5.1 Introduction

On 24 June 2019, an hour-long outage hit the Dutch emergency number 112 and 0900–8844, the national police telephone line. It was also impossible to contact hospitals, municipalities, and companies for some time. The primary system of KPN – the telecom provider – was out of action while three back-up systems failed. The incident, which according to KPN was probably due to a software error, once again revealed the vulnerability of facilities in the physical world to digital failures. It also underlined the report’s central message: the need to be better prepared for incidents involving a digital dimension. These incidents are all the more critical when they are not limited to the digital domain, but have potentially disruptive consequences in the physical world and for confidence in the core institutions of society.

This incident in the Netherlands made it painfully clear how much the government depends on private parties for the continuity of critical processes, and how much these private parties depend on the services and facilities of external suppliers. Even more worryingly, the authorities, including the central government, were insufficiently prepared. There was no off-the-shelf emergency plan for an outage of the emergency number, while parties were unable to communicate to coordinate their response. It took 75 min before an alternative emergency number was distributed; an incorrect number was given out first, and not everyone received a notification from NL-Alert, the Dutch digital alarm system, on their mobile device. There had already been problems with the emergency number in 2012. The government minister responsible at the time had issued reassurances that this would not happen again. And yet it happened, showing that no system is 100% fail-safe. Apparently, even identical forms of disruption cannot be ruled out.

The previous sections focused on society’s preparedness for digital disruption. We then analysed why the existing set of instruments does not adequately address such forms of disruption. In this concluding section, we offer suggestions for steps to improve our preparedness. These are intended for the government, particularly for the national government. Since many other national governments around the world face similar challenges, our recommendations will, at least in some form, apply to them too. Sections 5.5.2 and 5.5.3 present our main conclusions. The subsequent sections contain our recommendations, which we discuss based on the four stages of preparedness, detection, mitigation, and recovery and reconstruction.

5.2 New Types of Disruption

The phenomenon of societal disruption has always been with us and can have a range of causes. Increasingly, the disruption or failure of digital services and facilities is one of these causes. This report has left aside questions about the likelihood and probable impact of digital disruption; such risk assessments are already available. As evidenced by numerous incidents in the Netherlands and elsewhere, the probability that digital disruption will occur is high enough to warrant planning how we will respond. The growing scale, spread and impact of digital incidents, together with their rising costs and economic implications, mean that the trust that citizens, organizations and companies have in digital technologies is at stake.

Given the dependence on advanced digital technology across the breadth of our society and economy, the consequences of disruption go beyond the domain of ‘traditional’ information technology and cyber security. Digitization has blurred the distinction between the ‘digital realm’ and the ‘physical realm’. The boundaries between companies and organizations – now interconnected by countless systems and networks – have become more diffuse. Digital disruption today means much more than the failure of isolated digital systems. This new reality, however, is not adequately acknowledged by companies, organizations, the government and politicians.

More and more societal and economic processes are based on interconnected flows of data and information. Developments such as ‘datafication’, the huge increase in the power and capabilities of computers, and the complex web of interconnections between systems around the world mean that the physical realm is now inextricably bound up with the digital realm. Virtually all of society’s core processes – including our power supply, the processing of payments, flood defences and healthcare systems – now depend on the exchange of data and digital systems linked to wider networks including the internet. Interdependence is therefore built-in and must be considered, both when preparing for and combating incidents that involve our digital infrastructure. It is no longer sufficient to leave the implementation of protection measures to individual organizations, or for them to practise responding to cyber incidents within their own company or sector. The weakest link in the chain, which could allow an incident to occur, could be almost anywhere in the world.

