The processes and services that together make up the critical infrastructure form the foundation on which Dutch society operates. Examples include electricity, internet access, drinking water, and payment systems. The failure, disruption, or manipulation of these processes and services can have major consequences for the functioning of both the Dutch and European economies and societies. In extreme cases, such disruptions can even pose a threat to national security. That is why governments, organisations, and intelligence and security services work continuously together to protect our critical infrastructure.
Protecting critical processes
It is crucial to protect critical infrastructure against all types of threats. This task is becoming increasingly complex due to a changing and diverse threat landscape. Examples include terrorist attacks or cyberattacks, but also natural disasters, espionage, or foreign takeovers of Dutch critical providers.
In addition, the potential impact of threats is growing because critical processes are becoming more interconnected. A disruption in one critical process can quickly have major effects on other critical processes, on an entire sector, or even on national security. For instance, in the event of flooding, the failure of the power supply could impact parts of the internet, hospitals, and households.
The interconnectedness of critical infrastructure offers great advantages, such as opportunities for cooperation and information sharing. However, the interdependence of critical processes can also carry risks. That is why it is important to keep strengthening the resilience of the critical infrastructure as a whole. In doing so, we can turn our interconnectedness into a strength.
The assessment of whether a process or service is considered critical is made by the responsible ministry (policy department). This involves analysing whether a disruption, outage, or manipulation of a process or service could have consequences so severe that they may harm national security. Examples include causing significant economic damage, creating long-term environmental impacts, or severely affecting other vital processes.
Within these processes, one or more organisations – such as (private) companies, independent administrative bodies, and parts of the central government – play an important role in ensuring the continuity and resilience of the process. These organisations are referred to as critical providers. Vital providers are informed of this status by the policy department.
The current critical processes are:
|
Sector |
Critical Processes |
Responsible Ministry |
|
Energy |
Transport, distribution, production, regasification of gas onshore and offshore |
Ministry of Economic Affairs and Climate Policy |
|
Storage, transport, refining, and processing of crude oil and petroleum products | ||
|
Transport, distribution, and production of electricity onshore and offshore | ||
|
Telecommunications | Internet and data services |
Ministry of Economic Affairs and Climate Policy |
| Internet access and data traffic | ||
| Voice service and SMS | ||
| Positioning and timing |
Ministry of Infrastructure and Water Management | |
|
Transport |
Flight and aircraft handling |
Ministry of Infrastructure and Water Management |
| Shipping traffic handling | ||
|
Passenger and freight transport via (main) railway infrastructure | ||
|
Transport via the (main) road network | ||
|
Drinking water |
Drinking water supply | |
|
Water |
Water quantity control and management | |
|
Chemicals |
Large-scale production, processing, and/or storage of (petro)chemicals substances | |
|
Nuclear |
Storage, production, and processing of nuclear material | |
|
Finance |
Point-of-sale payment transactions |
Ministry of Finance |
|
Mass electronic payment transactions | ||
|
High-value interbank payment transactions | ||
|
Securities transactions | ||
|
Government |
Basic registrations of persons and organisations |
Ministry of the Interior and Kingdom Relations |
|
Interconnectivity (transactions infrastructure for information from basic registrations) | ||
|
Electronic messaging and information provision to citizens | ||
|
Public Order and Safety |
Communication with and between emergency services via 112 and C2000 |
Ministry of Justice and Security |
|
Inzet politie | ||
|
Defence |
Defence deployment |
Ministry of Defence |
European Critical Entities Resilience & Network and Information Security Directive
Governments, organisations (both public and private), and intelligence and security services work continuously to protect our critical infrastructure and strengthen resilience. The Aanpak Vitaal (“Policy Approach to Critical Infrastructure”) focuses on enhancing the resilience of critical infrastructure by maintaining continuous insight into potential threats, taking appropriate and proportionate measures, and fostering close cooperation among all relevant parties.
This approach will be formally established in law through the implementation of the European Critical Entities Resilience (CER) Directive into national legislation: the Critical Entities Resilience Act (Wet weerbaarheid kritieke entiteiten, Wwke). Organisations that will fall under the scope of the Wwke will first be formally designated as critical entities by the responsible ministry and informed accordingly.
In parallel, for digital resilience, the implementation of the Network and Information Security Directive (NIS2 Directive) is underway, which will be transposed into national law as the Cybersecurity Act (Cyberbeveiligingswet, Cbw). The Dutch government calls on organisations to prepare for the entry into force of these laws and their underlying regulations.