Strategy & Change

Risk, Resilience & Compliance

Eight Things You Need to Know About NIS2

The European Union (EU) is deeply concerned about the cybersecurity of organizations within vital sectors. The EU has introduced the Network and Information Security 2 Directive (hereinafter: NIS2) to enhance the cyber resilience of these organizations. Organizations within vital sectors are obligated to comply with NIS2 from October 18, 2024. Organizations belong to the vital sector when their service provision (temporarily) disrupts and has a significant impact on the economy and society.
In this Insight, you will read about the eight things you absolutely need to know about NIS2.

Nino van Leeuwen

Shankar Sahtie

Netherlands

Digital

Data & AI

Government and Public Sector

Most important obligations in the AI Act: how to comply now?

Break through in regulation of AI: The AI Act

This text is translated from Dutch with the help of AI - On December 8, 2023, the European Union reached a preliminary political agreement on the Artificial Intelligence Regulation (hereafter referred to as the AI Act). The final text is formal approved by the European Parliament. 20 days after official publication the AI Act will enter into force. This landmark legislation marks the EU's first step towards regulating artificial intelligence, targeting developers, distributors, and users of AI systems, including those systems used for predictions, classifications, and analyses.
The potential impact on governments and businesses deploying AI systems is significant. In this insight, we'll walk you through the key obligations, how they affect your organization, and proactive steps you can take to ensure compliance.

Sabine Steenwinkel-den Daas

Germany

France

Discover the importance of data subject rights under the GDPR

Why the rights of data subjects are important

Waarom de rechten van betrokkenen onder de AVG zo belangrijk zijn

In today's digital world, personal data is everywhere. The General Data Protection Regulation (GDPR) grants individuals specific rights regarding their personal data. But why are these rights so important, even if people rarely actively use them?

Frank van Vonderen

Why the rights of data subjects under the GDPR are so important?

Discover the crucial privacy requirements to consider when selecting a SaaS provider

Privacy requirements for a SaaS supplier

Essentiële privacy eisen voor het kiezen van een Saa S leverancier

Choosing a SaaS provider is a decision that goes beyond just functionality and price. In a world where data is one of the most valuable assets of an organization, privacy and data protection are becoming increasingly important. But what are the key privacy requirements that a SaaS provider must meet?

Essential privacy requirements for choosing a SaaS supplier

Privacy by Design: protection at the heart of algorithms

Is Privacy by Design important in algorithms?

Privacy by Design: Protection at the heart of algorithms

What is Privacy by Design?

Privacy by Design is a strategy that focuses on integrating privacy protection into technological products and systems from the outset. This approach means that privacy is a fundamental part of the design process, rather than an addition or adjustment made afterwards.

How can organizations make privacy by design concrete and actionable?

Het concreet maken van Privacy by Design

Making Privacy by Design Concrete: Practical Steps for Implementation

In today's digital age, where data is ubiquitous and privacy concerns are at the forefront, incorporating privacy by design principles into the development of products and services is paramount. Privacy by design refers to the practice of considering privacy and data protection from the outset of the design process, rather than as an afterthought. But how can organizations make privacy by design concrete and actionable?

Learn how your organization must act in the event of a data breach, under the GDPR

Navigating a data breach: step-by-step

A data breach is like an unexpected storm in the world of data protection. It can happen to anyone, but rest assured: the GDPR offers an umbrella in this storm. This blog guides you step by step through the process of managing a data breach according to the GDPR, so your organization can quickly become dry and safe again.

Organizations are required to keep such a register, what are the benefits?

Benefits of register of processing operations

What is a Record of Processing Activities (RoPA)?

What is a Record of Processing Activities (RoPA)?


A Record of Processing Activities is a detailed overview in which organizations document how personal data is processed. This includes information about the types of data collected, the purpose of the processing, with whom the data is shared, and how it is secured. According to the GDPR (General Data Protection Regulation), organizations are required to maintain such a record.

Benefits of a register of processing operations under the GDPR

Are your actions complying with the GDPR? This guide will help you navigate the GDPR

How to know if it's allowed under the GDPR?

How to know if something is allowed under the GDPR

Since its introduction in 2018, the General Data Protection Regulation (GDPR) has brought about many changes in how companies handle personal data. However, understanding the GDPR can be challenging, and it is often not immediately clear whether certain actions are allowed. This blog post provides a clear explanation of how you can determine if your practices are in line with the GDPR.

