Risk, Resilience & Compliance

Government and Public Sector

Financial Services

Clarity on GDPR roles: when to use a processor agreement and when it’s unnecessary

Everyone needs a data processing agreement!

People talking in a meeting at a desk with laptops

“Better safe than sorry,” “better too many than too few,” and “fire is worse.” All true, but still not a reason to start signing agreements unnecessarily. Yet this is exactly what I now see happening on a large scale. Organizations that share data are massively sending each other data processing agreements. And not just to each other: their own employees, the Tax Authority, and the company doctor are also being dragged into it. Please don’t forget to fill in annexes 1 through 4 yourself, in the name of the GDPR. No processing without a processing agreement. Or is there? Let’s start at the beginning.

Dorus-Jan ten Boom

Netherlands

GDPR roles: when to use a processor agreement and when it’s unnecessary

Organizational

Striking the balance between compliance and responsiveness

Target Operating Models

Green mountains with blue sky

In today’s highly regulated industries — from finance to pharmaceuticals to public services — organizations face a delicate balancing act. They must operate with stability, precision, and predictability, ensuring full compliance with evolving regulatory requirements, while also staying responsive to shifting customer expectations, competitive pressure and changes in legislation. Designing and implementing an effective operating model that enables an organization to tackle both these sides can be challenging. 
There are many reasons why organizations in a highly regulated industry find it challenging to develop an effective and long-term operating model that strikes the balance between responsiveness and operational stability. Highberg has identified a set of key factors that, in our experience have a strong impact on achieving this golden balance: complex regulations and compliance, siloed organizational designs, and lastly, a risk-averse culture and mindset.

Valerie Gögel

Target Operating Model in a highly regulated environment: Striking the balance between compliance and responsiveness

Technology and Telecommunications

Top 5 trends in cybersecurity in 2025

"Turbulent times, unforeseen effects" was the title of the Cybersecurity Report Netherlands 2024, and it was not without reason. The past year has shown how vulnerable our digital world can be. A faulty software update led to the cancellation of over four thousand and two hundred flights worldwide, public transport came to a halt, and hospitals had to temporarily close their doors. Until that day, most people had never heard of Crowdstrike. Yet a small mistake in this software had a huge impact. 
Fortunately, progress has also been made in strengthening cyber resilience: from improved collaboration between public and private sectors to innovations in AI-driven security. A lot is bound to happen in the world of cybersecurity in 2025 as well. Key trends will shape cybersecurity in 2025.

Veroniek Binkhorst

Digital

Striking a balance between security and privacy

Ethics and Zero Trust

Ethics and Zero Trust: Striking a balance between security and privacy

In the modern digital world, organisations are increasingly dependent on technology to protect their data and systems from increasingly sophisticated threats. To deal with this threat, an approach has been developed that has received a lot of attention in recent years: Zero Trust. This approach to information security is based on the principle that organisations do not automatically trust any part of the network, or the user. While Zero Trust can be an effective way to protect organisations, it also raises ethical questions regarding privacy and trust. In this article, we will explore the ethical implications of Zero Trust and how to strike a balance between security and privacy.

Martijn Hunsche

Strategy & Change

Eight Things You Need to Know About NIS2

The European Union (EU) is deeply concerned about the cybersecurity of organizations within vital sectors. The EU has introduced the Network and Information Security 2 Directive (hereinafter: NIS2) to enhance the cyber resilience of these organizations. Organizations within vital sectors are obligated to comply with NIS2 from October 18, 2024. Organizations belong to the vital sector when their service provision (temporarily) disrupts and has a significant impact on the economy and society.
In this Insight, you will read about the eight things you absolutely need to know about NIS2.

Nino van Leeuwen

Shankar Sahtie

Data & AI

Most important obligations in the AI Act: how to comply now?

Break through in regulation of AI: The AI Act

This text is translated from Dutch with the help of AI - On December 8, 2023, the European Union reached a preliminary political agreement on the Artificial Intelligence Regulation (hereafter referred to as the AI Act). The final text is formal approved by the European Parliament. 20 days after official publication the AI Act will enter into force. This landmark legislation marks the EU's first step towards regulating artificial intelligence, targeting developers, distributors, and users of AI systems, including those systems used for predictions, classifications, and analyses.
The potential impact on governments and businesses deploying AI systems is significant. In this insight, we'll walk you through the key obligations, how they affect your organization, and proactive steps you can take to ensure compliance.

