
Timon Domela Nieuwenhuis Nyegaard (Senior Consultant) reflects on his six-month experience as a Policy Advisor for Digital Safety at the Association of Dutch Municipalities (VNG). In this role, Timon explored the challenges and opportunities of translating high-level digital policies into practical solutions for municipalities, sharing key insights and milestones achieved during his tenure.

Timon Domela Nieuwenhuis Nyegaard Cybersecurity consultant

Reflecting on Six Months at the VNG

From June to December 2024, I fulfilled the role of Digital Security Policy Advisor at the Association of Dutch Municipalities (VNG). I was temporarily posted there by ADC, the data and AI consultancy where I work as a Senior Consultant. The role at the VNG felt a bit like coming home, given my previous work as a cybersecurity policy advisor at the Ministry of Economic Affairs.

Despite that previous experience, I gained many new insights into the ins and outs of digital security in the world of municipalities. The main thread is the challenges involved in translating abstract sectoral, national, and sometimes even European policies into the very concrete and practical context of the daily work of municipal officials. In this brief reflection, I outline a few of these insights.

Understanding the Role of the VNG

To understand the work of a policy advisor, it is important to understand the role of the VNG. The VNG is an advocacy organisation for all 342 Dutch municipalities. Policies are determined by the General Members Assembly, and funding comes from membership contributions, resources for joint implementation (GGU), and government subsidies.

The VNG’s main tasks are:

  1. sharing knowledge between municipalities
  2. advocating for municipal interests at the national and EU levels, and
  3. supporting municipalities in carrying out their work.

This places the VNG in a complex stakeholder environment with a shifting political landscape that requires a high degree of flexibility.

The Financial Challenges Facing Municipalities

The VNG’s funding comes from various sources. But what happens if those sources run dry? That is exactly what is about to happen. Starting in 2026, the government will implement a new financing system. Money from the municipal fund will be allocated using a new distribution key. According to various calculations, municipalities will have €2 billion less to spend after 2025, leading to 2026 being dubbed “the cliff year” in municipal circles.

What does this mean for the VNG? Despite the budget cuts, there will be no cuts in contribution resources. However, municipalities will increasingly look to the VNG for support in carrying out their work. Budget deficits force municipalities to collaborate more, making the VNG’s role increasingly important.

Digital Security and Financial Constraints

One of the challenges where tight budgets are an obstacle is digital security. This is because municipalities will need to comply with stricter European cybersecurity legislation—the NIS2—by mid-2025. The Dutch implementation of NIS2, the Cybersecurity Act, requires municipalities to improve their digital security by adhering to a duty of care (for their digital infrastructure) and an obligation to report (digital incidents). The Dutch Authority for Digital Infrastructure (RDI) will oversee compliance with the Cybersecurity Act, with potentially hefty fines for non-compliance.

Municipalities have expressed significant concerns about the feasibility of NIS2, including through motions such as “No NIS2 in the chain before we know more” and “NIS2: no tasks without cash.” In other words, how can municipalities do more for digital security while receiving less money to implement new measures?

A logical follow-up question is: how much money do municipalities need to comply with the Cybersecurity Act? However, due to uncertainty about the practical implementation of the required measures and their precise impact on municipal operations, this question seems impossible to answer at the moment. Few areas highlight the gap (or “cliff”) between European policy and local implementation as clearly as this one.

The Perception of Municipal Workplaces

“Boring, slow, and bureaucratic.” Not exactly the image you want as an employer. Yet, this is the “dusty image” that research from the A&O Fund (2023) attributes to municipalities. It is cited as a key reason why some municipalities struggle to recruit and retain staff.

Combine this with a growing global shortage of cybersecurity experts (19,000 unfilled positions in the Netherlands in 2022, according to the Ministry of Economic Affairs) and the resulting competition with large private-sector companies, and you have a recipe for disaster.

The Impact of NIS2 on Staffing Needs

There is currently no exact figure for the number of unfilled cybersecurity roles in municipalities. However, it is expected that the arrival of NIS2 will cause this number to rise rapidly, showing that a lack of money is not the only problem municipalities face. But what kinds of people are needed? Don’t most municipalities already employ good IT staff? Data shows that a large portion of this workforce will retire in the near future (Social Economic Council, 2023).

Moreover, municipal cybersecurity work extends far beyond just technical tasks. Staff are also needed to tackle online-driven disruptions, plan for minimising the impact of major digital incidents, and engage with suppliers of digital products and services.

