
Richard van Buuren, Mart Marconi, Jacqueline van der Wielen, Eddy Esselink and Diederik van Batenburg (online)

Cybersecurity legislation calls for action

Cyberattacks can disrupt production, interrupt supply chains and, in extreme cases, threaten food security. During a joint webinar organised by MVO, NOFOTA, The Royal Dutch Grain and Feed Trade Association and the European Groundnut Association (EGA), companies from across the sector received practical guidance on preparing for the Dutch Cybersecurity Act (Cbw), the Netherlands' implementation of the European NIS2 Directive. Speakers from the Netherlands Food and Consumer Product Safety Authority (NVWA), the National Cyber Security Centre (NCSC) and FrieslandCampina shared both the legal requirements of the new legislation and practical experiences from operations.

Following a welcome by Eddy Esselink (MVO), the webinar was opened by moderator Richard van Buuren of the Netherlands Food and Consumer Product Safety Authority (NVWA), who highlighted several cyberattacks that had disrupted production processes and supply chains. According to Van Buuren, these incidents demonstrate that cybersecurity is no longer solely an IT issue. Within the food supply chain in particular, cyber incidents can have far-reaching consequences for production, security of supply and, ultimately, the availability of food.

Image 1: In 2025, the Norwegian dam at Lake Risevatnet was hacked, allowing attackers to open a discharge valve and release more than 7 million litres of water over a four-hour period.

Van Buuren emphasised that cyber incidents are not only caused by sophisticated hackers. Phishing emails, stolen passwords, unsecured remote access and outdated systems can all provide an entry point for attackers. Because many manufacturing companies rely heavily on automated production processes and operational technology (OT), even a relatively minor incident can have major consequences for day-to-day operations.


NCSC support

Mart Marconi of the National Cyber Security Centre (NCSC) outlined the support available to organisations. Through the MijnNCSC portal, organisations can register, monitor vulnerabilities, report incidents and access a wide range of resources, including threat intelligence reports and security advisories. The NCSC also assists organisations during cyber incidents by providing technical analysis, facilitating information sharing and coordinating response efforts.


According to Marconi, organisations should not wait until an incident occurs before taking action. Instead, they should make use of the tools and information already available. Even organisations that do not fall within the scope of the Dutch Cybersecurity Act can benefit from many of the NCSC's knowledge products. Regularly monitoring security advisories and vulnerability notifications can help organisations identify risks at an early stage and take appropriate action before problems arise.


Image 2: The mission of NCSC

Focusing on cybersecurity maturity

On behalf of the Netherlands Food and Consumer Product Safety Authority (NVWA), Jacqueline van der Wielen outlined the regulator's approach to future supervision. The NVWA regards cybersecurity as an essential component of food security and aims to support organisations in improving their level of cybersecurity maturity. Initially, the emphasis will be on helping companies gain insight into their current capabilities and identify areas for improvement. Particular attention will be paid to governance, risk management and incident response. Van der Wielen also highlighted the NVWA's self-assessment pilot, which enables organisations to evaluate their preparedness for the new legislation.


She further explained that the various Dutch supervisory authorities responsible for implementing the Dutch Cybersecurity Act are working closely together to ensure a coordinated approach. Similar cooperation is also taking place at European level, where regulators are sharing knowledge and practical experience with the aim of achieving greater consistency across Member States.


From compliance to resilience

Diederik van Batenburg of FrieslandCampina offered practical insights into how the company is preparing for the new requirements. His key message was that organisations should not view cybersecurity as a one-off compliance exercise, but as an ongoing effort to build organisational resilience.


FrieslandCampina adopted a three-step approach: first establishing effective governance, then mapping critical business processes and systems, and finally implementing targeted improvement measures. The company found that cybersecurity can only be successfully embedded when senior management, business units and IT teams all share responsibility.


Image 3: FrieslandCampina's three-step approach to cybersecurity.

An important lesson from FrieslandCampina's experience is that organisations often focus immediately on technical measures, whereas the logical starting point should be to identify their critical business processes. Which processes must continue to operate under all circumstances? Which systems support those processes? And what would be the impact on customers, suppliers or production if they were to fail? Answering these questions helps organisations set priorities and target investments where they will have the greatest impact.


Van Batenburg also stressed that cybersecurity can only be successfully embedded when senior management and business units are actively involved. Without clear ownership and leadership, cybersecurity too often remains confined to the IT department, even though the consequences of cyber incidents affect the entire organisation.


Cyber exercises remain underused

One of the webinar's most striking poll results was that almost two-thirds of participants had never conducted a cyber incident exercise. The speakers highlighted this as an important area for improvement.


A cyber exercise does not need to be complex. Simply working through a realistic scenario can quickly reveal gaps in responsibilities, communication procedures and business continuity arrangements when systems become unavailable. During the webinar, one example was shared of an organisation that discovered during an exercise that all of its emergency procedures were stored exclusively in digital form. Had its systems actually failed, those procedures would have been inaccessible when they were needed most.


From obligation to action

Ultimately, the Dutch Cybersecurity Act is about more than regulatory compliance. Its purpose is to strengthen the resilience of both individual organisations and the supply chains of which they are part. The message from all speakers was clear: start preparing today. Organisations that invest now in governance, risk management and incident response will not only be better prepared for regulatory oversight, but, more importantly, will be far better equipped to deal with today's cyber threats.

Key takeaways

  • Cybersecurity is not just an IT issue - it is a responsibility shared across the entire organisation.
  • Start by identifying your critical business processes and the systems that support them.
  • Clearly define responsibilities and ownership.
  • Look beyond your own organisation and consider suppliers and supply chain partners.
  • Develop an up-to-date incident response plan and test it regularly.
  • Conduct cyber incident exercises - many organisations still do not.
  • Make use of the support and resources provided by the NCSC and the NVWA.
  • Aim not only for compliance, but for long-term cyber resilience.
