On this page you will find the frequently asked questions.
No, the advice provided by the National Contact Point for Knowledge Security is not legally binding. The advice encourages knowledge institutions to take appropriate measures themselves.
The National Contact Point for Knowledge Security treats all your information as confidential. Would you like to report possible intelligence activities by governments of countries? Then contact the AIVD. They will treat your report as confidential.
Code of conduct
There are several codes of conduct on knowledge security. These are non-binding, but do give direction. For example, there is the National Guideline for Knowledge Security, the knowledge security framework from UNL and the EU guidelines on tackling foreign interference of the European Commission. Various countries have meanwhile developed comparable codes of conduct. These codes make it easier to discuss knowledge security with foreign partners.
Academic freedom and scientific reliability are the foundation of higher education and science in the Netherlands.
According to the KNAW, the basic principle of academic freedom is that staff members of scientific institutions are free to conduct their scientific research, publish their findings and teach. This freedom applies, among other things, to the choice of themes to be researched, the selection and application of their own research questions and methods, and access to sources of information. It also applies to publishing and sharing information through conferences, lectures and membership of scientific groups, to the choice to cooperate with scientific partners, and to providing scientific education.
In order to clarify what we mean by scientific integrity, the collective Dutch knowledge field (KNAW, NFU, NWO, TO2 federation, VH and UNL) has adopted a Dutch Code of Conduct for Scientific Integrity. In this code, the five principles that form the basis of sound research are elaborated in 61 standards for good research practices. The five principles are honesty, diligence, transparency, independence and responsibility. The code also contains guidelines on how to deal with alleged violations of scientific integrity.
Academic core values such as academic freedom and scientific integrity form the foundation of higher education and science in the Netherlands.
- The academic core values also serve as a guideline for activities with foreign partners. They offer guidance when entering into foreign collaborations. Foreign (guest) researchers and lecturers must - just like their Dutch colleagues - endorse and comply with the Code of Conduct.
- Open science is the norm in Europe: the aim is to make publicly funded research results accessible to everyone. However, there are legitimate reasons to refrain from publication. Think of the protection of national security. Make firm agreements in advance to prevent tension between the desire for maximum openness and the taking of legitimate protective measures.
- Ethical dilemmas can play a role if you cooperate with countries that do not respect fundamental rights. How can you prevent those countries from using research results to oppress or violate human rights? We recommend setting up an ethics committee within your institution to advise on the ethical use of research results.
- Knowledge institutions have a duty of care towards employees and students with regard to their social safety. In the case of students and researchers from non-free countries, this safety can be seriously jeopardised by the actions of the country of origin.
- Measures concerning knowledge security must not lead to arbitrary exclusion, suspicion or discrimination.
That depends on how the security policy is organised within your organisation. Often, institutions have a security department for any questions you may have. Does your institution have a Knowledge Security Advisory Team? Then you can also contact the information security expert. That might be the Chief Information Security Officer (CISO) or the ICT director. Many institutions are members of SURF and have Coordinating SURF Contacts. Often, the CIOs are the SURF Coordinating Contact Persons (CCS) and the ICT director fulfils that role. Many institutions are also affiliated with a (SURF) CERT (Computer Emergency Response Team). You can report incidents or ask questions to that team.
Would you like more information about what you can do yourself, how you can protect yourself online, or how your institution can contribute to its own cyber-resilience? Then contact one of the persons mentioned above. Or consult various publications, such as 'Cyberattacks by state actors' by the AIVD and MIVD. This publication deals with the seven moments at which you can stop a cyber attack by a country or state. You can also read the Guide to Cyber Security Measures - Step by Step to a Digitally Secure Organisation. It contains basic measures that must be in order for a minimum level of digital security to be achieved.
The greatest threat comes from states/countries and criminals. Coordinated cyber attacks involving states are persistent and sometimes go unnoticed for long periods of time. States and countries also use cyber attacks to spread disinformation. Bear in mind that digital risks from companies or services (e.g. cloud services) with which your institution works can also affect your organisation.
In the Cyber Security Assessment Netherlands 2021, the NCTV describes four risks to national security:
- Unauthorised access to information (and possibly its publication), in particular as a result of espionage or data leaks.
- Inaccessible processes as a result of (preparations for) sabotage or the use of ransomware.
- Violation of the (security of the) digital space, for example by misuse of global ICT supply chains.
- Large-scale failure: a situation in which one or more processes are disrupted by natural or technical causes, or by non-intentional human action.
