Cyber security
NS is continuously improving the security of its IT systems and operating systems. Its reasons for doing so include the growth in cybercrime and the situation in Eastern Europe, which involves both physical and digital threats. In the first instance, we try to resist these threats. In the second instance, we try to recover quickly if we are still affected by cyber attacks despite these precautions. We call this 'cyber resilience' and aim to improve in this area year on year.
To this end, we carried out company-wide risk analyses of our processes and assets. We learn from incidents so that we can prevent them from happening again in future. We also developed an approach for implementing several new laws in the new NS Cybersecurity Control Framework. We took further technological measures in 2024 based on our Cybersecurity Roadmap, including on the trains. We invested in cybersecurity awareness by running phishing simulations and awareness campaigns. A new team has been set up to identify cyber risks in the chain of suppliers, with the first batch of these now having been assessed. A major milestone was the design and implementation of a new cybersecurity organisational model. This enables us to take more appropriate action, as well as ensuring that the different cybersecurity departments within the organisation reinforce each other.
Complying with the Wbni, NIS2, CER and AI Act
NS is a ‘provider of essential services’, as defined in the Network and Information Systems (Security) Act (Wbni). Partly based on the cybersecurity management system (CSMS), NS is now fulfilling the duty of care and notification required under the Wbni. We expanded this CSMS in 2024 in order to comply with the NIS2 directive, the successor to the Wbni, in 2025. Last year, we launched a cybersecurity Governance, Risk and Compliance programme for this purpose. The programme also incorporates another new EU directive, the CER (Critical Entities Resilience directive). Alongside this, we are taking the first steps to also safeguard AI governance within cyber security.
ISO27001 certification
NS once again received ISO27001 cyber certification for the service processes surrounding the NS Business Card in 2024. We took further steps towards SOC2 (Service Organisation Control type 2) compliance in 2024. We are seeing more and more customers who use services such as the NS Business Card impose this cyber certification and assurance as a hard requirement for us to provide the service.
Sector-wide information sharing
NS is participating in national and international initiatives to strengthen cyber security in the railway sector and in vital infrastructure more generally. Among other things, we actively contributed to the Dutch and European Rail ISAC (Information Sharing and Analysis Centre) in 2024. We also organised a cybersecurity emergency drill together with ProRail.