AI - Blog Technology & Data ⸱ 09-03-2026

Cyber risks in the housing association sector: why the Cybersecurity Act (NIS2) now belongs on the board agenda.

In February 2025, personal data of housing applicants and tenants suddenly appeared on a public website. A year earlier, a ransomware attack on supplier AddComm exposed another risk: the vulnerability of the digital supply chain. Housing associations were forced to inform tenants that their data may have been compromised.

These incidents demonstrate that cyber risks are no longer confined to the organisation itself. Instead, they often emerge within the supply chain—among suppliers and digital partners.

This is precisely where boards typically have the least visibility, yet where incidents have immediate impact on the organisation: affecting tenant trust, organisational reputation, and regulatory scrutiny.

The reality is therefore straightforward: it is not a question of if an incident will occur, but when. The real question for boards is whether their organisation is operationally and strategically prepared.

In this blog by Reny Stark and Alexander van Lunteren, you will learn why cyber risks in the housing association sector increasingly originate outside the organisation, what the introduction of the Cybersecurity Act (NIS2) means for boards, and which practical steps housing associations can already take to strengthen their digital resilience and supply chain governance—before an incident occurs.


From security to demonstrable resilience

The European NIS2 Directive is being transposed into Dutch law through the Cybersecurity Act. The objective is clear: to better protect networks and information systems against digital disruption and cyber attacks.

The legislation focuses on essential and important entities and places emphasis on three key areas:

  • board-level accountability
  • risk management
  • supply chain security

In practical terms, this means the bar is shifting from simply “having measures in place” to “being able to demonstrate that they are effective”—even under pressure.

For housing associations, this means cybersecurity is no longer purely a technical issue. It is about governance. Who makes decisions? Who reports an incident? Who communicates with tenants, regulators and partners? And what agreements are in place with suppliers when something goes wrong?

“Does the Cybersecurity Act apply to my housing association?”

The Cybersecurity Act applies to organisations designated by government as essential or important to the functioning of society, such as those operating in sectors like energy, transport, digital infrastructure, healthcare and certain digital services.

For housing associations, the situation is more nuanced. The sector is not currently explicitly designated under NIS2. This means that most housing associations are unlikely to fall directly within scope. However, this does not mean the legislation is irrelevant.

Digital resilience is increasingly an explicit area of focus for financiers, regulators and partners. They expect organisations to demonstrate control over their digital risks and their supplier dependencies.

This is particularly relevant for housing associations, as many core processes rely on third-party systems—such as:

  • tenant portals
  • communications platforms
  • cloud storage
  • data processing services

When an incident occurs within these systems, the impact ultimately falls on the housing association—affecting its services and its tenants.

As a result, boards will increasingly need to explain:

  • which digital processes are critical
  • which suppliers are involved
  • what security arrangements are in place
  • how incidents are reported and managed

In addition, preparedness takes time. Establishing governance structures, incident processes and supply chain agreements often requires months.

For boards, the practical reality is this: it is not only about whether the law formally applies, but whether the organisation can demonstrate that its digital risks and supply chain dependencies are under control.

Three common pitfalls in practice

a) Supply chain dependency

The ransomware attack on AddComm highlighted how vulnerable digital supply chains can be. A third-party provider is compromised, and housing associations must warn tenants of potential data breaches and phishing risks.

For housing associations, supplier management must go beyond procurement and service-level agreements. It also includes:

  • security requirements
  • audit and reporting arrangements
  • incident procedures
  • service continuity

The key question is simple: what happens if a supplier fails, and how quickly can you recover?

b) Incident reporting: the 24-hour reality

Once an incident is identified, an initial notification must be submitted within 24 hours to the national Computer Security Incident Response Team and the relevant authority. In practice, this is more complex than it sounds.

Incidents often begin as something seemingly minor—such as a system issue, unusual behaviour in a tenant portal, or a process that suddenly stops working. At that stage, the facts are usually incomplete. Critical information about cause, timeline and impact often sits with the supplier or even their subcontractors.

This creates a dependency: organisations may need to report and communicate while still waiting for technical analysis and logs.

This is precisely why it is risky to be fully dependent on a supplier for facts and impact analysis during the first 24 to 72 hours. If personal data is involved, GDPR obligations also apply. Organisations must not only report, but also explain what happened, what data was affected, and what actions are being taken.

c) Governance: “no one was responsible” is no longer acceptable

Digital resilience requires clear leadership decisions. How much risk is acceptable? Who takes decisions during an incident? And how are decisions made under pressure regarding communication, recovery and reporting?

Without clear agreements, organisations quickly fall into a familiar trap: everyone is involved, but no one is accountable.

This is why cyber resilience starts with governance. In practice, this means:

  • one board member or executive with ultimate accountability for digital resilience
  • a crisis team with predefined roles (board, IT, legal, communications)
  • a decision-making protocol for the first 24 hours of an incident

The objective is not to script every scenario, but to ensure that, when an incident occurs, it is immediately clear who leads, what information is required, and which decisions must be taken and when.

Cyber resilience is therefore not an IT project. It is a board-level responsibility that must be organised just as rigorously as financial or operational risk management.

What housing associations should do

a) Create a single overview of critical processes and suppliers

Not all systems are equally important. Start by identifying 10–15 processes that directly affect tenants, such as:

  • tenant portals
  • repair requests
  • payment processes
  • communications with housing applicants

For each process, link the key suppliers and IT services.

The goal: a single overview (ideally one page) clearly showing:

  • which processes could fail
  • which suppliers are involved
  • what data may be affected
  • who to contact first
  • which decisions may require board involvement

b) Formalise and test incident arrangements

The 24-hour reporting requirement makes clear agreements with suppliers essential.

At a minimum, define:

  • when and how you are informed of incidents
  • who conducts forensic investigations and who bears the cost
  • what logging and reporting is available
  • what continuity arrangements apply

In the critical early days of an incident, it must be clear who does what.

c) Run a scenario exercise with the internal crisis team

A short table-top exercise often provides more insight than extensive policy documentation.

Choose a realistic scenario, for example:

  • a supplier breach with potential leakage of tenant data
  • a tenant portal outage disrupting services

Discuss key questions explicitly:

  • who decides
  • who communicates
  • who reports
  • what must be done within the first 24 hours

For organisations seeking deeper insight, a realistic cyber simulation can be highly effective. This allows boards and management to experience an incident in real time: what information is available, who takes the lead, and what reporting obligations apply?

Practical next step

Many housing associations recognise that digital risks increasingly require board-level attention, but are still looking for a practical way to organise governance.

This is where we can provide targeted support.

  1. In-house cyber simulation or crisis training
    We deliver realistic cyber simulations for boards, management teams and crisis teams. Participants experience how an incident unfolds in practice, what information is—and is not—available, and which decisions must be taken under time pressure. This quickly highlights where governance, communication and decision-making require strengthening.
  2. Incident response plan for housing associations
    We have also developed a practical incident response plan tailored specifically to housing associations. It helps organisations define roles and responsibilities, outline required actions during an incident, and structure reporting and communication processes.

For organisations aiming to structurally strengthen their digital resilience, we also support the full compliance journey—covering governance, supply chain arrangements, incident processes and preparation for the Cybersecurity Act.

Would you like to receive the incident response plan for housing associations or explore what a cyber simulation could mean for your organisation?

Please feel free to contact Reny Stark, Partner Technology & Data, at:
r.stark@lexence.com

Roadmap

Would you like to gain a comprehensive overview and determine which digital obligations should truly be prioritised within your organisation?

Download the Digital Compliance Roadmap 2026 below and discover where to focus your strategic efforts today.
