Critical Infrastructure in the Netherlands: NCTV, Vital Sectors, and the Rotterdam Test
NCTV, Wet Beveiliging Netwerk- en Informatiesystemen, Rotterdam port and Eindhoven semiconductor sector. Two crown jewels under pressure.

Dr. Raphael Nagel
November 8, 2025

The Netherlands is a small country with two assets that the rest of Europe cannot afford to lose: the port of Rotterdam and the lithography supply chain anchored in Eindhoven. Everything else in the Dutch security debate is downstream of these two facts.
Dutch policy doctrine treats critical infrastructure as a list of "vital processes" maintained by the National Coordinator for Security and Counterterrorism, the NCTV. The list is administrative. The reality is geographic and industrial. A single port complex moves roughly 440 million tonnes of cargo a year and feeds a chemical cluster that reaches into Germany, Belgium and beyond. A single town in North Brabant houses the only manufacturer in the world that builds extreme ultraviolet lithography systems. Lose either, and the consequences are not local. They are continental.
What the NCTV Actually Is
The Nationaal Coördinator Terrorismebestrijding en Veiligheid sits inside the Ministry of Justice and Security. It is not an operational agency in the sense of the French ANSSI or the German BSI. It coordinates. It maintains the list of vital processes, publishes the Cybersecurity Assessment Netherlands (CSAN) each year, and issues threat assessments that the rest of the Dutch security architecture is supposed to act upon. Its instruments are policy, designation and convening power. Its limits are the same as those of every coordinator in a country that prefers consultation to command.
The vital processes framework distinguishes between category A and category B. Category A covers processes whose disruption produces cascading damage at a scale the state considers unacceptable: more than fifty billion euros in economic damage, or more than ten thousand fatalities, or societal disruption beyond several weeks. Category B is the rung below. The classification matters because it determines which obligations apply, which operators are formally engaged in information exchange, and which sectors receive priority attention when the threat picture darkens.
The Dutch approach to critical infrastructure protection has historically been lighter than the French or the German model. It relies on private operators to manage their own security under guidance, with the state retaining the right to intervene when private effort proves insufficient. This works as long as private operators have both the means and the incentive to act. When neither holds, the coordinator's role becomes uncomfortable, because coordination without authority produces reports rather than results. The transposition of NIS2 into Dutch law as the Cyberbeveiligingswet, replacing the older Wet Beveiliging Netwerk- en Informatiesystemen, is meant to harden this asymmetry. It introduces registration duties, incident reporting timelines and supervisory powers that go beyond what the previous regime envisaged. Whether the AIVD, the General Intelligence and Security Service, and the inspectorates can scale to enforce the new framework is a separate question, and one the Dutch security community is still answering in practice.
CISA's recent advisories on operational technology, NIST CSF 2.0 and IEC 62443 form the technical backdrop against which Dutch operators now have to demonstrate compliance. The Netherlands does not invent its own standards in this space. It applies international ones, sometimes faster than its neighbours, sometimes slower.
The Vital Processes Catalogue
The Dutch vital processes catalogue lists, in its most recent public form, processes across drinking water supply, electricity, gas, oil, nuclear material, financial transactions, identity and authorisation services, communications, transport, food and several categories of digital infrastructure. The catalogue is updated periodically, and the updates matter, because each addition or removal changes the perimeter of legal obligation.
Two observations apply across the catalogue. The first is concentration. The Netherlands is small, and its vital processes are physically concentrated to a degree that few other European countries match. The Rotterdam port complex, the Schiphol airport node, the Amsterdam Internet Exchange, the gas hubs in Groningen and at Bergermeer, the chemical cluster at Geleen, and the high-tech corridor running from Eindhoven through Veldhoven all sit within a radius that a determined adversary could survey in a single day. Concentration produces efficiency in normal times and exposure in abnormal ones.