Sabine Steenwinkel-den Daas

Germany

France

Discover the importance of data subject rights under the GDPR

Why the rights of data subjects are important

Waarom de rechten van betrokkenen onder de AVG zo belangrijk zijn

In today's digital world, personal data is everywhere. The General Data Protection Regulation (GDPR) grants individuals specific rights regarding their personal data. But why are these rights so important, even if people rarely actively use them?

Frank van Vonderen

Why the rights of data subjects under the GDPR are so important?

Discover the crucial privacy requirements to consider when selecting a SaaS provider

Privacy requirements for a SaaS supplier

Essentiële privacy eisen voor het kiezen van een Saa S leverancier

Choosing a SaaS provider is a decision that goes beyond just functionality and price. In a world where data is one of the most valuable assets of an organization, privacy and data protection are becoming increasingly important. But what are the key privacy requirements that a SaaS provider must meet?

Essential privacy requirements for choosing a SaaS supplier

Privacy by Design: protection at the heart of algorithms

Is Privacy by Design important in algorithms?

Privacy by Design: Protection at the heart of algorithms

What is Privacy by Design?

Privacy by Design is a strategy that focuses on integrating privacy protection into technological products and systems from the outset. This approach means that privacy is a fundamental part of the design process, rather than an addition or adjustment made afterwards.

How can organizations make privacy by design concrete and actionable?

Het concreet maken van Privacy by Design

Making Privacy by Design Concrete: Practical Steps for Implementation

In today's digital age, where data is ubiquitous and privacy concerns are at the forefront, incorporating privacy by design principles into the development of products and services is paramount. Privacy by design refers to the practice of considering privacy and data protection from the outset of the design process, rather than as an afterthought. But how can organizations make privacy by design concrete and actionable?

Learn how your organization must act in the event of a data breach, under the GDPR

Navigating a data breach: step-by-step

A data breach is like an unexpected storm in the world of data protection. It can happen to anyone, but rest assured: the GDPR offers an umbrella in this storm. Step-by-step guidance helps organizations manage a data breach according to the GDPR, so your organization can quickly become dry and safe again.

Organizations are required to keep such a register, what are the benefits?

Benefits of register of processing operations

What is a Record of Processing Activities (RoPA)?

What is a Record of Processing Activities (RoPA)? 
A Record of Processing Activities is a detailed overview in which organizations document how personal data is processed. This includes information about the types of data collected, the purpose of the processing, with whom the data is shared, and how it is secured. According to the GDPR (General Data Protection Regulation), organizations are required to maintain such a record.

Benefits of a register of processing operations under the GDPR

Are your actions complying with the GDPR? This guide will help you navigate the GDPR

How to know if it's allowed under the GDPR?

How to know if something is allowed under the GDPR

Since its introduction in 2018, the General Data Protection Regulation (GDPR) has brought about many changes in how companies handle personal data. However, understanding the GDPR can be challenging, and it is often not immediately clear whether certain actions are allowed. A clear explanation is provided below on how to determine if your practices are in line with the GDPR.

How to know if something is allowed under the GDPR: a practical tool

Having a DPO is essential to comply with the General Data Protection Regulation (GDPR)

How to find a DPO that fits your organization

Hoe vind je een Functionaris Gegevensbescherming (FG) die perfect bij je organisatie past

In an era where data protection and privacy are becoming increasingly important, finding a suitable Data Protection Officer (DPO) becomes a crucial task for many organizations. Whether it is a large corporation, an SME, or a non-profit organization, having a competent DPO is essential to comply with the General Data Protection Regulation (GDPR). But how do you find a DPO who fits perfectly with the needs and culture of your organization? Here are some tips.

How to find a Data Protection Officer (DPO) that fits your organization perfectly

Creating a data transfer impact assessment: a step-by-step guide

The importance of a DTIA

Hoe voer je een DTIA uit

In the era of globalization and digital expansion, data is continuously sent around the world. As a result, a Data Transfer Impact Assessment (DTIA) has become essential. This assessment helps organizations evaluate the risks and compliance requirements associated with transferring personal data across borders. A step-by-step process can help create an effective DTIA.

How do you conduct a DTIA?

How policymakers can make ethical and measurable trade-offs when using AI and algorithms

The Importance of an Ethical Framework

AI and algorithms are transforming our lives, but they also bring ethical challenges. How can AI be fair, transparent and accountable? Establishing an ethical framework for policymakers and the public provides steps and criteria for ethical considerations in the world of AI.

