Research on the Cyber Resilience of Dutch Municipalities in an International Security Context

This research was commissioned by the Impact Coalitie Safety and Security (ICSS) and conducted as part of a master’s thesis in Law and Politics of International Security at Vrije Universiteit Amsterdam. It forms part of HSD’s Smart Secure Societies Programme and examines the intersection between local cyber resilience and international peace and security law. The study explores how Dutch municipalities respond to cyberattacks, the extent to which international legal frameworks guide their strategies, and offers recommendations to strengthen municipal capacity within the broader global cyber resilience context.

Cities are on the frontline of global cyber conflict. By integrating digital technologies into their operations and public services, municipalities advance efficiency. However, this also increases risks, including exposure to cyberattacks from foreign state actors. While international laws on cyber conflict could provide crucial guidance on municipal cyber-policy, they are currently absent from the local toolbox. This research explores how Dutch cities respond to cyberattacks, and whether their response protocols are guided by international peace and security law. It also presents recommendations to empower municipalities to act strategically within the global cyber resilience framework.

Digital technologies are transforming cities at breakneck speed. From intelligent traffic management and sensor networks to digitalised social safety and public services, Smart Cities are redefining how urban life is organised. The Netherlands, with its forward-leaning approach to digital innovation, has embraced this transformation. But as local governments adopt IT- and OT-driven strategies to manage critical services, they also expose themselves to unprecedented and border-crossing exploitation of vulnerabilities.

These vulnerabilities unfold in a domain where legal and political boundaries remain largely uncharted. To shed light on this gap, recent research examined how Dutch municipal cyber strategists respond to cyberattacks - and to what extent they draw on international peace and security law for guidance. The results are both noteworthy and thought-provoking: although cities are emerging as frontline targets in global cyber conflicts, their defensive strategies remain almost entirely disconnected from the international legal frameworks that govern war and peace.

From city walls to firewalls

Historically, cities defended their citizens with stone walls and fortifications. Security was a visible, physical promise: to keep enemies out and urban life safe within. Today, physical facades have transformed to digital barricades. In an era where daily life depends on interconnected systems, firewalls and cyber defences must now safeguard everything from power grids and emergency response networks to hospitals and ports. The stakes are high.

For instance, a major cyberattack on Rotterdam, home to Europe’s largest port, could destabilise logistics and trigger broad economic and social consequences. This illustrates how deeply local disruptions can resonate at the national level, and why strong municipal cyber policies are vital in the Dutch context. In this new reality, cities remain guardians of their citizens’ security. Yet, the battlefield has shifted to the digital domain where every service, system, and structure is wired together.

According to The Netherlands Cybersecurity Strategy 2022-2028, international cyberthreats are growing bigger and are more often politically charged. It is typically cities that take the first hit and mount the first response. But unlike nation-states, local governments lack the resources and legal tools to see these assaults as anything beyond day-to-day crises, even when they carry the fingerprints of hybrid warfare.

The research: probing the global–urban security nexus

Cyber incidents have become routine for Dutch municipalities. This study combined doctrinal legal analysis, international relations theory, and empirical inquiry through interviews with municipal senior cyber-strategists and national cybersecurity professionals. The interviews revealed that phishing, ransomware, and distributed denial-of-service (DDoS) attacks are the most common. Yet, these incidents rarely reach the severity of an “armed attack” under international law. Instead, the picture that emerges is one of uneven capacities: most cities lack the forensic expertise to trace attacks independently and must rely on private companies or national intelligence services. Crisis management, meanwhile, is guided by the GRIP framework, which is designed to safeguard continuity and vital services, yet has almost no connection to international legal frameworks on peace and security.

The bottleneck: attribution and law

Formally, international peace and security law applies (largely) to cyberspace, specifically the regulation of the use of force and the right to self-defence among states. In practice, however, its use remains severely limited. The key obstacle is attribution: determining who is responsible for a cyber operation is technically complex, politically sensitive, and legally demanding. Even states struggle to invoke frameworks such as International Peace and Security Law under these conditions. For municipalities, the gap is even wider. Operating at a different legal and geographical level, they lack both the authority and the resources to apply these norms. As a result, international law on warfare is effectively absent from their playbooks, leaving local officials dependent on crisis-management tools like GRIP while legal prosecution remains out of reach.

Fragmented governance, rising risks

Beyond attribution, this research has highlighted a broader issue: fragmented governance. Municipalities described coordination with national authorities as inconsistent and often reactive, with some even calling for structural reforms such as the creation of a Ministry of Digitalisation. While regulatory frameworks like the EU’s NIS2 Directive and the Dutch BIO2 standard provide direction, their local implementation remains patchy and uneven. Experts further warned that only cyberattacks of extraordinary severity might justify invoking international law. Yet, attribution hurdles and political sensitivities make infringing such thresholds nearly unreachable. Municipalities thus find themselves trapped - caught between rising exposure to state-backed cyber threats and a legal system designed to operate at the national rather than the local level.

Broader Relevance

The implications extend far beyond the Netherlands. As urban life worldwide becomes increasingly dependent on digital technologies, cities are emerging as frontline nodes in geopolitical cyber conflicts. Countries experiencing conflict or political instability are especially at risk, as weak governance structures and fragile infrastructures leave them more exposed to digital threats. These municipalities are dangerously underprepared, both technically and legally. This gap matters not only for the territories directly affected but also for the wider international legal and policy community. Municipal resilience is becoming a cornerstone of global stability. Cities are no longer peripheral actors in international peace and security; their ability to withstand and respond to cyber threats carries global consequences. There is untapped strategic potential of cities within the global urban security nexus.

A Call for Recalibration

The study calls for stronger coordination between national and local levels, expanded forensic capacity, and clearer legal pathways for interpreting cyber incidents. Policymakers are urged to recalibrate the role of cities in the global security architecture. While municipalities are not signatories to the UN Charter, they are deeply embedded in the peace and security ecosystem it seeks to uphold. Bridging the gap between international norms and local realities is therefore urgent. Strengthening the role of cities in cyber governance will not only bolster local resilience but also reinforce the practical relevance of international law in an era where invisible digital attacks can destabilize societies as profoundly as conventional warfare.

A complete summary of the research, along with additional recommendations designed to bridge the gap between international law and local operational practice, can be found here. For further questions or comments, feel free to reach out to simone.hefting@securitydelta.nl (researcher) or mark.ruijsendaal@securitydelta.nl (programme director).

Impact Coalitie Safety & Security is a collaboration between municipalities, the police, knowledge institutions, businesses, VNG, and Security Delta. It acts as a catalyst and agenda-setting platform for cities, accelerating the adoption of smart city innovations that enhance urban safety and security.

Photocredits: Istock/greenbutterfly