
Practice area Cybersecurity

A university that pays criminals an enormous amount in the form of bitcoins to secure the return of all its backup systems. A municipality that is the victim of a major cyberattack and electronic extortion. Cybercrime and similar cyberincidents have been growing in number and gravity in recent years. There is every reason to devote attention to cybersecurity immediately. Yet where does one begin? Dirkzwager’s Cybersecurity Team can assist you throughout the process, from preventive measures to subsequent legal assistance.


Businesses and institutions are increasingly dependent on electronic processes and ICT. The importance of digital work and homeworking has only increased since the advent of the coronavirus era. Society can no longer survive without digital solutions, although such dependence also renders organisations more vulnerable. The danger of data leaks is growing and cybercriminals seize potential opportunities. The consequences for an affected organisation should not be underestimated: reputational harm, the disruption of business and liability. A timely examination of the cyberrisks to which your organisation is exposed, adoption of appropriate security measures, and preparation of contingency plans should matters nevertheless go awry will increase your cyberresilience.

Definition of cybersecurity

Cybersecurity refers to all of the security measures which a business or organisation adopts to avoid any harm due to the malfunction, breakdown or misuse of an information system or computer.

Common cybersecurity issues

The disruption of business and/or a data leak due to:

  • the breakdown of a system, for example, as a result of a failure to implement timely system updates;
  • an indirect attack, for example, in the form of phishing, social engineering, a virus or malware;
  • a direct attack, such as a hack, DDoS attack or industrial espionage;
  • mala-fide staff (‘insider threats’) who abuse the power which they have for the purposes of carrying out their work;
  • the vulnerability of a system, for example, because it is obsolete (a ‘legacy system’) and updates and patches have not been installed.

Cybersecurity legislation and regulations


Every business which processes personal data must comply with the requirements stipulated in the European General Data Protection Regulation (GDPR). Amongst other things, this legislation stipulates that a business must adopt ‘appropriate technical and organisational measures’ to protect personal data. Should a data leak occur, a business is required to report it to the Dutch Data Protection Authority in many cases. A stiff fine may be issued for any contravention of the GDPR.

In addition, any business or organisation which constitutes part of the so-called essential infrastructure is bound by the Network and Information Systems Security Act [Wet beveiliging netwerk- en informatiesystemen] (Wbni). Such businesses and organisations have a legally stipulated duty of care to adopt measures to minimise security risks for ICT systems as far as possible. Should a cyberincident occur, they will need to report it. Essential suppliers and suppliers of essential services do so to the National Cybersecurity Centre (NCSC). In addition, suppliers of essential services are also required to report it to the relevant sectoral regulatory authority and electronic service providers to the CSIRT (Computer Security Incident Response Team). A stiff fine may also be issued for a contravention of this legislation.

Apart from this legislation, every business which uses ICT and computer systems has a duty of care (unwritten or otherwise) to ensure proper cybersecurity. In many cases businesses and organisations form part of an electronic supply chain which includes other businesses and in some cases also consumers. Every business is itself responsible for the ICT which it uses. Clearly stipulated arrangements and risk estimates are very important because of the interdependence within a supply chain.

Sectoral specific regulations

Regulations may be highly specific to a sector. Proper cybersecurity is highly dependent on the nature of a business or organisation, the extent to which special or other personal data is processed, and the degree of dependence on technology. A hospital uses a great deal of highly sensitive data and is highly dependent on technology. Its cybersecurity strategy therefore has to take account of matters other than those relevant to, for example, production operations, where the sensitivity of personal data plays a less prominent role. Public authorities and knowledge institutes must in turn deal with their cybersecurity strategy in a different manner.

Multi-disciplinary approach

Cybersecurity is a subject to which attention needs to be devoted at the executive level based on a multi-disciplinary approach. The directors need to meet with managers, IT staff and representatives of the legal, commercial and publicity departments.

All organisations in all conceivable sectors which have electronic processes are exposed to cyberrisks. The Cybersecurity Team is active in all of these sectors:

  • IT and internet businesses;
  • universities and educational institutions;
  • insurers and insurance brokers;
  • public authorities;
  • healthcare institutions;
  • the business sector.

Multi-disciplinary team

As such, it is important to view cybersecurity from various perspectives. This is also why a multi-disciplinary Cybersecurity Team has been put together with experts from various disciplines within Dirkzwager: intellectual property, IT, liability, loss, insurance, and health care. By combining all of its specialist expertise in both the legal field and the specific sectors, the Cybersecurity Team has a comprehensive overview.

Our services

The Cybersecurity Team can assist your organisation throughout the entire process from prevention to legal resolution.

  • Contract management: What arrangements have you made and how have the cyber and other risks been assigned?
  • Risk management: How do you implement cybersecurity as part of risk management within your organisation?
  • Incident response: Comprehensive process management when an emergency (ransomware or a data leak) occurs. Where necessary, we do this together with external experts, such as forensic IT experts and publicity consultants. In addition, we assist with specific legal matters, such as reporting to the relevant regulatory authority in the case of a data leak or a serious cyberincident, or we determine your legal position in relation to other parties, for example, counterparties.
  • Corporate compliance: Does your organisation comply with the relevant regulations? Cybersecurity constitutes part of corporate governance and intersects with privacy legislation. A failure to comply with the regulations may have far-reaching consequences.
  • Follow-up care: Legal assistance for the purposes of settling compensation claims and in the case of disputes. We provide insurers with assistance in the case of cover disputes. We assist any party that is called to account in the case of compensation pursuant to a contravention of the GDPR.

The Cybersecurity Team

The Cybersecurity Team combines extensive experience of digital technologies and IT systems with an in-depth knowledge of the various sectors, such as those of health and insurance. The team consists of Ernst-Jan van de Pas, Mark Jansen, Marloes Roetert Steenbruggen-Hulshof, Jeroen Lubbers, Dafne de Boer, and Sven Wakker.

If you would like more information about the cybersecurity team, cybersecurity, incident response or cyber insurance, or should you wish to make an appointment, you may contact Mark Jansen.