How to know if something is allowed under the GDPR: a practical tool

Having a DPO is essential to comply with the General Data Protection Regulation (GDPR)

How to find a DPO that fits your organization

Hoe vind je een Functionaris Gegevensbescherming (FG) die perfect bij je organisatie past

In an era where data protection and privacy are becoming increasingly important, finding a suitable Data Protection Officer (DPO) becomes a crucial task for many organizations. Whether it's a large corporation, an SME, or a non-profit organization, having a competent DPO is essential to comply with the General Data Protection Regulation (GDPR). But how do you find a DPO who fits perfectly with the needs and culture of your organization? Here are some tips.

How to find a Data Protection Officer (DPO) that fits your organization perfectly

Creating a data transfer impact assessment: a step-by-step guide

The importance of a DTIA

Hoe voer je een DTIA uit

In the era of globalization and digital expansion, data is continuously sent around the world. As a result, a Data Transfer Impact Assessment (DTIA) has become essential. This assessment helps organizations evaluate the risks and compliance requirements associated with transferring personal data across borders. In this blog, we will take you step by step through the process of creating an effective DTIA.

How do you conduct a DTIA?

How policymakers can make ethical and measurable trade-offs when using AI and algorithms

The Importance of an Ethical Framework

Welcome to the Dynamic World of AI and Algorithms! These technologies are transforming our lives, but they also bring ethical challenges. How do we ensure that AI is fair, transparent, and accountable? We focus on establishing an ethical framework for policymakers and the general public, with steps and criteria for ethical considerations in the world of AI.

When is protection truly effective? How can you measure it?

Status information Security & Privacy Policy

How Effective Is Your Information Security and Privacy Policy? Measure It!

In today's increasingly digital world, effective information protection is a pressing concern. It's common to discuss information security and privacy, but when is protection truly effective? How can you measure it? Often, we measure that we are doing the right things (compliance), but not whether data is effectively protected. However, in practice, the latter is the most crucial aspect. After all, you do these things to prevent data breaches or information security incidents.

Marlijn Mulder

The question is not whether there will be casualties as a result of a cyberattack but when

Vulnerability SCADA to Cybersecurity Attacks

Vulnerability of SCADA Systems to Cybersecurity Attacks

Many different organizations and companies use SCADA/ICS (Supervisory Control and Data Acquisition/Industrial Control Systems) systems in various ways in their primary (production) processes or products. This includes manufacturing companies, control of bridges and locks, electric cars, equipment in intensive care units, as well as pacemakers and wireless insulin pumps. IoT (Internet of Things) is also playing an increasingly significant role in this context.

Koos van der Spek

Is a new trend emerging in the world of hackers: data leaks as a business model?

Data Leaks as a Business Model?

Cyber Extortion: Data Leaks as a Business Model?

Is a new trend emerging in the world of hackers: data leaks as a business model? With the worst of the GDPR (General Data Protection Regulation) storm settling down and the era of "can't do it, it's against GDPR" hopefully behind us, hackers are discovering a new source of income: fear of fines.

Bart Giesbers

Where lies the Ownership of Risks and Measures in Information Security?

Ownership of Risks in Information Security

Information security is everyone's responsibility! Most people who have ever been an audience member for a presentation on this subject have heard the above statement at some point. It's a true statement but one that remains somewhat cryptic in practice for many.

Steven Debets

Other organizations have realized that it would have been handy if there had been a BCP.

Questions Your BCP Should Answer

Over the past few weeks, many organizations have been able to put their business continuity plans (BCP) into practice. Other organizations have realized that it would have been handy if there had been a BCP. Which category does your organization fall into? In any case, we've all been busy brainstorming scenarios and gathering data to gain control over the things coming our way.

We've selected five measures that you should take to enhance your cyber resilience.

Five Measures to Increase Cybersecurity

Five Essential Measures to Increase Cybersecurity and Cyber Resilience

Companies and governments will need to pay much more attention to cyber resilience to prevent serious damage in the future.

Organizational

Cyber incidents are having an increasingly significant impact: Reduce this response time.

Cyber Crisis Management: Joint Responsibility

Cyber Crisis Management: A Joint Responsibility

In two-thirds of organizations, it takes a minimum of two hours to take action after discovering a cyber incident. For one-fifth of organizations, it takes more than four hours. This information comes from the international study Cyber Resilience 2016 by the Business Continuity Institute. Considering that cyber incidents are having an increasingly significant impact, it's essential to reduce this response time. But what causes so much time to be lost?