When is protection truly effective? How can you measure it?

Status information Security & Privacy Policy

How Effective Is Your Information Security and Privacy Policy? Measure It!

In today's increasingly digital world, effective information protection is a pressing concern. It's common to discuss information security and privacy, but when is protection truly effective? How can you measure it? Often, we measure that we are doing the right things (compliance), but not whether data is effectively protected. However, in practice, the latter is the most crucial aspect. After all, you do these things to prevent data breaches or information security incidents. 
Highberg uses the following seven best practices to measure the effectiveness of information security and privacy policies, with a significant role for data.

Marlijn Mulder

The question is not whether there will be casualties as a result of a cyberattack but when

Vulnerability SCADA to Cybersecurity Attacks

Vulnerability of SCADA Systems to Cybersecurity Attacks

Many different organizations and companies use SCADA/ICS (Supervisory Control and Data Acquisition/Industrial Control Systems) systems in various ways in their primary (production) processes or products. This includes manufacturing companies, control of bridges and locks, electric cars, equipment in intensive care units, as well as pacemakers and wireless insulin pumps. IoT (internet of things) is also playing an increasingly significant role in this context.

Koos van der Spek

Is a new trend emerging in the world of hackers: data leaks as a business model?

Data Leaks as a Business Model?

Cyber Extortion: Data Leaks as a Business Model?

Is a new trend emerging in the world of hackers: data leaks as a business model? With the worst of the GDPR (General Data Protection Regulation) storm settling down and the era of "can't do it, it's against GDPR" hopefully behind us, hackers are discovering a new source of income: fear of fines.

Bart Giesbers

Where lies the Ownership of Risks and Measures in Information Security?

Ownership of Risks in Information Security

Information security is everyone's responsibility! Most people who have ever been an audience member for a presentation on this subject have heard the above statement at some point. It's a true statement but one that remains somewhat cryptic in practice for many.

Steven Debets

Where lies the ownership of risks and measures in information security?

Other organizations have realized that it would have been handy if there had been a BCP.

Questions Your BCP Should Answer

Over the past few weeks, many organizations have been able to put their business continuity plans (BCP) into practice. Other organizations have realized that it would have been handy if there had been a BCP. Which category does your organization fall into? In any case, we've all been busy brainstorming scenarios and gathering data to gain control over the things coming our way.

We've selected five measures that you should take to enhance your cyber resilience.

Five Measures to Increase Cybersecurity

Five Essential Measures to Increase Cybersecurity and Cyber Resilience

Companies and governments will need to pay much more attention to cyber resilience to prevent serious damage in the future.

Cyber incidents are having an increasingly significant impact: Reduce this response time.

Cyber Crisis Management: Joint Responsibility

Cyber Crisis Management: A Joint Responsibility

In two-thirds of organizations, it takes at least two hours to take action after discovering a cyber incident. For one-fifth of organizations, it takes more than four hours. This information comes from the international study Cyber Resilience 2016 by the Business Continuity Institute. Considering that cyber incidents are having an increasingly significant impact, it is essential to reduce this response time. But what causes so much time to be lost?

Increasingly concrete threats posed by the digitally interconnected world.

Cloud Strategy & Security: Collaboration?

Cloud Strategy and Security: Seeking Collaboration

Cybersecurity is the central theme of this year's Business Continuity Awareness Week, and it's no wonder. Individuals and businesses are feeling more vulnerable than ever due to the increasingly concrete threats posed by the digitally interconnected world.

Part 2 addresses the disadvantages, risks, and possible next steps.

Digital Euro: A Blessing or a Curse? Part 2

The Digital Euro: A Blessing or a Curse? Part 2 – Disadvantages, Dangers, and Next Steps

This is Part 2 of a two-part series of articles on the digital euro. Part 1 discussed the background and emergence of the digital euro and its potential advantages (you can read Part 1 here). Part 2 addresses the disadvantages, risks, and possible next steps.

Paul Helmich

This part covers the background and rise of the digital euro and its potential benefits.

The Digital Euro: Blessing or Curse? Part 1

The Digital Euro: Blessing or Curse? Part 1 – Background, Rise, and Benefits

This is Part 1 in a series of 2 articles about the digital euro. This part covers the background and rise of the digital euro and its potential benefits. Part 2 discusses the drawbacks, risks, and possible next steps (you can read Part 2 here).

In this blog, you will learn what you absolutely need to know about DORA.