Digitization is changing the scale and dynamics of disruptive incidents. This is due not only to the highly interconnected nature of digital infrastructure, but to the use of unsafe, generic software and hardware, network dependencies, and the sometimes inadequate protection of systems and data. Complex, often opaque and cross-border production and supply chains provide malicious actors with myriad opportunities to disrupt social and economic processes, or even to bring them to a halt. Digital disruption can occur at lightning speed, affecting a large number of organizations and sectors around the world; it can also result from dormant processes that go unnoticed for long periods of time or are unclear in scope. Both may shake confidence in our state institutions, democracy and constitution, as members of society perceive the government has insufficient control over the digital realm. If disruption strikes, it is not clear in advance whether it is the government’s responsibility to take action, and if so, which part of government. And yet, a swift response may be required to limit the damage.

Digitization has in many ways undermined the relevance of geographical borders. Numerous incidents have shown that problems can simultaneously lead to disruption in many countries. Digital disruption must therefore be addressed by international bodies, including the European Union. But cross-border digitization does not mean that individual countries have no role in addressing its attendant threats. Some disruptions are limited to the national level, such as the disruption of KPN’s telephone system in the Netherlands. One key lesson is that digital disruption – however abstract it may seem – will ultimately always have local consequences. Finally, for contingency measures, from fall-back options and disconnection scenarios to insurance and compensation, individual countries depend on other nations. In short, preparedness for digital disruption must combine national measures with international cooperation and coordination.

5.3 Centralized Setting of Standards and Coordination by Government

In security policy, the government is expected to clarify what interests are at stake. It needs to clarify how costs, benefits, and risks are distributed in light of these interests, and which parties bear responsibility for what.[Footnote 1] Extending this line of reasoning, government must play a greater role in the digital domain and in addressing its associated risks.

This role requires explanation. A centralized system of management for cyber security, internet governance and critical infrastructure – populated largely by private actors – is unrealistic. But the government can play its role in other ways. Over the past decade, cyber security has emerged as a serious international policy field. Public-private partnerships have become indispensable, especially now that most of our digital infrastructure is in private hands. This collaboration, however, is largely free of legal obligations. Providers of critical services are largely free to determine their own protection measures and back-up and fall-back options; their preparedness for digital disruption varies considerably. They also have great latitude in reporting incidents, while active participation in the Information Sharing Analysis Centres is mainly limited to the select group of organizations that have acknowledged the importance of sharing information.

Private companies and organizations cannot be expected to assume full responsibility for digital disruption. But when it does occur, they can be expected to do everything in their power to prevent the situation from deteriorating further. While the government is, by definition, best placed to enforce this responsibility, it now only has a limited set of instruments to do so. Should private organizations and companies refuse to cooperate in the event of disruption (or imminent disruption), the central government has relatively limited powers to force cooperation. This is even more the case at the European level, as the EU is limited to an advisory role and the strategic and operational aspects of cyber are the responsibility of the member states. Clarifying and strengthening the powers available to government as well as standards for intervention[Footnote 2] would enhance the government’s capacity to act in the event of digital disruption.

Nevertheless, the starting point must be that local ‘fire brigades’ take care of local fires and specialist fire brigades take care of more complex fires at the local, regional or national levels. After all, different measures will often be required in each domain. If there is a risk of digital disruption, escalation to a higher administrative level can be considered and central government can decide to take the lead in crisis management. The division of responsibilities for digital incidents remains unclear in many countries. Partly because there are no criteria to distinguish between different categories of incidents, there are no mechanisms in place for how and when higher authorities step in.

The threat of digital disruption requires coordinated action from government. Due to both network effects and the interaction between the digital and physical realms, contingency plans must transcend individual organizations. It is virtually impossible for any organization, company or safety region to have a comprehensive picture, let alone enough information to make the right decisions about the deactivation of networks, escalation, or the many other urgent measures that may be required. An overview of the coherence of processes, of the dependencies involved, and of the measures to be taken requires coordinated action by government. So does providing the right public information when things go wrong. The government also remains responsible for existing resources in the field of cyber security.[Footnote 3]

Better preparedness by the government cannot be a license for other actors to take unnecessary risks. Companies and organizations have their share of responsibility in preparing for digital disruption. If they fail to act on their responsibilities, this may undermine public confidence in digital processes, which in the long run will adversely affect the functioning of society, market and government. Even if only one party decides that preparatory measures are not worth the bother, all will be affected when things go wrong.