In recent years, the EU has paid increasing attention to knowledge security and related issues. The European Commission issued several proposals on international cooperation in education, research and innovation and protecting academic values:
- Proposal for a European Agenda for Universities
- Proposal for a Global Approach to Research and Innovation
- EU toolkit on tackling foreign interference in research and innovation
European export rules on dual-use products and technology are important when entering into international cooperation. This concerns goods, software and technology for civilian use that may have military applications or may contribute to the production or proliferation of weapons of mass destruction. Examples are nuclear weapons, chemical warfare agents, biological weapons or delivery systems for such weapons. Based on the EU dual-use regulation, strict rules apply to the export and transit of products and technology. A license is required for export to countries outside the EU and in some cases for transfer within Europe.
If there is a threat to international peace and security, the EU can impose sanctions on countries, organisations, companies and individuals. Think of the EU sanctions against Iran, which prohibit the transfer of certain technology and knowledge to Iran. With this, the EU wants to prevent the development of, among other things, the ballistic missile programme. The same applies to the provision of technical assistance for these goods and technology for use in Iran.
The export of technological knowledge for civil and military applications is often subject to licensing. You can find more information on the website of the Dutch government: Export control of strategic goods.
Human resources policy
The recruitment and selection of new employees is an extremely important time for assessing safety risks. HR staff should therefore be safety-conscious and pick up on any signs of increased risk.
Is your institution or unit going to cooperate with a foreign knowledge institution or a foreign company? First of all, investigate who exactly you are doing business with. Then make clear agreements that prevent risks concerning knowledge security, academic core values and unethical use of research results. This way, you always have something to fall back on in the event of undesirable developments during the collaboration period. You can call your cooperation partner to account and possibly end the cooperation earlier (exit strategy) if risks persist.
It is important for institutions to comply with the internationally recognised ISO27007:2013 certification for information security.
SURF has developed a Standards and Assessment Framework specifically for our sector to help education and research institutions better guarantee information security and privacy. Safeguarding is also done by carrying out regular audits.
Before you leave
- Make sure you have a minimum amount of (confidential) data with you.
- Consider in advance what is on the data carriers you are taking with you. Does your laptop contain files with sensitive information that you do not need during your trip? Transfer these files to another computer before your departure, or take another (travel) laptop with you.
- The same applies to your mobile phone. Delete the call history on your phone before you leave home or take another (travel) phone with you when you travel.
- Use passwords and/or access codes for your devices, and switch the devices off when possible. You are extra vulnerable when they are on.
When on the move
- Always switch off the Bluetooth function on your phone and laptop.
- Always carry confidential information and data carriers in your hand baggage and not in your suitcase (e.g. USB sticks and phones).
- Be careful when making confidential calls on board an aeroplane, train or other public area. Some (airline) companies, for example, have close links with intelligence and security services. Also think about your fellow passengers.
At the destination
- Protect confidential information. Do not leave confidential information behind in a place where others can view it. This also applies to your hotel room or hotel safe.
- Do not give away your laptop or telephone. Ensure that you can always check whether someone has seen your information.
- Provide information selectively. When making contact, stick to the need-to-know principle: don't tell your conversational partner more than is necessary. This also applies to conferences or meetings to which you have been invited as a speaker.
- Be careful with (free) USB sticks obtained at conferences or events. They are an easy way for malware to be installed on your laptop.
Knowledge security is about preventing the undesired transfer of sensitive knowledge and technology. Transfer is undesirable if it affects the national security of our country. In addition, knowledge security is about countering the clandestine influence of states/countries on education and research. Such interference jeopardises academic freedom and social safety. It also concerns ethical issues that may arise in cooperation with countries that do not respect fundamental rights.
There are laws and regulations for dealing with threats, and your institution must comply with them (compliance). For example, within the EU there are strict rules for the export of dual-use products and technology, which have military as well as civilian applications. Not sure whether the export rules apply? Then make a classification request with the Central Office for Import and Export (CDIU).
There are also international sanctions regimes in force against countries, organisations and individuals. The current overview can be found at www.sanctionsmap.eu. For knowledge institutions, the sanctions against North Korea and Iran are particularly applicable. These form the basis for the enhanced supervision that applies to a limited number of disciplines.
To further increase the scope for action of knowledge institutions and governments, the government is preparing an assessment framework for persons seeking access to knowledge areas with a high risk to national security. The government aims to have this framework in place in the course of 2023. In addition, the government has presented a bill on foreign investments, mergers, and takeovers. This law focuses on vital providers and on organisations that possess sensitive technology.
National Contact Point for Knowledge Security
The Dutch government has set up a national contact point for expertise and advice to support knowledge institutions in the decisions they have to make in the area of knowledge security and international cooperation.
The National Contact Point for Knowledge Security provides information and advice to knowledge institutions involved in international cooperation. The institution can use this advice to weigh up the opportunities and risks. The National Contact Point for Knowledge Security is connected to all relevant sections of the national government and sector organisations. In this way, the National Contact Point for Knowledge Security is a single point of access for all questions about knowledge security.
