NATO summit exposes cyber risks for companies
June 10, 2025
There is no doubt that the Netherlands is a target for cyberattacks surrounding the NATO summit on June 24 and 25, 2025, in The Hague, says cyber expert Lokke Moerel. Stephan Nanning, Director of Security & Compliance at KPN Network, confirms this: “For KPN, thousands of attacks per day are already business as usual. It’s only logical to expect that number to rise in the run-up to the NATO summit. KPN is on high alert.”
In light of the NATO summit, Lokke Moerel and Stephan Nanning discuss the urgency of cybersecurity and the role the TIAS Advanced Program in Cybersecurity & Governance can play in strengthening organizations’ cyber resilience.
Lokke is Professor of Global ICT Law at Tilburg University, a member of the Cyber Security Council, and co-Academic Director of the TIAS program alongside Freddy Dezeure. Stephan is an alumnus of the TIAS cyber program and, in his role at KPN, is focused daily on cybersecurity and compliance with all cybersecurity regulations—including the Telecommunications Security and Integrity Regulation of the Netherlands' Digital Infrastructure Inspectorate (RDI), and the upcoming tightening of NIS2 for companies active in critical infrastructure.

The reality
Lokke: “The Netherlands is not only hosting the NATO summit, but is also one of the largest supporters of Ukraine. That’s why Russian espionage, sabotage and disinformation are serious concerns that everyone is preparing for. This is the reality we’re facing. The Dutch Military Intelligence and Security Service (MIVD) recently warned that hackers from the Russian intelligence services are actively using cyber espionage to collect information—among other things—about arms shipments to Ukraine passing through the Netherlands. The espionage infrastructure that Russia has already installed for this purpose will certainly also be used to disrupt the NATO summit.”
Collaborating with Defense
KPN, as part of the Netherlands' critical infrastructure and traditionally the telecom provider for defense, police, and several ministries, is right at the center of it all. Stephan: “In recent years, we’ve been actively working on aligning our core processes—such as vulnerability management, asset and configuration management, endpoint protection, and system hardening—with the increasing global cyber threat. Additionally, collaboration between defense, police, ministries, and KPN has intensified to ensure that cybersecurity measures are properly aligned with the cyber threats posed by the NATO summit. We’re also looking into the possibility of physical sabotage. For example, we’re checking whether all street cabinets are properly locked. Everything is being double-checked.”
Maintaining resilience
According to Stephan, KPN’s heightened alertness is all about resilience. “The NATO summit underlines, once again, how important that is. And I mean not only the resilience of businesses but also of ordinary people like you and me—whether physical, private, or digital. Our CISO has been working for years to continuously improve that resilience. A key part of this is simply ensuring that all your assets—all of them—are perfectly managed. That you know where they are, whether they’re up to date, which patches are running, and that you apply patches in a timely manner. If you're consistent in managing business continuity, endpoint protection, incident response, and vulnerability management, your resilience will be significantly stronger. That’s exactly what KPN is now laser-focused on.”
The top 3 risks for every organization
“With the NATO summit as a clear example, every study shows that cyber risks consistently rank in the top three risks for every organization,” emphasizes Lokke. “Even if an organization does not fall under NIS2 or DORA, every executive should take responsibility. If a board member says, ‘I don’t have to comply with NIS2, so I’m off the hook,’ that is no longer justifiable in my view. Cybersecurity risks are a strategic risk. It is no longer sufficient to simply delegate responsibility to the IT department or the information security officer, or to limit involvement to the annual approval of budgets.”
“And this must also be reflected in your governance,” Stephan adds. “For example, our CISO provides an update to the board of directors and the supervisory board at least once a quarter. This is very much in line with what TIAS recommends in its advanced cyber program as best practice. The structure and suggestions from TIAS on how to inform the board and translate this into management at every level of the organization have largely been adopted by KPN.”
Multidisciplinary approach
“That’s because cyber governance is a relatively new field,” Lokke explains. “What is good cyber governance? What does a board need to know to effectively manage something so new? What questions should the board ask the CISO? What are the responsibilities of the CISO, and on which topics should they report? In the advanced program at TIAS, we try to align these issues in a multidisciplinary way with the best experts. And because the participants in the program hold leadership positions, it’s not just one person learning something new—the knowledge gained is, at least that’s our hope, passed on to others within the organization.”
Learning from each other
“What’s great,” Lokke continues, “is that the program includes many seasoned professionals who contribute actively to the discussions during the modules. You’ll hear things like, ‘Do we all really agree on this?’ or ‘This may be the rule, but it’s not realistic in practice—here’s how we comply.’ Not only do the participants learn from each other, but so do the experts teaching the sessions, and Freddy and I as the Academic Directors of the program.”
Applicable knowledge
Stephan: “What makes the program especially valuable for me is the combination of academic knowledge on one side, and very senior professionals explaining how they apply—or don’t apply—that knowledge in real life, and why. Think of CISOs from companies like ASML, Akzo Nobel, and KPN acting as co-hosts and sharing how they manage cybersecurity and compliance. You can apply that directly. One particularly concrete part is the vulnerability management module by Professor Michel van Eeten from TU Delft. He focuses on risk-based management instead of using a standard vulnerability rating like the Common Vulnerability Scoring System (CVSS).”
Risk-based risk management
“You can have a vulnerability with a high CVSS score that’s rarely targeted, and another with a lower score that’s frequently targeted. After that lecture, I immediately asked internally at KPN how we would adopt this risk-based approach. The program equips me to ask the right questions. A few weeks ago, we transitioned to a risk-based approach to vulnerability management. That means we now have an even sharper strategy for addressing weaknesses in our network.”
Cyber crisis simulation: real stress!
“Another part of the program I found really impressive,” Stephan continues, “is the cyber crisis simulation with Fox-IT and Morrison & Foerster that wraps up the course. Why? Because such a tabletop exercise creates not just urgency—but stress. You forget it’s a fictional case. You feel real stress. And what’s great is that the chaos keeps escalating. After the simulation, you compare how different teams handled the crisis. You learn so much from that. I now plan to organize a similar simulation within my business unit for management, so they also experience that urgency firsthand.”
You think you know it all...
Lokke: “The point is—and I experienced this myself the first time in a simulation—you think you know a lot beforehand. But when it happens, you suddenly think, ‘Oh no, what now?’ You just don’t know. Then you realize how useful it would be to have the top ten action items listed out and ready to go. After such an exercise, you start putting that list together. You also realize you need to have it on paper, because all IT systems might be down.”
The necessary shock
“In those first stressed-out minutes, it’s crucial that you know who to reach and where to find them. You quickly see that your existing crisis plan isn’t practical enough. It’s not concrete. The simulation shows that all your knowledge still leaves you unsure what to do. People need a wake-up call to turn something that’s not a priority into a top priority. After realizing, ‘we’re not in control,’ comes the mindset: ‘we’re going to prevent this.’”
Practice-oriented integration of relevant disciplines
“Because the field is so new,” Lokke continues, “there’s no handbook on how to become a good CISO. In our Advanced Program Cybersecurity and Governance, we bring together the latest knowledge from the best experts across relevant disciplines and combine it with real-world experience from CISOs at leading Dutch companies. That creates coherence. After all, the participants in the program are the ones who need to have that big-picture oversight.”