Cyber Security

Data & Cybersecurity Desk

Data & Cybersecurity Desk 1200 675 Ekelmans Advocaten

Privacy and cybersecurity advice

Data, both personal and business data, are your organisation’s crown jewels. It is important to use data commercially in the best possible way while at the same time complying with regulations AND securing your network and information systems. The lawyers at our Data & Cybersecurity Desk advise you on innovative use of data within the rules of data protection and ensuring cybersecurity in your business.


Your organisation processes personal data on a large scale. You need data for your primary processes and at the same time want to comply with all regulations around personal data protection. These two interests are sometimes difficult to reconcile.

In many processes, the use of (sensitive) personal data is indispensable for your own business operations, to provide a good service to your customers and to develop new products and services.

Expert advice on personal data protection
The legislation governing these processing operations is complex, especially when it comes to special personal data. You must comply with the strict obligations of the General Data Protection Regulation (AVG/GDPR) and the General Data Protection Regulation (UAVG) Implementation Act, sectoral regulations and your industry’s codes of conduct. Financial institutions, such as insurers, also have to deal with the Financial Supervision Act (Wft) and far-reaching Know Your Customer (KYC) obligations.

Even when applying innovative technological developments such as Artificial Intelligence (AI), digital identity, Self-Sovereign Identity (SSI) and synthetic data, your organisation has to deal with privacy rules and European agreements, such as, for example, the AI Act.

As an employer, you also have a responsibility to handle your staff’s data properly, for instance in case of screening or monitoring of your (prospective/ex-) employees.
The lawyers at our Data & Cybersecurity Desk will find the solution for you to make the best commercial use of personal data while safeguarding the privacy of those involved.

Personal data indispensable for service provision

Netwerk- en informatie-
systemen onmisbaar voor bedrijfsvoering


Digital transformation is leading to an expansion of cyber threats. The risk of a cyber attack is real, resulting in business downtime, financial loss and reputational damage.

There is also the risk that, in the event of a cyberattack, company data and personal data could end up in the wrong hands. Even if you already have your organisation well set up when it comes to information security and privacy, your organisation will run into complex questions. Especially now that you are facing a range of new legislative initiatives from the European Union, such as the Network and Information Security 2 Directive (NIS2), the Digital Operational Resilience Act (DORA) and the Cyber Resilience Act (CRA).

These regulations bring far-reaching new obligations. Obligations that not only affect your organisation, but also make you personally liable as a director.

All-round legal advice on cybersecurity
Our cybersecurity experts are happy to think with you about the impact of cybersecurity on your operations and help you implement cybersecurity legislation in your organisation.

Among other things, we provide recommendations for implementing risk management measures and carrying out risk assessments within your company. We help you meet reporting requirements and provide assistance in cyber incidents. Our Data & Cybersecurity Desk provides all-round support that optimally safeguards the interests of both your organisation and you as a director.

Broad expertise: (inter)national knowledge network

The Data & Cybersecurity Desk has an extensive track record. Our clients include financial institutions, medical care providers, (health) insurers, fast food chains, leading industry organisations and large employers.

International network
Our membership of two international networks of law firms (Legalink and ILG) allows us to move quickly even on cross-border issues and connect you to experts abroad.

(In-house) presentations and customised workshops
Moreover, we are happy to share our knowledge. Besides providing concrete assistance, we can provide tailor-made (in-house) presentations for your organisation on various privacy and cyber issues and the possibilities of using innovative developments to optimise the rewards of your data use.

(Inter)national knowledge network

Heeft u een vraag of wilt u meer weten?

Neem dan gerust contact met ons op. Wij helpen u graag. Als u het contactformulier invult, dan bellen wij u terug. U kunt natuurlijk ook rechtstreeks contact opnemen met één van onze specialisten.

Privacy Desk

Team van specialisten

Our lawyers work with you within compact teams of specialists. They know your practice and have the expertise to think and advise you quickly and to the point.

NIS2 directive – Network and Information Security Directive 2

NIS2 directive – Network and Information Security Directive 2 525 400 Ekelmans Advocaten
Blog afbeelding (500 x 400 px) (22)
Leestijd: 4 minuten
Lesedauer: 4 Minuten
Reading time: 4 minutes

The NIS2 directive will soon come into force in the Netherlands. It is the successor to NIS Directive and focuses on risks that threaten network and information systems, such as cyber security risks. Organisations covered by the NIS2 directive will have to comply with the duty of care and notification obligations from then on. In this blog, lawyer Anne-Mieke Dumoulin-Siemens discusses what the directive entails, what it means for your organisation and what preparations your organisation can already make.

