In 2024, Els De Busser and I (Parto Afshari) published: The New F-word: the case of fragmentation in Dutch cybersecurity governance. The central question in this paper is whether this cybersecurity governance landscape could be regarded as fragmented in the first place. In spite of lacking thresholds for when institutional structures can be regarded as such, the 29 organisations we found divided over 7 ministries, made a convincing case. And now, two years later, there is already a slight shift towards more integration.

Since January 2026, the National Cyber Security Centre (NCSC, Ministry of Justice and Security), the Digital Trust Centre (DTC, Ministry of Economic and Climate Affairs), and the Computer Security Incident Response Team for Digital Service Providers (C-SIRT-DSP, idem), have officially merged into one organisation: the NCSC. Positive news, as this step will harmonise their practices, increase effectivity, and create a central point for Dutch vital infrastructure and public and private organisations for matters related to cybersecurity and threat information.

The House of Cyber

The House of Cyber announcement is taking integration to a next level, and is prospected to enhance collaborations and information sharing between partners working on cybersecurity. This initiative, following the French model of 'Campus Cyber', has already been proposed a few years ago by the former director of the NCSC. The coming House of Cyber now seeks to be the place where multiple public and private organisations can come together to work on cybersecurity in one building, located in The Hague (Mariahoeve). It seeks to house a plethora of both public and private organisations, including but not limited to: the NCSC, the National Police, Ministry of Defence, TNO, and the Hague Security Delta.

A unique step, given the spatial fragmentation these organisations are currently subject to. Spatial fragmentation implies the physical distance between actors and organisations. This integration may facilitate easier recognition of partner organisations, the intensification of collaborations, faster information and knowledge exchange, informal interaction, and more effective coordination during acute cyber threats. Additionally, with the creation of a centre in which expertise is centralised, the shortage of (technical) cybersecurity expertise can be mitigated. This would not only result in the sharing of expertise, but also alleviate the current competition for it among public and private organisations. By omitting the physical barrier of spatial fragmentation, travel time between organisations and institutions could be reduced, and entry procedures could potentially become faster and more harmonised.

Further considerations include the potential creation of a common culture in which the distinct public or private organisational cultures could blend into a more collectivist culture with a common raison d’être and goal: strengthening digital resilience.

Recent cyber attacks in the Netherlands have only further illustrated the urgency for enhanced collaboration in this pursuit. Take the hack on telecom provider Odido, which has demonstrated once again how both public and private partners are inextricably linked. Examples being the NCSC and the Ministry of Economic Affairs maintaining close contact with telecom providers on prevailing cyber vulnerabilities and threats, and the collaboration with sector organisations through one of the many sector specific Information Sharing and Analysis Centers (ISACs) that are based in the Netherlands. Or the close communication between the Dutch Police, the Dutch Data Protection Authority, Odido, and Veiliginternetten.nl: to assess the potential misuse of the leaked data, and provid tips to victims for the mitigation of these consequences. 

Challenges

The more relevant question, however, is not whether this measure is desirable, but rather what potential challenges are worth considering. I will discuss three of them here.

First, it raises questions about the extent to which organisations will have the required legal mandates to share information among each other, as the existing legal barriers will not disappear with a shared roof.

Second, moving in together may reduce some physical barriers, but while the organisations will share a main entrance, they will remain separate entities. This raises questions about the varying access and security protocols the organisations respectively apply. Imposing additional barriers to access and exchange ‘in house’ might therefore dilute the very purpose of this initiative. With the risk of sounding Kafkaesque, I argue that the pursuit for more coordination and integration could, paradoxically, tighten existing constraints within the governance of cybersecurity, with additional red tape. 

Third, moving distinct cyber teams of a variety of public and private organisations to one shared building, simultaneously detaches these teams from their respective organisational contexts and cultures. Integration in one domain may inadvertently result in fragmentation in another. Striking a balance between these two is therefore worth considering.

Ultimately, however, the House of Cyber is a promising initiative that enhances integration and is an integral approach in tackling digital threats and strengthening digital resilience. Still, the central question we need to keep asking ourselves is: to what extent are we truly fragmending the governance of cybersecurity?

• safety

Share on Facebook Share by Bluesky Share on LinkedIn Share by WhatsApp Share by Mastodon