers. Much more scrutiny will also be needed for the cybersecurity measures taken. There is little confidence in a good outcome. Only three municipalities (4%) dare to answer a resounding 'yes' to the question of whether they will comply with the legislation in time.