Increasingly concrete threats posed by the digitally interconnected world.

Cloud Strategy & Security: Collaboration?

Cloud Strategy and Security: Seeking Collaboration

Cybersecurity is the central theme of this year's Business Continuity Awareness Week, and it's no wonder. Individuals and businesses are feeling more vulnerable than ever due to the increasingly concrete threats posed by the digitally interconnected world.

Part 2 addresses the disadvantages, risks, and possible next steps.

Digital Euro: A Blessing or a Curse? Part 2

The Digital Euro: A Blessing or a Curse? Part 2 – Disadvantages, Dangers, and Next Steps

This is Part 2 of a two-part series of articles on the digital euro. Part 1 discussed the background and emergence of the digital euro and its potential advantages (you can read Part 1 here). Part 2 addresses the disadvantages, risks, and possible next steps.

Paul Helmich

This part covers the background and rise of the digital euro and its potential benefits.

The Digital Euro: Blessing or Curse? Part 1

The Digital Euro: Blessing or Curse? Part 1 – Background, Rise, and Benefits

This is Part 1 in a series of 2 articles about the digital euro. This part covers the background and rise of the digital euro and its potential benefits. Part 2 discusses the drawbacks, risks, and possible next steps (you can read Part 2 here).

In this blog, you will learn what you absolutely need to know about DORA.

Seven Things You Need to Know About DORA

The European Union (EU) is deeply concerned about IT risks and cybersecurity in financial sector organizations. They respond with the Digital Operational Resilience Act (DORA) to the increasing digitization within the financial sector and the growing threats from (cyber)criminal organizations and hostile powers.

How do we address the ongoing vulnerability of these systems?

Security of SCADA: Which Standard to Choose?

The Security of SCADA: Which Standard to Choose?

Recently, the results of a study by the University of Twente on the security of Dutch SCADA systems were presented. The research once again revealed that the security of these systems is far from adequate. Hundreds of components of SCADA systems with direct connections to the internet were found, which is a security risk. The question is, how do we address the ongoing vulnerability of these systems?

Floris Baauw

It is interesting to note that hackers are increasingly targeting the medical sector.

Security in the Biomedical Sector

Is There Also Attention to Security in the Biomedical Sector?

In January of this year, documents related to the Pfizer/BioNTech vaccine were published by hackers. These documents were obtained from the European Medicines Agency (EMA) while it was in the process of approving the Pfizer/BioNTech vaccine for the European market. Various media outlets subsequently claimed that a state actor was behind the hack. Whether it was a state actor, a hacking collective, or a lone wolf, it is interesting to note that hackers are increasingly targeting the medical sector.

Part two delves deeper into the reporting obligations under the Cybersecurity Act

Cybersecurity Act Focuses on BCM - Part 2

The Network and Information Systems Security Act (Cybersecurity Act) Focuses on Business Continuity Management (Part 2)

The Network and Information Systems Security Act (Wbni), commonly known as the Cybersecurity Act, aims to enhance digital security in the Netherlands. This Cybersecurity Act is based on the European Union's Network and Information Security Directive (NIS Directive), which encourages member states to improve their digital resilience and collaborate more effectively. In this two-part series, we focus on this new legislation. In our previous blog, we discussed who this legislation applies to and what mandatory measures are required. Part two of our series delves deeper into the reporting obligations under the Cybersecurity Act.

The Network and Information Systems Security Act (Cybersecurity Act) (part 1)

Cybersecurity Act Focuses on BCM - Part 1

The Network and Information Systems Security Act (Cybersecurity Act) Focuses on Business Continuity Management (Part 1)

The Network and Information Systems Security Act (Wbni), commonly known as the Cybersecurity Act, aims to enhance digital security in the Netherlands. This Cybersecurity Act is based on the European Union's Network and Information Security Directive (NIS Directive), which encourages member states to improve their digital resilience and collaborate more effectively.

Cybercriminals deliberately targeting hospitals that are combating the coronavirus

Healthcare institutions, beware of ransomware

Hospitals and other healthcare institutions, beware of ransomware!

While the entire Netherlands stands in support of healthcare during these challenging times, there are unfortunately individuals who want to take advantage of the situation. We are seeing cybercriminals deliberately targeting hospitals that are tirelessly combating the coronavirus. They are counting on hospitals having less focus on their information security during these busy times, making them vulnerable.