Some measures are already in place to coordinate our preparedness for digital disruption. For example, parties who fail to take precautions to limit adverse effects, or who do so inadequately, can in some cases be held liable.[Footnote 4] But there is plenty of scope for improvement among private-sector actors, such as organizing cyber exercises and drills for disruption in light of network effects and dependence on external parties. Companies and organizations could also be required to include a section on cyber security in their annual reports, focusing on preparatory measures and precautions. A number of our recommendations concern the private sector.

5.4 Focusing on Preparedness

Governments have long been protecting the infrastructure necessary for society’s continuity. This requires an understanding of how particular infrastructures are vulnerable to disruption, failure or destruction. While anyone familiar with these vulnerabilities can take precautionary measures to minimize the consequences of disruptive events, at present not enough is being done.

This report is underpinned by the conviction that the possibility of digital disruption is not being taken seriously enough. The current policy focus on prevention and protection is too limited and could have grave consequences. First, there has been no public or political debate about which facilities are essential to ensure cyber security in the Netherlands, or about the most effective approach to take in the event of digital disruption. Our first recommendation is therefore:

To initiate a public debate about the preparedness of Dutch society for digital disruption.

Digitization increasingly determines the vulnerability of core societal processes. Public debate is needed about how much ‘strategic autonomy’ is desirable and feasible for an individual nation state. While digitization leads to faster and more efficient processes, incidents can quickly affect multiple organizations, sectors and countries. What is the right balance between the advantages and disadvantages of digitization? If things go wrong, what fall-back options should be available? How long can a disruption reasonably last? What recovery time would we find acceptable?

Market developments affect the preparedness of society and government. Investment decisions, corporate take-overs and network effects in the digital world result in dependencies which can be difficult to mitigate. These dependencies can also hinder the government’s implementation of its own safety measures. An important question is therefore which facilities or companies we wish to keep within our own jurisdictions in order to protect the national and/or European interest. The implications of relying on overseas actors and entities for the effectiveness of our approach to digital disruption should be given more weight in this discussion.

More than is currently the case, governments will need to build up the knowledge required to identify the risks of this new reality early on, and to formulate policies on digital disruption. This would entail evaluation of how far we wish to have fall-back options available, such as the ability to isolate systems and facilities so that they can continue to function offline.[Footnote 5]

5.5 Detection: A Clearer Picture of Dependencies

Preparedness and problem detection are closely intertwined. We need a clearer picture of the dependencies between the digital and physical realms, and within specific sectors of society. This will require greater efforts from government. We need to revisit the list of critical infrastructure as what we have now is insufficiently attuned to the realities of the digital world. How we prioritize critical processes will have to be reviewed.

5.5.1 Insight into Dependencies

Detecting digital disruption at an early stage will require detailed understanding of the connections between cyber and physical sectors. It will also require better insight into the chains and networks – indispensable for the core processes of society – within which Dutch and other national and international organizations operate. We need to know who owns, or is allowed to own, shares in these organizations, and who has formal or effective control over shareholders.[Footnote 6] We need a more comprehensive overview of various sectors – including their possible dominance by particular service providers – and the jurisdictions in which key providers and other players are based to facilitate international consultation should rapid measures be necessary. In the absence of such knowledge, risks cannot be rigorously evaluated, information on incidents cannot be properly interpreted, and our preparations for digital disruption will fall short. Our second recommendation is therefore to:

Conduct an assessment of cyber dependencies focusing on the parties, digital elements, processes and services essential for the functioning of critical processes in society.

