Municipalities manage large amounts of sensitive data and critical Operational Technology. From resident data to systems that control vital infrastructure, such as drinking water supply, traffic control systems, or city lighting. All of this data and these systems must remain continuously available. But how do you ensure this? And why is now the time to start?
Municipalities are overflowing with data and systems. That works well, but it is also vulnerable. Rapid digitization is causing the number of networked systems and data sources to grow rapidly. At the same time, risks are increasing due to geopolitical tensions, and residents expect more than ever that technology will be reliable and personal data will be well protected. Meanwhile, standards and legislation are placing ever higher demands on your cybersecurity.
Let's be clear: this calls for a robust cybersecurity approach. And now is precisely the right moment to do so. With the 2026 municipal elections on the horizon, there is room for new plans, priorities, and budgets. That makes this the perfect moment to put cybersecurity back on the agenda and incorporate it into policy.
Many municipalities still lack sufficient oversight. What systems do we have in place? What security measures have been taken? And above all: who is responsible? Without clear leadership, cybersecurity often remains suspended between departments, preventing improvements from being made.
This lack of overview also makes it difficult to comply with mandatory standards such as BIO2 and NIS2. And while municipalities are experimenting with artificial intelligence to make work and services more efficient, cybersecurity often remains a side issue. By taking the initiative now, you can change that. So that cybersecurity becomes a strength rather than a risk.
Achieving better cybersecurity starts with the basics. Dozens of penetration tests we have conducted at municipalities show that these basics are often lacking. For example, many employees still regularly use passwords that are easy to guess. These five steps will help you improve your cybersecurity foundation:
An ISMS helps you gain control over the protection of information within your organization. It supports the assessment and further development of measures, so that areas for improvement become visible in a timely manner.
By having regular technical security tests carried out by cybersecurity specialists, you can identify threats in good time and tackle them in a targeted manner. Examples include penetration tests and vulnerability scans of your IT and controlled technical tests in the OT environment.
The weakest link in your cybersecurity? People. By making employees more aware of cyber threats, you can significantly reduce the risk of data breaches. Training courses, workshops, and phishing simulations contribute to this. For example, have you already considered how you will fulfill the NIS2 obligation regarding training your mayor and aldermen?
Incident Response Teams are ready to help you immediately in the event of a cyber incident. But if you only call when something goes wrong, you will probably end up at the back of the queue. By making agreements in advance, you will receive help faster, and often more cheaply.
Monitor your organization's cybersecurity and all possible access points or vulnerabilities. This allows you to nip any problems in the bud at an early stage.
The municipal elections on Wednesday, March 18, 2026, offer a unique opportunity. After all, they will be followed by coalition negotiations and discussions about the new budget. If you have a concrete plan of action in place by then, it will increase the likelihood that the new municipal executive and city council will actually invest in cybersecurity.
Digital security is also becoming increasingly important in national politics: there is even talk of a minister for Digital Affairs. In addition, the Council of Ministers recently approvedthe new Vision for Digital Autonomy and Sovereignty of the Government. Municipalities can now set a good example by making cybersecurity an explicit part of a municipal executive member's portfolio.
Cybersecurity deserves attention within every municipality. The first step? Appoint someone to be responsible for it. Have that person put cybersecurity on the internal agenda and start drawing up an action plan. The better that plan is before the elections, the greater the chance that you will actually be able to implement it afterwards.