Many crisis plans or business continuity plans stated: teams should exercise annually.

Annual Drills: What a Nonsense!

In many crisis plans or business continuity plans, it is stated that teams should exercise annually. Some organizations do this diligently, either due to a strong intrinsic belief in the importance of regular practice or a good routine. However, there are instances when such exercises become an eccentric motivation, as they might be carried out because the regulator, safety authorities, or adherence to a framework mandates it.

The importance of SCADA cybersecurity for company executives and plant managers

The Importance of SCADA Cybersecurity

In my previous blog, I mentioned that I would delve further into the various aspects of our "SCADA Cybersecurity Poster." In this blog, I will discuss the importance of SCADA cybersecurity for company executives and plant managers. What aspects are crucial for them when it comes to SCADA cybersecurity?

Allocating Costs Correctly

The ROI of Business Continuity Management

The ROI of Business Continuity Management: Allocating Costs Correctly

It's Business Continuity Awareness Week (BCAW). Every year, the Business Continuity Institute organizes activities worldwide to promote business continuity management (BCM). This year's theme is Return on Investment. The message is clear: investing in BCM pays off. The benefits include increasing the organization's resilience, safeguarding a solid reputation, and achieving cost advantages. However, many organizations are still hesitant to invest time and money in BCM. My impression is that this hesitation is also caused by a too broad definition of the field: what does your money really go into when talking about BCM? In this blog, I describe two points that need clarification.

How is the security and privacy?

Which online meeting tool is right?

Which Online Meeting Tool is Right for Your Organization?

The online "meeting jungle"... We've been dealing with it for quite a while now, and it seems we'll still need it for a while. A while ago, I wrote a blog about how to work securely from home. Meanwhile, a lot has changed in the market. Therefore, this blog provides an update on our previous research, including a comparison of the "leader" and "challenger" tools according to Gartner and an interesting outsider. The comparison also includes a handy table with the key features of the discussed meeting tools.

Strengthen the governance of the digital government

IT-report and IT Audit Statement

it-report-and-it-audit-statement-strengthen-the-governance-of-the-digital-government

NOREA, the professional association of IT auditors, is working on an IT Audit Statement that can assess the cyber resilience of companies. This statement may be required in the future when companies, for example, apply for credit from a bank. Our lead IT Auditor, Joep Janssen, is closely involved in this initiative. He explains that such a report and statement are also valuable for the government.

drs. Joep Janssen RE MIM

IT-report and IT Audit Statement strengthen the governance of the digital government

Digital Strategy & Execution

Technology and Telecommunications

A Highberg customer story: New view on network and telecom infrastructure of Schiphol

Schiphol network and telecom infrastructure

Schiphol Telematics (ST) is the independent telecom operator mainly for Aviation companies at and around Schiphol Airport. ST manages an extensive network of cables and connections. The network consists of over 102,000 cables and 1,700,000 splices, connected via 224,000 pieces of equipment, spread over more than 8,200 locations at Schiphol.

Gregor Hendrikse

New view on network and telecom infrastructure of Schiphol

Declining trend on the public business case: Think before you begin no longer necessary?

Think before you begin no longer necessary?

Society is changing faster and faster, as we all see around us. Is your organisation changing fast enough? Is the technical basis for this change in place? Is digitisation the solution to my employee shortage? Making choices is necessary, not everything can be done at once, how do I ensure a successful digital transformation? Large long-term transformations in the public sector have a low success rate or are not always successful. From experience, we know how digital transformation can succeed for your organisation. In this blog, Ed van Doorn and Joeri Olierook highlight some findings based on AcICT's advice in recent years. Remarkably, in the past year, the focus on the risk aspect business cases has decreased and the number of findings on good procurement practices has increased. How do we explain this from our digital transformation practice?

Ed van Doorn

Joeri Olierook

What does Wegiz mean for healthcare providers?

Electronic Data Exchange in Healthcare Act

Wat betekent de Wet elektronische gegevensuitwisseling in de zorg Wegiz voor zorgaanbieders

The Electronic Data Exchange in Healthcare Act (the Wegiz) requires healthcare providers to exchange data electronically from now on. In this way, care is provided to the patient faster and more efficiently. On April 18, 2023, the bill for the Wegiz was unanimously passed by the Senate. Since the law will enter into force on July 1, 2023, the most important questions about the Wegiz will be answered below.