Such a ‘dependency assessment’ will augment cyber security assessments by various countries that annually review major incidents, threats, interests and resilience.[Footnote 7] Given the sensitivity of the information, the details should not be published. What matters is that the information is used to better understand incidents and decisions, both before and during episodes of disruption. The information can also be used to inform strategic discussions and choices about how far social and economic provisions in the country depend on specific actors.

Our recommendation to conduct a cyber-dependency assessment refers specifically to companies and organizations involved in critical processes. Other companies and organizations can of course conduct such assessments as well, particularly if they play key roles in the functioning of society, for example hospitals, distribution services and payment platforms. Keeping abreast of evolving dependencies is primarily the responsibility of private companies, public services and individual organizations; they will need to periodically refresh their knowledge in light of economic and technological developments. While exercises for scenarios involving digital disruption are an obvious tool, they remain rare and may need to become mandatory, certainly for critical infrastructure.

At the same time, preparation for digital disruption will have to transcend the capacities of individual organizations. Even where parties have detailed knowledge of their own dependencies, the wider picture for the sector and interrelationships with other domains may be much less clear. The entire public sector should be involved to yield a more comprehensive picture. For example, we know that many companies and organizations depend on the cloud services of just two major US providers: Microsoft and Amazon. The same applies to reliance on suppliers of industrial control systems, electronic patient records and ATMs. But we do not know enough about the sum of these dependencies or their significance for particular organizations and sectors, or even for the country as a whole. This also applies to the question of exactly what processes are at stake. We need to know more about the wider context to be able to identify risks and to prepare for disruption.

5.5.2 A New Approach to the Identification of Critical Infrastructure

A comprehensive overview of dependencies would provide a better understanding of which organizations require a higher level of protection and government support, including the sharing of information about risks. In many countries, these organizations are identified on the basis of lists of critical infrastructure. These lists are invaluable; their exact composition is a key determinant of how well countries are prepared for digital disruption.

The selection of critical processes is politically challenging, partly because protecting them is costly and the government often has no direct control over the parties involved. The current ‘system’ works primarily to the benefit of the central government and those organizations designated as critical providers. Parties not on the list need to make their own arrangements. In a highly networked world, this has undeniable consequences, both nationally and internationally, not least for those parties designated as constituting critical infrastructure.

The first reason to revisit our current list of critical infrastructure is the increasingly crucial role of digital processes in society. This includes stand-alone digital services such as electronic message traffic and authentication as well as processes that support other critical functions such as the supply of electricity and payment traffic. Although some have been added to the list of critical infrastructures in recent years, the question is whether this is sufficient. Due to the rapid development and wide adoption of digital applications in many areas of society, new and significant vulnerabilities arise unexpectedly, requiring the inclusion of new organizations as providers of critical services. An example is the payment service Facebook is planning to launch.

Second, we need to examine whether it remains useful to link critical processes to individual providers. There is ample reason to believe that identifying the chains and networks that support critical processes – meaning all those parties that providers of the service depend on – would yield better results. This might mean that actors other than the direct providers of critical services should also be categorized as critical infrastructure. In short, the policy on critical processes will need to clarify how actors deemed ‘critical’ fit into the relevant chain or network, based on the principle that some components are indispensable for the continuity of a given critical process. The example of the electricity supply (discussed in Sect. 5.4) shows that incidents that affect actors not classified as critical providers can contribute to disruption through cascade effects. If an incident outside of the critical sector is not addressed in time, the critical infrastructure itself may be affected.

The cross-border nature of many chains and networks has implications for European harmonization in the protection of critical infrastructure. Greater focus is required at the European level on the links between providers designated as critical, between themselves and with external parties. At the same time, greater commitment is required from EU member states. The different ways in which countries govern critical sectors and the services covered by the Network and Information Security Directive make it difficult to work together to identify and mitigate cross-border incidents and those that affect European networks and institutions. For example, while the NIS Directive includes measures for the healthcare sector, the Netherlands did not include healthcare when implementing the Directive in its legislation on network and information systems security (the WBNI). This means that, in the event of an incident, there is no common point of contact for member states in the field of healthcare. Such omissions hamper the creation of a Europe-wide system for the entire system of critical infrastructure.