The Office for Knowledge Security is for knowledge institutions with questions about international cooperation related to knowledge security. The desk is intended for everyone who is involved with international cooperation within knowledge institutions, from administrators to individual researchers or lecturers.
The Office for Knowledge Security is a government-wide initiative. RVO takes care of the front office. The back office coordinates with representatives of the various ministries involved.
Memorandum of Understanding (MoU)
You usually conclude a partnership via a Memorandum of Understanding (MoU). MoUs are declarations of intent that are not legally binding. We therefore advise you not to use legal language. There are numerous formats for MoUs. These offer a certain basic protection against the most common legal and financial risks. However, they do not offer sufficient protection when it comes to collaborating on sensitive knowledge with a partner from a high-risk country. In such cases, it is a matter of customisation and we recommend that you seek legal and security expertise. In some cases, the conclusion is that cooperation is not possible.
Is your institution, or part of your institution, going to cooperate with a foreign research institute or a foreign company? First thoroughly research with whom you will be working. Then make clear agreements to prevent risks concerning knowledge security, academic core values and unethical use of research results. In this way, you will always have something to fall back on during the collaboration period if undesirable developments occur. You can then call your cooperation partner to account or terminate the cooperation earlier (exit strategy) if these risks persist. The National Contact Point for Knowledge Security can give you tailored advice.
When entering into a collaboration, for example through an MoU or a contract, include a paragraph on the use of the results. This should include agreements on the publication of the results, and on whether strict intellectual property or confidentiality requirements apply to end users and specifications. You can also stipulate that the cooperation can be terminated if one of the parties does not comply with these agreements.
Pay specific attention to:
- Ethical dilemmas: These come into play if you cooperate with countries that do not respect fundamental rights. How do you prevent these countries from using research results for oppression or violation of human rights? We recommend setting up an ethics committee within your institution to advise on the ethical use of research results.
- Open science: The aim is to make publicly funded research results accessible to everyone. However, there are legitimate reasons to refrain from publication, such as protecting national security. Make good agreements in advance to prevent tension between the desire for maximum openness and the taking of legitimate protective measures.
To assess a country's risk profile, use public threat information such as the Statutory Actors Threat Assessment produced by the NCTV, AIVD and MIVD. You can also consult international rankings. Poor scores in rankings on academic freedom and respect for the rule of law should set alarm bells ringing. However, a bad score does not necessarily mean that you should rule out cooperation with institutions from that country. It does mean, however, that you should take proper precautions in that case. The National Contact Point for Knowledge Security can give you tailored advice.
Sensitive areas of expertise
It is important to carefully map out sensitive knowledge areas within your organisation. Think about dual-use technologies and knowledge that can be used unethically. Also map out your "crown jewels": the areas in which your institution is a global leader. Carry out a brief risk analysis for each sensitive knowledge area.
Find out for yourself where within your institution this unique, sensitive knowledge is to be found, what threats there are and what measures you can take against them. Bear in mind that technological developments can make a technology more or less sensitive in the course of time. We therefore recommend working with a dynamic list of sensitive knowledge areas that you review from time to time. The AIVD account manager can assist you in performing risk analyses within your organisation.
The Netherlands runs the risk that transferred knowledge may later be used for purposes that directly affect our national security, for example in the form of military resources. Or that this knowledge will be used for purposes that go against our fundamental values, such as (mass) surveillance tools.
In addition, states/countries also try to influence opinions and publications and censor scientific research and research results, for example through financial dependence. Some states/countries also keep an eye on their compatriots. This is to prevent them from expressing unwelcome opinions on their home country during lectures or conferences, for example.
The pressure of these activities can lead to self-censorship, where individuals and groups do not always dare to express themselves openly in a critical manner. Or to situations where academics are prevented from publishing research results that are unpleasant for a certain country. This threatens fundamental rights such as freedom of expression and core values such as academic freedom and scientific integrity.
An AIVD account manager can help you carry out risk analyses at your institution. Would you like to know more about the risk profile of specific countries? If so, contact the National Contact Point for Knowledge Security. The desk has close links with all the relevant government departments and services, including the country experts at the Ministry of Foreign Affairs.
Tools and frameworks
There are various codes of conduct about knowledge security. These are non-binding but do give direction. For example, there is the National Guideline for Knowledge Security, the knowledge security framework of the UNL and the EU guidelines on tackling foreign interference of the European Commission. Various countries have meanwhile developed comparable codes of conduct. These codes make it easier to discuss knowledge security with foreign partners.
We advise you to draw up a visitor protocol to limit the risks during visits to sensitive locations. Conversely, a business trip to countries with an increased risk profile - for example because you are participating in a conference - requires the necessary preparation and alertness. The National Contact Point for Knowledge Security can provide you with tailored advice.