Justine de Boer

What does the Electronic Data Exchange in Healthcare Act (Wegiz) mean for healthcare providers?

The promising privacy standard

Five questions and answers about ISO 27701

Five questions and answers about ISO 27701 the promising privacy standard

In August 2019, ISO27701 was published. An international standard for privacy management. That sounds promising. Can we now finally get ourselves certified for the GDPR? Actually, the answer to that question is both "yes" and "no". That is not a clear answer, so that requires more explanation.

Martin Zinke

Five questions and answers about ISO 27701, the promising privacy standard

Six Things You Need to Know About the DPO under the PDA

What To Know About the DPO under the PDA

The Police Data Act (PDA). A privacy law, much like the GDPR, but with some distinct differences. The PDA also introduces the role of a Data Protection Officer (DPO), which, however, differs in certain aspects from the DPO role under the GDPR. In my work, I frequently encounter misunderstandings about this so-called PDA-DPO. Below, I discuss 6 key points you should know about the PDA-DPO.

Steven Kant

A solution for all your privacy issues!

Privacy by Design

Privacy by Design A Solution for All Your Privacy Issues

By consistently applying privacy by design, organizations enhance the quality of their data protection and reduce its associated costs. Additionally, employees will become more conscious in handling personal data, and as an organization, you can better justify your choices regarding personal data. In mid-April 2020, the CoronaMelder app was launched. The app, in short, informed people when they've been near someone who tested positive for COVID-19, aiming to address the at that point growing number of infections in the Netherlands.
Half of the Netherlands was concerned that the government might get access to information of citizens' whereabouts. Fortunately, the app's creators had thought this through: when designing the CoronaMelder app, it was essential that the app be privacy-friendly. With input from numerous privacy specialists, the CoronaMelder app was developed from the outset to offer the most privacy-friendly notification app. An excellent example of effectively applying the privacy by design principle.

Laura Natrop

Privacy by Design: a solution for all your privacy issues!

The Data Protection Officer (DPO) is surrounded by many misconceptions.

Five myths about the data protection officer

The Data Protection Officer (DPO), formerly referred to as the Functionaris Gegevensbescherming (FG), is surrounded by many misconceptions. To clarify matters, we have compiled a top five list of common myths that we will debunk right away.

One of the important "control mechanisms" for GDPR compliance is data subjects.

Data subject rights: are you an open book?

Data subject rights are you an open book

One of the important "control mechanisms" for GDPR compliance is the fact that data subjects can practice certain rights. These rights not only ensure that data subjects remain in control of their personal data, but they also act as an important check for your organization. Can you respond adequately to a data subject's request? Do you have a quick overview of the personal data the data subject requests? Do you know which systems contain these personal data? In short, it’s time to be an open book!

Courtney Don

Not infrequently, I see battles between data scientists and privacy professionals.

Data and privacy professionals: unite!

Data and privacy professionals unite

Not infrequently, I see battles between data scientists and privacy professionals within organizations. And in these conflicts, the struggle isn't over traditional causes like land, religion, or honor, but rather over data minimization (how much data is needed), storage (how long to retain data), and legal basis (is this even permissible). With heated discussions, smokescreens, and rear-guard debates, they engage in combat. But in battles, there are rarely winners. Not in this fight either.

It's natural to ask that one question: "Are we now 100% compliant?"

100% Privacy compliance is not possible

100 Privacy compliance is not possible

Many entrepreneurs and executives shudder at the thought of the fines and liabilities associated with GDPR. So, it's natural to ask that one question: "Are we now 100% compliant?"

4 tips to prevent discrimination by algorithms

Preventing discrimination by algorithms

No discussion about algorithms goes by without the word 'discrimination' being mentioned. Understandably so, as there are now numerous unfortunate examples where people suffer greatly from decisions made based on algorithms. And this harm sometimes goes so far as to disrupt or destroy lives. That is, of course, unacceptable – but how can you maintain control over discrimination by algorithms? 
The bad news: discrimination is inherently linked to algorithms. Why? The original meaning of discrimination comes from Latin. To discriminate means to 'distinguish.' Only later was another meaning added to the word 'discrimination,' namely that someone is treated unequally based on discrimination.

Right of access includes the right to know the identity of recipients

The facts

Preliminary question to the Court

Considerations of the Court

More information?

Related insights