Operationalize critical infrastructure differently, starting with the chains and networks that support critical processes.

Examine whether digitization requires changes to the prioritization of critical processes.

5.5.3 Digital Triage

In the Netherlands, the list of critical processes – last reviewed in 2014 – includes criteria for prioritization in case of disruption. On the basis of various impact criteria, the list distinguishes between two categories of critical processes, prioritizing those with the greatest impact – due to for instance cascade effects – should they fail. While prioritization can limit damage and promote swift recovery, we need to review the existing categorization of critical processes in light of digitization. We refer to this prioritization process as ‘digital triage’.[Footnote 8] Even where, as in many other countries, no distinctions are drawn between critical processes, their digitization requires revisiting which ones to prioritize in case of disruption.

The question is whether the current system is adequate given our growing dependence on digital technology. The prioritization of critical processes based on ‘impact’ may also need revisiting; in a crisis situation, the most important processes for a rapid recovery may be quite different from those that have the greatest impact. The continuity of many critical processes depends on digital facilities and services, which may warrant higher priority as they facilitate the restoration of other important societal functions. Digital communication facilities in particular may deserve higher priority as they play a key role in keeping citizens informed and in preventing or containing social unrest.

Digital triage based on this dual perspective – including both impact and recovery options – would, in the event of a crisis, enable ministers to take decisions that have already been discussed and accepted in advance. During a disruptive event, there may not be time for any reflective decision-making. Such a system of triage would mean that the parties involved are informed in advance; they would not be taken by surprise and would be able to act more quickly. This would ultimately improve the resilience of society’s critical functions.[Footnote 9]

As the Dutch government’s dependence on Microsoft during the DigiNotar incident revealed, it is an illusion to think that the government is the only key actor in this area. Other actors often participate in the decision-making necessary to combat digital disruption and to enable swift recovery. Good communication channels with these parties are essential to guarantee the continued functioning of society during a crisis. The assessment of dependencies discussed above would be useful here.

5.6 Mitigation: More Powers, Better Categorization of Incidents and Better European Coordination

If things go wrong unexpectedly, the government must be able to bring the situation under control. But as things currently stand, the government would face several problems. First, there is no equivalent to the familiar emergency services model in our new digitized reality. Second, there is no clear categorization of incidents that outlines when the relevant authorities and actors should become involved. Third, dealing with disruptive events with a cross-border or European dimension is hampered by a lack of coordination.

5.6.1 Legal Powers and Competencies

When digital disruption threatens societal disruption, the government must have the right information at its disposal and be ready to act. Action may have to be far-reaching. During the DigiNotar incident in 2011, the Dutch government stepped in because the extent of the problem was unclear and confidence in its own digital services was at stake. Unfortunately, the government’s actions during the DigiNotar incident were never evaluated. The question of which powers the government actually needs has therefore never been properly debated – an important conversation to have as the government can now only legally provide advice and assistance. This means that organizations and companies are not obliged to follow the government’s advice when dealing with digital disruption, and may decide to pursue priorities that conflict with the public interest. Where organizations and companies are not part of the critical infrastructure, the government is largely powerless.

Although the government has a range of options for intervening based on existing crisis management legislation, there is no specific focus on how it should handle digital disruption. Current crisis decision-making is organized along functional lines or linked to a particular municipality, region or the central government. Although the central government can always intervene in the event of an emergency, it would be preferable if interventions occurred in a predictable and controlled manner, particularly if it concerns the police or the public prosecution service. A crucial question is whether such interventions would be justifiable if they did not also serve the purposes of an investigation or prosecution. After all, we rightly expect the fire brigade to extinguish the fire, not to confiscate our household effects. In a digitized world, this distinction becomes more difficult to draw because data does not need to be removed to be reused for other purposes. Our recommendation is therefore to:

Provide a clearly defined legal mandate for a digital taskforce responsible for combating (potential) digital disruption that could have adverse effects on society. As part of this, examine the need for separate regulations for government action to prevent incidents from escalating and for categorizing incidents.

