Compliance Services

Need to comply with ISO 27001, NEN 7510, NIS2/Cbw or DORA? We guide you through the entire process: from gap analysis to implementation.


NIS2/Cbw - DORA - ISO 27001 - NEN 7510


ISO 27001 is the international standard for information security management. The standard specifies requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS). Since the 2022 update (ISO 27001:2022), the associated control set (Annex A) has been restructured from fourteen to four themes: organizational, people, physical and technological controls.

What does an ISMS encompass?

An ISMS is not a one-time project but an ongoing management system. It includes: an information security policy established by management, a systematic risk assessment and risk treatment, selection and implementation of controls from Annex A, security awareness training for employees, internal audits and management reviews, and a process for continuous improvement (Plan-Do-Check-Act).

Certification

ISO 27001 certification is issued by an accredited certification body (CB) after a successful external audit. The initial audit consists of two stages: a documentation review (stage 1) and an implementation audit (stage 2). After certification, annual surveillance audits follow, and a recertification audit every three years.

Our approach

We guide organizations through the complete implementation, from gap analysis and risk assessment to policy development, procedures and operational embedding. Our approach is pragmatic: we focus on what works for your organization and ensure that the ISMS not only meets the standard, but also contributes to better information security in practice. We are not a certification body ourselves, but we prepare organizations so the certification audit proceeds without surprises.

NEN 7510 is the Dutch standard for information security in healthcare. The standard is based on ISO 27001, but contains additional requirements specifically aimed at protecting patient data and other health information. NEN 7510 is mandatory for all organizations that process patient data, including hospitals, general practices, mental health institutions, pharmacies, laboratories and their ICT suppliers.

NEN 7510, 7512 and 7513

NEN 7510 does not stand alone. NEN 7512 sets requirements for electronic communication in healthcare, for example when exchanging medical data via messaging or portals. NEN 7513 prescribes how logging of access to patient data must be organized, so it is always possible to determine who accessed which data and when. Together, these three standards form the foundation for information security in Dutch healthcare.

Supervision and enforcement

The Health and Youth Care Inspectorate (IGJ) supervises compliance with NEN 7510 at healthcare institutions. Additionally, NEN 7510 conformity plays a role in connecting to national healthcare infrastructure and in contractual agreements with health insurers. Non-compliance can lead to enforcement measures and reputational damage.

Our approach

We support healthcare organizations in implementing NEN 7510 and the associated standards NEN 7512 and NEN 7513. This ranges from policy development and risk analysis to operational implementation, internal audits and preparation for external assessments. We understand the healthcare context and align the implementation with daily practice, so that security does not come at the expense of patient care.

The European NIS2 directive sets higher requirements for the cybersecurity of essential and important entities. In the Netherlands, NIS2 has been transposed into the Cyberbeveiligingswet (Cbw), which was adopted by the Dutch House of Representatives on 15 April 2026. The expected entry into force is 1 July 2026. The law applies to organizations in eighteen sectors, from energy and transport to digital infrastructure and healthcare.

Who falls under it?

The Cbw distinguishes between essential and important entities. Essential entities include organizations in the energy, transport, banking, financial market infrastructure, healthcare, drinking water, digital infrastructure and government services sectors. Important entities include postal and courier services, waste management, food, chemicals, manufacturing of certain products and digital providers. The threshold is generally 50 employees or annual turnover exceeding 10 million euros, but different criteria apply to certain sectors.

Obligations

The Cbw imposes three core obligations. First, a registration obligation: organizations must register with the NCSC or the relevant sectoral supervisor. Second, a duty of care: organizations must take appropriate and proportionate technical, operational and organizational measures to manage cyber risks. This includes policies for risk analysis, incident handling, business continuity, supply chain security, access management and cryptography. Third, a reporting obligation: significant incidents must be reported to the CSIRT within 24 hours, followed by a full report within 72 hours and a final report within one month.

Supervision and enforcement

The National Digital Infrastructure Inspectorate (RDI) will be the primary supervisor for most sectors. For violations, fines of up to 10 million euros or 2% of global turnover can be imposed on essential entities, and up to 7 million euros or 1.4% for important entities. Directors can be held personally liable for non-compliance with the duty of care.

Our approach

We support organizations in determining whether they fall under the Cbw (scoping), conducting a gap analysis against the requirements, and implementing the necessary measures. This ranges from risk analysis and policy development to setting up incident response, establishing supply chain security and testing your organization's resilience. We also assist with preparation for the registration obligation and establishing reporting processes.

The Digital Operational Resilience Act (DORA) is the European regulation specifically aimed at the digital resilience of the financial sector. DORA entered into force on 17 January 2025 and, as a regulation, is directly applicable in all EU member states without national transposition. The regulation applies to a wide range of financial entities: banks, insurers, investment firms, payment institutions, pension funds, crypto-asset service providers and their ICT service providers.

Five pillars

DORA is built around five pillars. The first pillar, ICT risk management, requires a documented framework for identifying, protecting against, detecting, responding to and recovering from ICT risks. The second pillar concerns ICT-related incident management: classification, reporting and communication of significant ICT incidents to the competent authorities. The third pillar mandates digital operational resilience testing, including annual basic tests and, for systemically important institutions, triennial threat-led penetration testing (TLPT). The fourth pillar regulates the management of ICT third-party risks through contractual requirements and a register of outsourced ICT services. The fifth pillar encourages voluntary sharing of cyber threat information between financial entities.

ICT service providers

A key aspect of DORA is oversight of critical ICT service providers. Cloud providers, data center operators and other technology suppliers designated as critical by the European Supervisory Authorities (ESAs) fall directly under their supervision. Financial institutions must map their dependencies on third parties through an information register, assess concentration risks and contractually ensure these parties comply with DORA requirements, including audit and access rights.

Supervision in the Netherlands

In the Netherlands, DNB and the AFM supervise DORA compliance. DNB is responsible for banks, insurers, pension funds and payment institutions; the AFM for investment firms and managers of investment institutions. Non-compliance can result in administrative measures including instructions, fines and periodic penalty payments.

Our approach

We help financial institutions and their ICT service providers comply with DORA. This includes conducting gap analyses, setting up ICT risk management frameworks, establishing incident reporting processes, building the information register for ICT third-party risks, performing resilience testing and reviewing contracts with ICT service providers. Our experience with both IT audit and financial supervision (DNB, AFM) makes us a natural partner for DORA compliance.

Looking for an IT auditor?

Every organization is unique. Get in touch for a no-obligation conversation about IT audit, compliance or risk management.