Majority of Municipal Websites Fail Security Standards, Posing Risks for Dutch Citizens

Approximately 75% of municipal websites fail to meet the required security standards, as per data from the Digital Insights Platform. Municipalities collectively oversee more than ten thousand websites.

While the main websites of the 342 Dutch municipalities are generally well-maintained, the same cannot be said for the increasing number of secondary websites, as reported by Interior Administration. These additional websites are often created for specific events like the Tour de France or for budget announcements, leading to a situation where outdated websites are left unattended.

Only 28% of the 10,000 municipal websites adhere to the necessary security standards set for government sites by Forum Standaardisatie. These standards include secure email communication through a protected mail server and using HTTPS for secure connections, which help in preventing phishing and spoofing attempts.

"The state of these numerous municipal websites ranges from 'poor' to 'acceptable,'" state Simon Besters and Michiel Duijsings, the founders of the Digital Insights Platform. One of the contributing factors to this issue is the lack of clear oversight by municipalities on the websites they are responsible for managing. With more civil servants taking on website creation tasks in recent years, the ownership of domain names managed by municipalities has become ambiguous. Additionally, the absence of designated personnel to monitor these websites adds to the problem.

Another challenge is the rise in collaborative efforts among municipalities, such as partnerships with tax organizations and social services. While websites are created for these collaborations, the delineation of responsibility for meeting security standards becomes blurred over time. Furthermore, there is a shortage of web professionals in the Netherlands, particularly within municipalities.

In June 2023, Forum Standaardisatie warned that at the current rate, the government will not achieve full compliance with all agreements until 2030. By then, only 40% of domains belonging to central government entities, municipalities, water boards, provinces, and related institutions met all the required safety measures.