Seven Things You Need to Know About DORA

The European Union (EU) is deeply concerned about IT risks and cybersecurity in financial sector organizations. They respond with the Digital Operational Resilience Act (DORA) to the increasing digitization within the financial sector and the growing threats from (cyber)criminal organizations and hostile powers.

How do we address the ongoing vulnerability of these systems?

Security of SCADA: Which Standard to Choose?

The Security of SCADA: Which Standard to Choose?

Recently, the results of a study by the University of Twente on the security of Dutch SCADA systems were presented. The research once again revealed that the security of these systems is far from adequate. Hundreds of components of SCADA systems with direct connections to the internet were found, which is a security risk. The question is, how do we address the ongoing vulnerability of these systems?

Floris Baauw

It is interesting to note that hackers are increasingly targeting the medical sector.

Security in the Biomedical Sector

Is There Also Attention to Security in the Biomedical Sector?

In January of this year, documents related to the Pfizer/BioNTech vaccine were published by hackers. These documents were obtained from the European Medicines Agency (EMA) while it was in the process of approving the Pfizer/BioNTech vaccine for the European market. Various media outlets subsequently claimed that a state actor was behind the hack. Whether it was a state actor, a hacking collective or a lone wolf, it is interesting to note that hackers are increasingly targeting the medical sector.

Part two delves deeper into the reporting obligations under the Cybersecurity Act

Cybersecurity Act Focuses on BCM - Part 2

The Network and Information Systems Security Act (Cybersecurity Act) Focuses on Business Continuity Management (Part 2)

The Network and Information Systems Security Act (Wbni), commonly known as the Cybersecurity Act, aims to enhance digital security in the Netherlands. This Cybersecurity Act is based on the European Union's Network and Information Security Directive (NIS Directive), which encourages member states to improve their digital resilience and collaborate more effectively. The new legislation introduces reporting obligations that organizations must understand and implement. This part delves deeper into the reporting obligations under the Cybersecurity Act.

Cybersecurity Act Focuses on BCM - Part 1

The Network and Information Systems Security Act (Cybersecurity Act) Focuses on Business Continuity Management (Part 1)

The Network and Information Systems Security Act (Wbni), commonly known as the Cybersecurity Act, aims to enhance digital security in the Netherlands. This Cybersecurity Act is based on the European Union's Network and Information Security Directive (NIS Directive), which encourages member states to improve their digital resilience and collaborate more effectively.

Cybercriminals deliberately targeting hospitals that are combating the coronavirus

Healthcare institutions, beware of ransomware

Hospitals and other healthcare institutions, beware of ransomware!

While the entire Netherlands stands in support of healthcare during these challenging times, there are unfortunately individuals who want to take advantage of the situation. Cybercriminals are deliberately targeting hospitals that are tirelessly combating the coronavirus. They are counting on hospitals having less focus on their information security during these busy times, making them vulnerable.

Many crisis plans or business continuity plans stated: teams should exercise annually.

Annual Drills: What a Nonsense!

In many crises plans or business continuity plans, it is stated that teams should exercise annually. Some organizations do this diligently, either due to a strong intrinsic belief in the importance of regular practice or a good routine. However, there are instances when such exercises become an eccentric motivation, as they might be carried out because the regulator, safety authorities, or adherence to a framework mandates it.

The importance of SCADA cybersecurity for company executives and plant managers

The Importance of SCADA Cybersecurity

SCADA cybersecurity is crucial for company executives and plant managers. What aspects are crucial for them when it comes to SCADA cybersecurity?

Allocating Costs Correctly

The ROI of Business Continuity Management

The ROI of Business Continuity Management: Allocating Costs Correctly

It is Business Continuity Awareness Week (BCAW). Every year, the Business Continuity Institute organizes activities worldwide to promote business continuity management (BCM). This year's theme is return on investment. The message is clear: investing in BCM pays off. The benefits include increasing the organization's resilience, safeguarding a solid reputation, and achieving cost advantages. However, many organizations are still hesitant to invest time and money in BCM. My impression is that this hesitation is also caused by a too broad definition of the field: what does your money really go into when talking about BCM? Two points need clarification.

How is the security and privacy?

Which online meeting tool is right?

Which Online Meeting Tool is Right for Your Organization?

The online "meeting jungle" has been a reality for quite some time, and it appears it will remain so for the foreseeable future. Much has changed in the market recently. This update provides a comparison of the "leader" and "challenger" tools according to Gartner, as well as an interesting outsider. The comparison also includes a table with the key features of the discussed meeting tools.