The second observation is dependency. Several vital processes depend on a single operator or a small group of operators. TenneT for high-voltage transmission. Gasunie for gas transmission. KPN for fixed telecommunications. Schiphol Group for the main aviation node. The Port of Rotterdam Authority for the port. AMS-IX for internet exchange. When the operator is effectively singular, the resilience of the process equals the resilience of that operator. There is no second supplier waiting to take over.
This is where the Dutch model differs from the German one. Germany has more redundancy by federal accident. Multiple states, multiple operators per sector, multiple regulators. The Netherlands has less redundancy by national design. Efficiency is a constant Dutch value, and efficiency in infrastructure means consolidation. The trade-off is now visible. A single ransomware incident at a logistics operator in 2021 shut down the largest cheese supplier in the country for days, and the disruption rippled into Belgian and German supermarkets. A single fibre cut in the wrong place can isolate large parts of the financial sector for hours. The catalogue describes processes. It does not describe the thinness of the underlying redundancy.
ISO 27001 and NIST 800-53 give operators a language for risk management. They do not give the state a substitute for physical diversification. That is a political decision, and the Netherlands has not, so far, taken it.
Rotterdam: The Port as a Security Problem
Rotterdam is the largest port in Europe by tonnage. The port authority manages a perimeter of more than one hundred and fifty kilometres of quayside, several thousand hectares of industrial terrain, and a tenant base that includes oil majors, chemical producers, container terminals run by global operators, and a logistics layer that touches almost every supply chain in northwest Europe. The security problem is not one problem. It is at least four.
The first is physical. The port is too large to fence and too dispersed to monitor from a single operations centre. The port authority operates the Harbour Coordination Centre and works with the Seaport Police, the Koninklijke Marechaussee at certain terminals, and customs. Coverage is layered, not continuous. The vulnerabilities the port has confronted publicly in recent years are mostly in container handling: organised crime networks that compromise port workers, IT staff at terminal operators or independent hauliers to extract specific containers from the flow. Dutch police and customs have made substantial seizures, but the underlying economics of the cocaine trade through Rotterdam have not changed, and the indication is that compromise of port personnel continues.
The second is cyber. Terminal operating systems are complex industrial software stacks that touch crane control, vessel scheduling, container tracking and customs interfaces. They are, in IEC 62443 terms, blended IT and OT environments where segmentation is often imperfect. The 2017 NotPetya incident, although it originated elsewhere, hit Maersk's terminal operations in Rotterdam and demonstrated how a single supply-chain compromise propagates through global container logistics. The lesson has been internalised at the operator level, less consistently across the long tail of smaller tenants.
The third is hybrid. The port is a target for state-linked sabotage scenarios, particularly involving energy infrastructure: LNG terminals, pipelines, electricity feeds, and the storage capacity that connects Rotterdam to the German chemical industry. The AIVD and the MIVD have been explicit in their annual reports about Russian and Chinese interest in mapping European critical infrastructure. Rotterdam features prominently in any such map.
The fourth is regulatory. The port operates under Dutch law, European maritime regulation, ISPS code requirements, and the customs and chemical safety regimes. The compliance surface is enormous, and operators routinely report that the cost of demonstrating compliance now competes with the cost of actual security improvement. This is not a Dutch problem alone. It is a structural feature of how European regulation has accumulated. But it shows up sharply in Rotterdam because the operator base is sophisticated enough to measure it.
A serious security posture in Rotterdam combines perimeter sensing, mobile camera platforms at construction and expansion sites within the port, AI-supported event detection that handles the volume without burying operators in false positives, and explicit cyber-physical convergence with terminal operating systems. The infrastructure exists. What varies is the integration, and the discipline to maintain it through ten-year operating cycles rather than three-year project cycles.
Eindhoven and the Lithography Question
ASML is the second crown jewel and, in geopolitical terms, the more singular of the two. The company is the only producer of EUV lithography systems, the machines that allow semiconductor manufacturers to print transistors at the most advanced nodes. Without ASML, there is no leading-edge chip industry. This is not a statement about market share. It is a statement about physics, optics, and twenty years of investment that nobody else has matched.
