Digital Security and the Role of Municipalities I Recap Smart Safety & Security Talk

On 26 February 2026, the Smart Safety & Security Talk focused on digital security and the governance challenges faced by municipalities. Frank van Summeren presented insights from the study Cyber Resilience within Municipal Boundaries and the ongoing development of the Administrative Covenant on Digital Security,  which centres on municipalities’ cyber resilience. The findings have been published in the reports Cyber Resilience within Municipal Boundaries | VNG (NL) and Study clarifies the role of municipalities in digital security | VNG (NL).

The study was carried out by Frank van Summeren on behalf of the Ministry of Justice and Security, the Ministry of the Interior and Kingdom Relations, the National Coordinator for Counterterrorism and Security (NCTV), the Association of Dutch Municipalities (VNG), and the G4 municipalities. It was conducted in the context of the Administrative Covenant on Digital Security and in relation to the Dutch Cyber Security Strategy.

The central question was: how can effective executive governance be organised in a domain where incidents evolve differently from the physical world?

A Broad and In-Depth Study

The presentation was based on a robust research foundation:

• Analysis of 100+ publications (research reports, evaluations, guidance documents)

• Examination of over 200 interviews with municipal leaders

• Input from around 60 stakeholders, including ministries, provinces, municipalities, the police, the Public Prosecution Service, safety regions, and RIECs

• Consultation with administrative bodies (including boards on safety, information society, and cyber mayors)

This comprehensive exploration provided insight into how the digital security landscape is developing and where tensions arise.

Nine Incident Types, Four Categories

The study identifies nine types of digital incidents, including:

• Incidents at institutions with societal impact

• Incidents affecting public infrastructure (OT/IoT)

• Cybercrime targeting businesses or citizens

• Misuse of citizens or companies for criminal activity

• Online public disorder and disinformation

• Incidents involving municipal processes and systems

These are grouped into four overarching categories:

1. Getting one’s own house in order

2. Cyber incidents and crises

3. Cybercrime and digitised criminality

4. Online-instigated public disorder

A key finding is that municipalities play a role in all four categories, often in coordination with other public and private actors.

Physical vs Digital: Different Dynamics, Different Governance

A major part of the analysis concerns the differences between physical and digital incidents. Digital incidents are characterised by:

• Uncertainty about the location of digital assets

• Strong interdependencies and network connections

• Multi-local or supra-regional scale

• Rapid visibility of impact, sometimes followed by sudden escalation

• A different temporal dynamic compared to physical crises

These features highlight that existing governance structures, largely designed for physical safety, do not automatically align with the digital domain.

At the same time, actors from the physical safety system, such as the police, Public Prosecution Service, and safety regions, can play an important role in the digital system. Many consultation structures, crisis processes, and escalation mechanisms already exist but need to be adapted for digital incidents.

Cold and Hot Phases: Where Lies Executive Responsibility?

The analysis shows that municipalities primarily have explicit legal duties and responsibilities when digital incidents actually occur and have societal impact—the so-called hot phase. This applies especially to cyber incidents and crises, cybercrime and digitised criminality, and online-driven public disorder.

Most existing policy, however, focuses on the cold and lukewarm phases, which centre on preparation, prevention, and resilience-building. This is not contradictory for municipalities: prevention is better than cure. In the cold phase, they can invest in cyber resilience, collaboration, and clear agreements on governance and mandate, enabling effective action in the hot phase.

A particular point of attention concerns the mayor’s authority. In the physical domain, their role in public order and crisis management is clearly defined by law. In the digital domain, this legal basis is less explicit, even though digital incidents can cause societal disruption or public order disturbances. This raises questions about intervention options, mandate, and executive governance during digital public disorder or large-scale cyber incidents with local impact.

Extensive Policy, Further Development Needed

More than one hundred guidance documents, policies, and initiatives on digital security have now been developed. The analysis shows, however, that further elaboration is required, particularly in the areas of:

• Duties and responsibilities

• Governance and mandate

• Alignment between policy and practice

• Development of instruments for the hot phase

It is also recommended that the digital security landscape be periodically updated, for example, every two years, using concrete case studies to better define governance needs.

Next Steps: Administrative Covenant on Digital Security

The study’s insights provide input for the development of the Administrative Covenant on Digital Security. This covenant will determine which conclusions and recommendations will be implemented by, among others, the Ministry of the Interior and Kingdom Relations (BZK), the Ministry of Justice and Security (JenV), the Association of Dutch Municipalities (VNG), and the G4 municipalities.

The report will also be widely shared so that municipalities can apply the insights locally.

Conclusion

The Smart Talk made clear that digital security is no longer a separate policy domain but an integral governance issue. Digital incidents behave differently from physical crises and require clear executive governance, defined responsibilities, and an update of existing governance structures.

Effective digital security relies not only on technology but above all on executive positioning and the joint development of the safety system.

Impact Coalitie Safety & Security is a collaboration between municipalities, the police, knowledge institutions, businesses, VNG, and Security Delta. It acts as a catalyst and agenda-setting platform for cities, accelerating the adoption of smart city innovations that enhance urban safety and security. More info: https://veiligesmartcities.nl/

Photocredits: Istock/gorodenkoff