Which online meeting tool is right for your organization?

Strengthen the governance of the digital government

IT-report and IT Audit Statement

it-report-and-it-audit-statement-strengthen-the-governance-of-the-digital-government

NOREA, the professional association of IT auditors, is working on an IT Audit Statement that can assess the cyber resilience of companies. This statement may be required in the future when companies, for example, apply for credit from a bank. Our lead IT auditor, Joep Janssen, is closely involved in this initiative. He explains that such a report and statement are also valuable for the government.

drs. Joep Janssen RE MIM

IT-report and IT Audit Statement strengthen the governance of the digital government

Digital Strategy & Execution

A Highberg customer story: New view on network and telecom infrastructure of Schiphol

Schiphol network and telecom infrastructure

Schiphol Telematics (ST) is the independent telecom operator mainly for aviation companies at and around Schiphol Airport. ST manages an extensive network of cables and connections. The network consists of more than 102,000 cables and 1,700,000 splices, connected via 224,000 pieces of equipment, spread over more than 8,200 locations at Schiphol.

Gregor Hendrikse

New view on network and telecom infrastructure of Schiphol

Declining trend on the public business case: Think before you begin no longer necessary?

Think before you begin no longer necessary?

Society is changing faster and faster, as we all see around us. Is your organization changing fast enough? Is the technical basis for this change in place? Is digitization the solution to my employee shortage? Making choices is necessary, not everything can be done at once, how do I ensure a successful digital transformation? Large long-term transformations in the public sector have a low success rate or are not always successful. From experience, we know how digital transformation can succeed for your organization. Ed van Doorn and Joeri Olierook highlight some findings based on AcICT's advice in recent years. Remarkably, in the past year, the focus on the risk aspect of business cases has decreased and the number of findings on good procurement practices has increased. How do we explain this from our digital transformation practice?

Ed van Doorn

Joeri Olierook

What does Wegiz mean for healthcare providers?

Electronic Data Exchange in Healthcare Act

Wat betekent de Wet elektronische gegevensuitwisseling in de zorg Wegiz voor zorgaanbieders

The Electronic Data Exchange in Healthcare Act (the Wegiz) requires healthcare providers to exchange data electronically from now on. In this way, care is provided to the patient faster and more efficiently. On April 18, 2023, the bill for the Wegiz was unanimously passed by the Senate. Since the law will enter into force on July 1, 2023, the most important questions about the Wegiz will be answered below.

Justine de Boer

What does the Electronic Data Exchange in Healthcare Act (Wegiz) mean for healthcare providers?

The promising privacy standard

Five questions and answers about ISO 27701

Five questions and answers about ISO 27701 the promising privacy standard

In August 2019, ISO 27701 was published. An international standard for privacy management. That sounds promising. Can we now finally get ourselves certified for the GDPR? Actually, the answer to that question is both "yes" and "no". That is not a clear answer, so that requires more explanation.

Martin Zinke

Five questions and answers about ISO 27701, the promising privacy standard

Six Things You Need to Know About the DPO under the PDA

What To Know About the DPO under the PDA

The Police Data Act (PDA) is a privacy law, much like the GDPR, but with some distinct differences. The PDA also introduces the role of a Data Protection Officer (DPO), which differs in certain aspects from the DPO role under the GDPR. Many misunderstandings exist about this so-called PDA-DPO. Below are six key points to know about the PDA-DPO.

Steven Kant

A solution for all your privacy issues!

Privacy by Design

By consistently applying privacy by design, organizations enhance the quality of their data protection and reduce its associated costs. Additionally, employees will become more conscious in handling personal data, and as an organization, you can better justify your choices regarding personal data. In mid-April 2020, the CoronaMelder app was launched. The app, in short, informed people when they had been near someone who tested positive for COVID-19, aiming to address the at that point growing number of infections in the Netherlands. 
Half of the Netherlands was concerned that the government might get access to information about citizens' whereabouts. Fortunately, the app's creators had thought this through: when designing the CoronaMelder app, it was essential that the app be privacy-friendly. With input from numerous privacy specialists, the CoronaMelder app was developed from the outset to offer the most privacy-friendly notification app. An excellent example of effectively applying the privacy by design principle.

How do you conduct a DTIA?

The importance of a DTIA

It is wise to follow these steps when conducting a DTIA

Need help conducting a DTIA? Contact us

Related insights