How to prepare for the Dutch coalition agreement: Education, training and practice

The coalition agreement proposed by D66, VVD, and CDA reiterates a now familiar message: the Netherlands must actively prepare for increasingly sophisticated digital threats. These threats come from both digital criminals, such as ransomware groups seeking financial gain, and hybrid geopolitical threats linked to international tensions. The parties do not place the responsibility for preparing for these threats solely with the national government and critical infrastructure such as our water and power supplies; commercial companies, SMEs, and regional (security) organizations must also prepare for these risks. In doing so, the coalition parties are following a line previously set at European level with the NIS2 Directive, which will be translated into the Cybersecurity Act in the Netherlands.

Specifically, the coalition agreement states the following: 
“Cyberattacks, digital espionage, and disinformation pose direct threats to our economy, democracy, and national security. The threat comes from state actors, cybercriminals, and large-scale influence campaigns, and is becoming faster, smarter, and more scalable thanks to AI. That is why vital organizations and the government must be demonstrably cyber-resilient, so that we can prevent social disruption.”
and 
“We are opting for active preparation for large-scale digital attacks by conducting exercises with the government, SMEs, and vital sectors, by encouraging ethical hackers, and by facilitating the rapid and targeted exchange of threat information between the government and the business community.” (page 59)

The new coalition agreement therefore gives cyber resilience a clear direction: organizations must not only have plans on paper, but also actually practice their crisis response skills in the event of large-scale attacks. Although the Cybersecurity Act, which sets similar requirements, is not expected to come into force until the second quarter of 2026, the coalition emphasizes that organizations must take steps now.

The urgency stems from the increasing threats, but this topic is also important because without practice, an organization can never really know if it is prepared for a crisis. In practice, we see that many organizations have plans, but that employees are not trained and only discover where the problems lie during a crisis: unclear mandates, dependencies on suppliers, and incomplete decision-making because information is missing or not properly analyzed. With consistent practice, these potential problems can be identified in time, considered, and remedied where necessary, even before a crisis actually occurs.

This practical experience is also reflected in the sectoral exercises in which Bureau Veritas is involved. In the FLECS program for the offshore wind sector, for example, Exercise Windshield clearly demonstrated how dependent organizations are on each other and how quickly an incident can escalate throughout the chain. Participants discovered how difficult it is to maintain an overview when operational systems, suppliers, and regulators all demand attention at the same time, but also how valuable it is to encounter this in a training environment rather than in real life.

For many organizations, this is exactly the change that is needed: from paper planning to the constant improvement of crisis capabilities through education, training, and practice. This practice significantly helps teams, managers, and chain partners discover where they stand and how they can act more quickly when a crisis actually occurs. It also ensures that business continuity and crisis management can be guaranteed in a PDCA cycle. That is also the core of our vision at Bureau Veritas Cybersecurity. Education, training, and practice form a whole. Not separate sessions, but a continuous approach in which policy, crisis structure, and technical response reinforce each other. Our crisis services are aimed not at testing organizations on a one-off basis, but at bringing about real structural improvement, making it measurable and thereby strengthening cyber resilience.

The coalition agreement emphasizes that tackling cyber resilience is a joint task in which education, training, and practice are prerequisites for improvement.