The security problem at ASML is different from the security problem at Rotterdam. The port is too large to defend completely. ASML is small enough to defend, but the threat profile is unusually targeted. Industrial espionage from state-linked actors has been a documented concern for years. ASML has disclosed multiple incidents involving former employees, supplier compromises, and attempts to extract proprietary information. The Dutch government has, under pressure from Washington, applied export controls that restrict the sale of the most advanced systems to certain destinations, and these controls have raised the strategic profile of the company further.
The protection model around ASML has several layers. Physical security at the Veldhoven campus and at supplier sites in the region. Personnel security, including vetting and ongoing monitoring of access. Cyber defence at a scale that exceeds what most Dutch companies maintain. Supply chain assurance that reaches into hundreds of specialised suppliers, many of them concentrated in the same Brainport region. Cooperation with the AIVD and the MIVD on counter-intelligence. And a layer of physical infrastructure protection around the broader high-tech ecosystem, including the optics supplier Carl Zeiss SMT in Germany, which is functionally inseparable from the ASML system.
The vulnerability that gets discussed least in public is the supplier base. ASML assembles. It does not manufacture every component. Several hundred suppliers contribute critical parts, and the security maturity across this base varies. A determined adversary attacking the ecosystem rather than the prime contractor would find softer targets. The Dutch government and ASML are aware of this, and the supplier security programme has been expanded in recent years. Whether it has been expanded fast enough to match the threat is the question that nobody can answer in public.
ASIS International best practice and the NICB benchmarks on industrial security give a baseline. What ASML requires is above that baseline, and the gap is not closed by reading guidelines. It is closed by building the kind of integrated security architecture that combines physical, personnel and cyber controls under one governance structure. The companies that do this well share a feature: they treat security as an engineering discipline, not as a compliance function.
The Coordination Gap
The Dutch system has a coordination gap between policy and operations. The NCTV sets direction. The AIVD and the MIVD produce intelligence. The inspectorates supervise. The operators execute. Between these layers, information moves, but it does not always move at operational speed, and it does not always move with the granularity that operators need to act.
This is visible in incident response. When a major Dutch logistics or industrial operator is hit by ransomware or a hands-on-keyboard intrusion, the path from detection to coordinated national response is not as short as it should be. The National Cyber Security Centre, integrated into the NCTV structure, has improved this path significantly over the past five years, and the new Cyberbeveiligingswet sharpens reporting obligations further. But the underlying issue is structural. A country that prefers coordination over command produces faster decisions inside individual operators and slower decisions across the national system.
The same coordination gap appears in physical security. The Seaport Police, the Koninklijke Marechaussee, the regional police, the port authority and private security at terminals each have authority over part of the picture. Joint operations work when they are prepared in advance. They strain when the situation is unprecedented. The 2022 incidents involving suspected espionage activity near Dutch offshore infrastructure, and the broader European concern about subsea cables and pipelines, have produced new arrangements with the Royal Netherlands Navy and with NATO partners. These arrangements are recent. Their durability under stress has not been tested at scale.
BSI in Germany and CISA in the United States have moved toward more directive postures over the past decade. The Dutch model retains more consultation. There are good reasons for this preference, including the size of the country and the density of trust between government and private operators. There are also limits. When the threat picture demands speed and authority, consultation slows down. The next phase of Dutch critical infrastructure policy will probably see a quiet shift toward more directive instruments. The Cyberbeveiligingswet is part of this shift. More will follow.
What Operators Can Do Now
For operators in the Dutch vital processes catalogue, three priorities are concrete and within reach. The first is to close the gap between IT and OT security governance. Most operators still run these as separate functions with separate budgets and separate reporting lines. The convergence of attack surfaces does not respect this separation. A single risk owner with authority across both domains is more effective than two heads of department who coordinate.
The second is to invest in physical security technology that scales. Static perimeters, classical guard services and ad hoc camera installations do not scale to the perimeters that the Dutch vital processes actually have. Mobile camera platforms with autonomous power, AI-supported video analytics that reduce false alarms to a tolerable rate, and integration with operational control rooms produce more effective coverage at lower marginal cost than additional headcount. This is true at the port, at logistics terminals, at high-tech campuses, and at the construction sites that the Dutch infrastructure renewal cycle will produce in growing numbers over the next decade. The book BOSWAU + KNAUER. From Building to Security Technology develops this argument from the manufacturer's perspective.