Outsourcing Digital Security

The consequence of the shortage of money, people, and technical execution capacity—combined with the looming dark cloud that is NIS2—is that many municipalities have ‘outsourced’ their digital security. Although municipalities remain formally responsible for their information security, in practice, there is often a heavy reliance on the expertise and decision-making of suppliers of ICT services or cloud solutions.

Since the number of suppliers is often limited, we can question the room for negotiation that remains for smaller municipalities, for example, when it comes to including or adjusting security requirements in procurement contracts, or the possibility of repercussions if agreements are not met. With good reason, stricter requirements have been included in the NIS2 regarding the security of digital supply chains.

Strategic Digital Autonomy

Strategic digital autonomy is a hot topic with European policymakers. Many organisations make a ‘Faustian bargain’ where convenience is chosen over self-determination. Especially for smaller municipalities, it seems more a matter of necessity than a well-considered decision. But if this nut is already nearly impossible to crack at the European level, what scope remains for a municipality?

How do you prevent suppliers from passing on the costs of stricter security measures to municipalities? And how do you adjust an existing collaboration without breaking all ongoing contracts? The Digital Agenda for Municipalities 2028 plans to actively steer the translation of public values and digital rights into procurement and collaboration with suppliers of digital services. But given the challenges outlined above, how feasible is it for municipalities to actually take on this coordinating role in practice?

Addressing the Challenges Step by Step

So… there is too little money, a staffing shortage, and a significant dependency on suppliers. Are municipalities inevitably doomed to digital insecurity and sky-high ‘non-compliance’ fines under the NIS2? Not necessarily. At the moment, digital security in municipal land feels a bit like the elephant in the room. And how do you eat an elephant? One bite at a time.

Firstly, we would do well to accept the following ancient cybersecurity wisdom: “100% security does not exist.” Technology develops quickly, and both attack methods and the systems to be defended are constantly changing. Today’s patch can be tomorrow’s vulnerability. Cybersecurity purists and risk managers will even speak of security as a continuous state of awareness and adaptability. This makes perfect the enemy of good enough, and the major challenge municipalities now face should not result in paralysis. Every step forward counts.

The Importance of a Risk-Based Approach

We must determine where to begin. The answer to that question lies in the philosophy behind NIS2: a risk-based approach. The directive aims to increase digital resilience and limit the impact of cyber incidents across the EU. In other words, the main focus should be on those threats or vulnerabilities that can lead to incidents with a significant societal impact.

Municipalities should conduct a risk analysis for all digital processes within their own organisation and be given the opportunity to address the greatest risks first through an incremental growth path. To prevent 342 municipalities from reinventing the wheel 342 times, the VNG’s information security service (IBD) gives advice about the most common risks and how to mitigate them.

The Role of the Supervisor in NIS2 Compliance

It is essential that the supervisor for NIS2, the RDI, strikes the right balance between the “carrot” and the “stick”. In August 2025, we won’t see vans with RDI inspectors parked outside municipalities’ doors, says Jasper Nagtegaal, Director of Digital Resilience at the RDI, in an interview with Binnenlands Bestuur. During the interview, he states:

“It is quite possible that the RDI will eventually visit, but not to specifically review the information management of a single municipality. And those fines? Although the RDI does not immediately focus on enforcement, it is possible to impose fines on municipalities that are in serious violation. But you should think of situations where unacceptable risks arise or that cause great societal unrest, for example, if the services of a large municipality are disrupted for a long period of time.”

A situation with “the supervisor as your best friend” is probably not realistic. At the same time, both parties still need to figure out what NIS2 compliance will look like in practice. A collaboration based on trust is the fastest route to a targeted and proportional audit process. Ultimately, both the municipality and the supervisor have the same goal in mind: to make the Netherlands digitally safer.

Loose Ends...

The main thread is the challenges involved in translating abstract sectoral, national, and sometimes even European policies into the very concrete and practical context of the daily work of municipal officials. Digital security is a long-term challenge, and naturally, there are still loose ends after six months. Nevertheless, I conclude this role not only with new insights but also with several milestones.

I have helped the VNG to make their policy for NIS2 more concrete, drafted a strategic plan to address the shortage of digital security personnel, and, together with key stakeholders, taken the first steps towards working on digital supply management. The insights and experience I have gained I will take with me into my next projects to help public organisations with a secure and value-driven digital transition.

Continue the Conversation

To learn more about this project and how it can be applied to your organisation, please reach out to Timon Domela Nieuwenhuis Nyegaard (Senior Consultant).
