Legal Landscapes: Netherlands – Data Protection & Cybersecurity
1. What is the current legal landscape for Data Protection & Cybersecurity in your jurisdiction?
The Dutch data protection and cybersecurity landscape is strongly shaped by EU regulation, with the GDPR remaining the central framework for privacy compliance and enforcement. In the Netherlands, the GDPR is supplemented by the Dutch GDPR Implementation Act (Uitvoeringswet AVG) and a growing body of guidance and enforcement practice from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). We see a continued focus on accountability (governance, documentation, DPIAs), international transfers (e.g. SCCs/DTIAs), and digital consumer-facing practices such as tracking technologies, online choice architecture, and transparency.
On the cybersecurity side, the regulatory perimeter is expanding quickly. The Netherlands is transitioning from the current critical-infrastructure framework to the broader, risk-based NIS2 regime (with more entities in scope, more stringent governance duties for management bodies, and stricter incident reporting requirements). The Dutch NIS2 implementing law is expected to enter into force in Q2 2026. In parallel, sectoral regimes are becoming more operational: DORA is driving a step-change in ICT risk management and third-party oversight in financial services, while product and supply-chain security obligations are growing through EU-wide initiatives (e.g. cyber resilience and security-by-design requirements).
Overall, the legal landscape is moving from “policy compliance” to demonstrable operational resilience: regulators increasingly expect organisations to show that controls are implemented and work in practice.
2. What three essential pieces of advice would you give to clients involved in Data Protection & Cybersecurity matters?
(1) Treat privacy and security as governance issues, not just legal checklists.
Clients that perform best embed privacy and security into decision-making: clear ownership, management reporting, realistic policies, and evidence that controls are implemented. Regulators are looking for “proof of practice”: training completion, audit trails, vendor assessments, and tested procedures. Make sure that privacy governance is on point: have the right operational controls and agreements between entities in place.
(2) Invest in third-party and supply-chain risk management.
A significant share of incidents and GDPR issues originate with vendors (cloud, SaaS, payroll, marketing tech, processors/sub-processors). Strong contracting is key.
(3) Assume you will have an incident, and prepare for speed and clarity.
Incident response readiness is the differentiator, starting with an up-to-date playbook. Incident readiness is ultimately a governance and compliance issue: clear executive ownership, defined roles and escalation routes (legal/IT/security), and a maintained, auditable incident-response framework. Clients should operationalise decision trees for notification and stakeholder management, align them with reporting deadlines, and communicate with regulators.
3. What are the greatest threats and opportunities in Data Protection & Cybersecurity law in the next 12 months?
A key threat is the continued expansion of regulatory obligations and the resulting enforcement and compliance burden. With broader cybersecurity requirements and more cross-regulatory scrutiny, often involving privacy, security, consumer protection and digital regulation in parallel, clients face higher expectations, shorter timelines, and a greater need for consistent governance across functions. Another challenge is the operational strain created by reporting and evidence requirements during fast-moving incidents: organisations may need to reach defensible conclusions under pressure while simultaneously managing containment, communications and stakeholder coordination. In addition, rapid adoption of AI tools is creating a new category of privacy and security risks, including questions around lawful processing, transparency, confidentiality, vendor governance and data leakage, often before organisations have mature controls in place.
At the same time, there are meaningful opportunities for clients who professionalise their governance and resilience. Organisations that integrate privacy, security and risk management into a coherent operating model are better placed to prevent incidents, manage them more effectively when they occur, and demonstrate “state of the art” practices in a defensible way. A strong privacy and cybersecurity posture is also increasingly a commercial differentiator in procurement and enterprise contracting, particularly in regulated sectors.
4. How do you ensure high levels of client satisfaction are maintained within your practice?
Clients value clarity and prioritisation, particularly in high-pressure situations, so we translate legal requirements into practical steps, with clear decision points and an emphasis on defensibility. In addition, we focus on long-term collaboration rather than purely reactive support. That means investing in the relationship.
5. What technological advancements are reshaping your practice area, and how can clients benefit from them?
Generative AI is the single biggest technological driver reshaping our data protection and cybersecurity practice right now. Clients are increasingly focused – understandably so – on the efficiency gains that AI can bring to them. They increasingly expect from us shorter turnaround times, more consistent outputs, and advice that is easier to use across the business (i.e. more practical, less legalistic). At the same time, they expect us to be strict about quality and confidentiality: what can be shared with AI tools, how work is checked, and how the reasoning is documented. In short, AI raises the bar on both speed and discipline, and clients benefit when it results in faster, clearer advice. AI essentially amplifies a lawyer’s ability to deliver top-level expert work in less time.