BeNeLux Cybersecurity Strategies
Converging or Diverging on the Topic of Risk Management?
With the increased number of cyber attacks on critical infrastructure, governments and companies need to manage cybersecurity risks better, including countering threats and managing vulnerabilities. Government strategies inspire companies and are a clear sign of the direction to follow for more effective cybersecurity risk management. The 2021 guideline for national cybersecurity strategies, compiled by 20 European and international organisations, recommends developing sectoral cybersecurity risk profiles so that countries take a proactive approach to defence rather than a reactive one after an incident. Have the BeNeLux strategies followed through? We assess to what extent the current BeNeLux (Belgium, Netherlands, Luxembourg) strategies converge or diverge and propose a tangible policy recommendation for the upcoming National Cybersecurity Strategy Reviews.
Why are we looking into this?
Cybersecurity risk strategies matter for adequate security and resilience. The new EU requirements enforce a more mature, harmonised and integrated approach to cybersecurity risk management. For example, the 2022 NIS2 Directive, which covers essential entities across 17 economic sectors, the 2022 DORA, targeting the financial industry, and the 2024 AI Act set significant risk management requirements, in addition to notification of significant incidents, for a substantial portion of the EU economy within the regulated sectors. In addition, products certified under the 2019 EU Cybersecurity Act (e.g. EUCC for ICT products or EUCS for cloud security) would require risk management and vulnerability reporting. Finally, the upcoming Cyber Resilience Act would require manufacturers of products with digital elements to notify actively exploited vulnerabilities and incidents.
As a result, with notification procedures and regular enforcement actions (audits), governments will become a central hub for critical cybersecurity risk information. They could play a crucial role in empowering companies by feeding real-time input into their risk profiles and providing periodic analysis of emerging trends.
This article aims to assess to what extent the BeNeLux (Belgium, Netherlands, Luxembourg) cybersecurity strategies converge or diverge in the area of risk management, and to propose a tangible policy recommendation for the upcoming National Cybersecurity Strategy Reviews. Government strategies could inspire companies and be a clear sign of the direction to follow. With the new and expanded notification requirements, governments could embrace the responsibility of a central cybersecurity risk information hub.
Are the BeNeLux Cybersecurity strategies converging or diverging on the topic of risk management?
The three national strategies converge around the aspiration to have an integrated approach to building trust in cyberspace that enables people and businesses to interact securely. They highlight the importance of collaboration with national and international partners.
The BeNeLux Cybersecurity strategies diverge in focus: Belgium focuses on productivity and growth, the Netherlands on economic security and social stability, and Luxembourg on competitiveness.
6-5-4-3 Strategic objectives
Belgium sets six strategic objectives to respond to technological developments and to meet the high need to protect the population, the private and public sectors and the vital sectors:
- Strengthen the digital environment and increase trust in it
- Arm users and administrators of computers and networks
- Protect organisations of vital interest from all cyber threats
- Respond to cyber threats, including through repressive capabilities and attribution
- Improve public, private and academic collaboration
- Make a clear international commitment
The Netherlands sets five national priorities:
- Be more aware of cyber threats so that we know and understand them.
- Ensure sufficient cyber expertise is available in the labour market so that we can meet the challenges we face.
- Be aware of and understand risks and threats.
- Legislation to ensure that frameworks are transparent and verifiable.
- Review the national cybersecurity system to ensure effective and efficient use of cyber capabilities.
These priorities are organised around four pillars:
- Establishing cyber resilience for government, businesses and civil society organisations,
- Secure and innovative digital products and services,
- Countering cyber threats posed by states and criminals,
- Cybersecurity labour market, education and cyber resilience of the public.
Luxembourg sets three strategic objectives:
- Building trust in the digital world and protecting human rights online,
- Consolidating the security and resilience of digital infrastructures in Luxembourg,
- Developing a reliable, sustainable and secure digital economy.