Cyber security deserves attention

Companies are facing increasing digitalisation and cyber incidents. At EU level, cybersecurity challenges are being addressed with a range of new regulations. For instance, the NIS 2 Directive has been in force for some time. The Network and Information Security Directive 2 (NIS2) aims to improve the cyber security and digital resilience of organisations in EU member states. The NIS2 Directive contains minimum requirements and must be implemented in Dutch legislation by 17 October 2024 at the latest. From that date, sectors designated in the directive must comply with the obligations in the NIS2 directive as they will then be laid down in Dutch legislation.

NIS2 directive has wide scope of application

NIS2 directive applies to a wide range of sectors, such as healthcare, transport and energy providers. Supermarkets, water management companies and digital providers should also prepare for the obligations in the NIS2 directive. The NIS2 directive includes sectors of high criticality and other critical sectors. There are 11 sectors of high criticality: energy, transport, banking, financial market infrastructure, healthcare, drinking water, waste water, digital infrastructure, ICT services management, public administration and space. In addition, the NIS2 directive has seven other critical sectors: postal and courier services, waste management, chemical industry, food industry, manufacturing industry, digital providers, research. Organisations that fall under any of these sectors must implement risk management measures and comply with cybersecurity reporting requirements.

How do you know if your organisation is covered by the NIS2 directive?

The organisation must belong to one of the sectors of high criticality or other critical sectors. In addition, the size of the organisation is important and whether the organisation plays a key role in society. If it turns out that the NIS 2 directive applies, you need to consider whether your organisation is an ‘essential’ or ‘important’ organisation. The Dutch government has prepared an online self-assessment NIS 2 Self-assessment NL ( you may wish to use this self-assessment to determine whether the NIS 2 directive applies to your organisation.

What measures are we talking about?

In short, organisations should take appropriate technical, operational and organisational measures to improve their organisation’s cyber security and digital resilience. Organisations should identify cyber risks and adjust the security level of their network and information systems accordingly. For instance, large companies exposed to high risks should take more measures than a small business where the likelihood of an incident with high social and economic impact is small. Cyber security measures should include incident handling, back-up management, supply chain security, cyber hygiene, staff training, access policies and policies to measure the effectiveness of these measures.

What other obligations does the NIS 2 Directive impose?


The NIS 2 directive leaves the responsibility for cyber measures to the directors. The governing bodies of essential and important organisations must approve the security measures taken and oversee their implementation. Directors can be held personally liable for breaches of security obligations. Directors must undergo training to acquire sufficient knowledge to identify cyber risks and assess their consequences.

Reporting obligations/reporting obligation

Essential and important organisations must report without delay any incident that has a significant impact on the provision of its services. This could include incidents that cause or may cause serious operational disruption of services or financial losses to the organisation concerned. Consideration could also be given to incidents that cause or may cause significant material or financial damage to other (legal) persons. An initial notification must be made to the competent authorities within 24 hours, followed by an update no later than 48 hours after the initial notification. Note that reporting is also required if an incident may have significant consequences.

What preparations can organisations make in advance?

The Dutch government is in the process of transposing the NIS2 directive into Dutch law. A bill has not yet been published. At the moment, it is only clear which minimum requirements will have to be met, as these are apparent from the NIS2 directive.

Pending embedding in national legislation, the following steps could be taken:

  • Use the self-assessment NIS 2 Self-assessment NL ( to determine whether your organisation falls under the scope of the NIS2 directive.
  • Map to which extent the board meets its governance obligations.
  • Establish the quality of existing technical, operational and organisational security measures, including monitoring mechanisms.
  • Determine whether the organisation can comply with reporting requirements and notification obligations.

Questions or advice on the NIS2 Directive and implementation?

If you need further clarification on the governance obligations or if you have questions on the reporting obligations and notification requirements, please contact Anne-Mieke Dumoulin-Siemens.

Cyber security

Your organisation has a great deal of confidential data. That is not just personal data — increasing amounts of company information are now available electronically as well. All this data is extremely valuable; if it ended up in the wrong hands, this could lead to serious commercial and reputational damage. The lawyers at our Privacy Desk will gladly examine the impact of cyber security on your business operations with you.


We use cookies to make sure that our website functions smoothly. If you continue to use the website, we assume that you consent to the cookies.