Generic, legally established powers, accompanied by an appropriate framework, would give the government more freedom to act to combat digital disruption. The aim should be to safeguard citizens and businesses from disproportionate, uncontrolled or arbitrary acts on the part of government.[Footnote 10] Such a framework would be particularly important if there is a risk of disruption but the effects cannot yet be discerned.

5.6.2 Towards a Categorization of Incidents

In elaborating the government’s legal powers, it would be preferable to specify them on the basis of different categories of digital incidents. Such a system is already in place in the United States, France and the United Kingdom. Not all categories of incidents disrupt critical processes or represent a threat to national security. A more detailed system of categorization would facilitate assessing the potential consequences of an incident, the need to use special powers, and the decision to deploy a particular organization to take action. Differentiation according to the seriousness of situations could also prevent the central government from becoming involved too quickly. An effective system of categorization would provide opportunities for administrative and political escalation. Our response to fires is essentially decentralized; escalating the response is possible when the magnitude of the incident requires it.

5.6.3 European Coordination

Given the cross-border nature of digital disruption, the recommendations outlined above for combating incidents should be on the international agenda as well. The European Union is an obvious starting point, now that the NIS Directive provides for greater uniformity in the protection of service providers in critical processes. To effectively combat digital disruption, individual countries will often depend on cooperation from foreign governments. Other countries will in turn ask them for assistance.

Individual EU member states can contribute to a more coordinated approach at the European level by bolstering the NIS cooperation group.[Footnote 11] The NIS cooperation group was established as part of the implementation of the NIS Directive and is supported by the national Computer Security Incident Response Teams (CSIRTs), the European Commission and the ENISA agency. Like the European Article 29 Working Group, which has since been succeeded by the legally constituted European Data Protection Board,[Footnote 12] this partnership could eventually serve as a stepping stone towards an organization with greater legal competencies at the EU level. Those competencies should focus on combating incidents that affect European institutions or that transcend the capacities of individual member states to such an extent that they pose risks to critical infrastructure elsewhere in Europe.[Footnote 13]

5.7 Recovery & Reconstruction: Examine the Possibility of a Cyber Pool and Make Better Use of Data on Incidents

A disruptive event is often followed by a period of recovery and reconstruction. A range of issues will need to be addressed, from support and compensation for victims to evaluating what went wrong. We recommend adding two further issues to the agenda relevant to recovery after a major incident. First, we should look closely at the feasibility of establishing a cyber pool for compensating damages. Second, we can learn how to better use the available data on incidents.

5.7.1 Cyber Pool

An important aspect of recovery and reconstruction is compensating victims in the form of liability or compensation payments, whether through insurance or through government payments.[Footnote 14] The aim of such instruments is to enable parties that suffer damage to resume normal functioning wherever possible and, preferably, to return to their previous positions. The reality is often different, if only because countless questions arise about the attribution and causes of the damage or, for example, at which moment the damage should be assessed.[Footnote 15]

Liability, compensation and insurability are difficult to design and regulate in a digitizing world. Cascade effects, complex interactions between information processes, and associated questions over causality are bound to play a role. Perpetrators are often never found, and there is a high level of uncertainty about both the risks and the types of cost that may be involved. As explained in Sect. 4.5, insurability is an urgent issue. Insurance is essentially a matter for the market. But where there are market failures and risks cannot be hedged adequately, the government can try to provide people with more peace of mind.