The third is to accept that supplier security is now part of an operator's own security. NIS2 codifies this in regulation. The practical implication is that vital operators need to extend their security expectations to their critical suppliers, audit those expectations, and treat supplier incidents as their own incidents. This is uncomfortable because it increases cost and complicates relationships. It is also unavoidable. The attacker's economic incentive is to find the weakest link, and the weakest link in a Dutch vital process is rarely the prime operator.
What Holds
The Netherlands has a clear-eyed view of what it has to protect. The catalogue is honest, the threat assessments are sober, and the institutional architecture around the NCTV is competent. What the country has not yet fully internalised is the gap between the policy framework and the physical and cyber reality of running infrastructure that the rest of Europe depends on. Rotterdam and Eindhoven are not problems that can be solved with coordination memos. They are problems that require sustained investment in integrated security architecture, supplier governance, and operational discipline over decades.
The two crown jewels are under pressure, and the pressure is not going to ease. Russian interest in European energy infrastructure, Chinese interest in semiconductor capability, and organised crime's interest in container logistics are structural features of the security environment, not phases. The Dutch state cannot defend the crown jewels alone. The operators cannot defend them alone either. The next phase of Dutch critical infrastructure protection will be defined by how well the two sides combine, and by how willing each side is to accept obligations that were politically inconvenient five years ago.
For operators ready to move from policy to architecture, the practical next step is a structured audit of the integrated security posture, three to five days on site, with a defined deliverable that survives without further consulting. That is Path II in the BOSWAU + KNAUER framework. For operators not yet sure where they stand, a one-hour confidential conversation is enough to draw the map.
Frequently asked questions
What is NCTV?
The Nationaal Coördinator Terrorismebestrijding en Veiligheid is the National Coordinator for Security and Counterterrorism, sitting within the Dutch Ministry of Justice and Security. It coordinates national counterterrorism policy, maintains the catalogue of vital processes, publishes the annual Cybersecurity Assessment Netherlands, and houses the National Cyber Security Centre. The NCTV is a coordinating body rather than an operational agency. It sets direction and convenes the institutions that actually operate, including the AIVD, the MIVD, the inspectorates and the private operators of critical infrastructure.
Which sectors are vital?
The Dutch vital processes catalogue, maintained by the NCTV, covers drinking water, electricity, gas, oil, nuclear material, financial transactions, identity and authorisation services, communications, transport including ports and aviation, food supply, and several categories of digital infrastructure. Processes are classified as category A or category B depending on the scale of cascading damage their disruption would produce. The catalogue is updated periodically. Inclusion triggers obligations under the Cyberbeveiligingswet, which transposes NIS2 into Dutch law and replaces the older Wbni framework.
How is Rotterdam protected?
Rotterdam combines several layers. The Port of Rotterdam Authority operates the Harbour Coordination Centre and manages access at port level. The Seaport Police handles law enforcement within the port. The Koninklijke Marechaussee covers selected terminals. Customs operates container scanning and risk-based inspection. Terminal operators run their own physical and cyber security. Coordination with the AIVD, the MIVD and the Royal Netherlands Navy addresses hybrid threats. ISPS code requirements apply at international terminals. Integration across these layers is the perpetual challenge.
What protects ASML?
ASML protection operates on multiple layers: physical security at the Veldhoven campus and supplier sites, personnel vetting and ongoing monitoring, cyber defence at advanced industrial scale, supply chain security covering hundreds of specialised suppliers in the Brainport region, and counter-intelligence cooperation with the AIVD and the MIVD. Dutch export controls, coordinated with United States policy, restrict the sale of the most advanced EUV systems to certain destinations. The supplier base remains the area of greatest residual vulnerability, and the supplier security programme has been expanded substantially in recent years.

About the author
Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com