Belgium has identified two national priority risks: cybercrime and hacktivism.
Risk Management Strategy
Belgium’s national cybersecurity strategy focuses on risk assessment: risks are listed and explained, threat actors are identified, and protecting vital organisations from all cyber threats is a primary focus. The Netherlands, on the other hand, focuses more on understanding the origin and target of the threat. Luxembourg, in contrast, focuses on promoting a risk management culture based on risk analysis and the application of security measures.
Cyber Resilience Strategy
Belgium focuses on regular testing, while the Netherlands focuses on cyber risks, threats, incident identification and remediation, supply chain considerations, and lessons learnt. The Netherlands gathered and listed input from stakeholders on the concrete issues that can be worked on, including gaps in resilience, skills, responsibility, data and information sharing, amongst others. Luxembourg focuses on the resilience of government, critical and health infrastructure, incident and crisis preparedness, sovereignty, and technologies such as cloud, email and DDoS protection. It emphasises the role of situational awareness, risk management, and national and international (crisis) collaboration.
Identify a Standard Methodology for Managing Cybersecurity Risk
All three countries mention NIS in their security measures. Belgium and the Netherlands have highlighted risk assessment, while Luxembourg has highlighted risk analysis and remediation (implementing security measures). Luxembourg and the Netherlands underline the importance of the cybersecurity certification schemes developed under the Cybersecurity Act. In the meantime, Belgium has adopted a cybersecurity certification framework, CyberFundamentals (CyFun), and a Coordinated Vulnerability Disclosure Policy. Luxembourg has committed to introducing legislation to enable collective intelligence on vulnerabilities and security breaches, and has put forward the use of the Threat Intelligence Sharing Platform (MISP), the Risk Scenario Sharing Platform (MOSP) or any other tools or services identified as necessary.
Recommendations for the upcoming BeNeLux Cybersecurity Strategies reviews:
As no new versions of the cybersecurity strategies have been announced, the following current gaps should be considered in the upcoming revision of the BeNeLux Cybersecurity Strategies:
- Close the knowledge and information sharing gap for cyber resilience. Define a strategy for consolidating and reporting on the threat and vulnerability information gathered through the reporting obligations under EU legislation.
- Identify risk profiles for sectors that the country considers most critical to its society and economy. Based on the risk and threat landscape specific to the country and sector, provide guidance to companies and organisations on how to tackle cybersecurity challenges.
- Provide guidance on assigning roles and responsibilities between all parties (government, industry, supply chain, etc.) for various aspects of risk management, including security risk assessment and remediation, vulnerability and incident reporting, and cybersecurity compliance assurance.
Annexe: Table 1 The state of play of BeNeLux strategies
| BeNeLux Strategy Mapping | Belgium | Netherlands | Luxembourg |
|---|---|---|---|
| Overarching principles | | | |
| Vision | Y | Y | Y/N |
| Objectives | Y | Y | Y |
| Scope | Y | Y | Y |
| Timeline | Y | Y | Y |
| Comprehensive approach & tailored priorities | Y | Y | Y/N |
| Inclusiveness | Y | Y | Y |
| Economic and social prosperity | Y | Y | Y |
| Fundamental human rights | Y | Y | Y |
| Risk management and resilience | Y/N | Y/N | Y/N |
| An appropriate set of policy instruments | Y | Y | Y |
| Clear leadership, roles and resource allocation | Y/N | Y | Y/N |
| Trust environment | Y | Y | Y |
| Risk management in national cybersecurity | | | |
| Conduct a cyber threat assessment and align policies with the ever-expanding cyber threat landscape | Y | Y/N | Y/N |
| Define a risk management approach | Y/N | Y/N | Y |
| Identify a common methodology for managing cybersecurity risk | Y/N | Y/N | Y |
| Develop sectoral cybersecurity risk profiles | N | Y/N | N |
| Establish cybersecurity policies | Y | Y | Y |