The government could make insurance compulsory by law – admittedly often a long process seen as interventionist. The government could also create a reinsurance fund with other actors to ensure that risks are insurable. Such insurance ‘pools’ – where each party participates at a predetermined percentage – are often used to insure major or technically complex risks. Now that insurers seem to be withdrawing from the market for cyber insurance due to fears of excessive claims, a ‘cyber pool’ construction warrants further study. As a possible template, the Dutch Reinsurance Company for Terrorist Damage insures all sectors for damage up to €1 billion per calendar year, to be provided by national insurers, international reinsurers and the Dutch state.[Footnote 16] In 2003, the Netherlands led the way internationally with this construction.

Explore the feasibility of a national or European ‘cyber pool’ arrangement in order to provide insurance cover for the financial damage caused by digital disruption.

As part of this exploration, identifying and quantifying ‘systemic risks’ deserves special attention. Insurers, large utility companies, banks, multinationals, and governments around the world are increasingly turning to quantitative models to manage cyber risks. Although this is a step in the right direction, there are as yet no reliable methods for identifying systemic risks – a fluid and complex category of risk that goes beyond the level of individual organizations. The government could contribute to the development of more reliable methods through steps such as making its knowledge and data available to other parties.

It is also important to determine whether cyber-attacks can be regarded as armed conflict under international law and, if so, to what extent and which types of cyber-attack. As we discussed in Sect. 4.5, this is crucial for the insurability of damage caused by cyber-attacks. In order not to unnecessarily obstruct the development of a mature cyber-insurance market, national governments should take a cautious approach to characterizing cyber-attacks as acts of war.

5.7.2 Make Better Use of Data on Incidents

Recovery and particularly reconstruction provide opportunities to be better prepared for the next incident and to re-evaluate which interests should be given priority. Learning from past decisions and mistakes plays an important role; learning from minor incidents can prevent much larger and more disruptive events in the future.

While improving our capacity for collective learning can take numerous forms, internal and external supervision would be useful.[Footnote 17] External supervisors, who now receive and process incident reports including reports on problems with the continuity of core processes, have valuable data at their disposal. A necessary step towards improving our capacity for learning is to gather and make more systematic use of the information available to supervisory bodies. Supervisors are important nodes of information, well positioned to learn general lessons from series of minor incidents and to make this information available more widely. While the legally required reports on data breaches, disruptions and continuity problems are currently received by various supervisory authorities, the information in these reports is rarely analysed systematically. As a result, supervisory authorities are depriving themselves, and the parties they supervise, of valuable information that could be used to improve our level of preparedness for digital disruption. Such information could include insights into likely types of perpetrators for specific kinds of attacks.

Ensure that information on incidents is available at the national and European levels; make better use of this information; and provide effective feedback to the parties involved in order to strengthen the capacity for collective learning.

We need to make better use of the data generated through the NIS Directive’s reporting obligations. The Directive specifically aims to ensure greater coherence in the cyber security policy of European member states; for this to succeed, governments must make greater efforts to ensure that data on incidents is better shared and analysed at the European level. This task could be assigned to the NIS cooperation group.

5.8 Closing Words

Often without our noticing it, digital infrastructure has become intertwined with processes essential to the continuity of our society, economy, democracy and the rule of law. In the coming years, this relationship will become ever closer due to developments such as artificial intelligence, cloud computing and the Internet of Things. It is laudable that the protection of digital infrastructure is receiving more attention. At the same time, 100% security can never be guaranteed. In addition to existing policy, this report has therefore presented the case for better preparedness for situations in which digital infrastructure is disrupted or out of action, and there is a risk of societal disruption as a result.

There is too much at stake to leave preparing for digital disruption to chance. The extent of our reliance on digital infrastructure means that measures must be taken to limit potential damage and to ensure that affected parties can recover as quickly as possible. Within existing frameworks, the government is hampered in its ability to adequately deal with digital disruption; its traditional set of instruments to address societal disruption is insufficient for this purpose. The recommendations in this section provide a range of options for new ways of doing things. Their implementation will require a thorough consideration of the role and responsibilities of government in a digitizing world.