Decoding the world of cybersecurity

Dutch public bodies get threat-sharing mandate

The Dutch NCSC says STIX and TAXII 2.1 are now mandatory for government bodies, putting machine-readable threat intelligence into public-sector procurement and operations.

Dutch public bodies get threat-sharing mandate
Summary
  • STIX and TAXII 2.1 were added to the Dutch “comply or explain” list from 1 July 2026.
  • Municipalities, provinces, central government, water boards, and executive agencies must apply the standards.
  • The move pushes structured, real-time threat intelligence sharing into public-sector operations and procurement.

The Dutch National Cyber Security Centre says STIX and TAXII version 2.1 are now mandatory for government use, strengthening the role of machine-readable threat intelligence in public-sector cyber resilience.

From 1 July 2026, the standards have been added to the Netherlands’ “Pas toe of leg uit” list, the Dutch “comply or explain” mechanism for public-sector open standards. The requirement applies to municipalities, provinces, central government, water boards, and executive organisations. Other public-sector organisations are strongly advised to adopt the standards.

STIX and TAXII are used to describe and exchange cyber threat information in a structured, machine-readable way. STIX provides the language for representing indicators, attack patterns, malware, vulnerabilities, threat actors, and relationships between them. TAXII provides the transport mechanism for sharing that information between systems.

The NCSC says the standards make it possible to describe and share information about cyber threats and attacks in real time, allowing government organisations to take security measures faster and more effectively. Its notice says version 2.1 replaces earlier 1.* versions, which are now outdated and supported only to a limited extent by vendors.

The change is practical rather than symbolic. Public authorities increasingly depend on security operations centres, managed providers, threat intelligence feeds, vulnerability platforms, SIEM tools, endpoint systems, and sector information-sharing arrangements. When those systems do not use the same language, threat information can arrive slowly, lose context, or remain trapped in manual processes.

By placing STIX/TAXII 2.1 on a mandatory standards list, the Netherlands is pushing interoperability into procurement. Public buyers will be expected to request the standards when they buy or renew relevant security services, unless they can explain why they are not applicable. That can shape how suppliers build integrations, how threat intelligence services are specified, and how public bodies evaluate claims about automation and response speed.

The updated functional scope also reflects how threat intelligence is used in practice. The NCSC says the concept of “exchange” has been changed to “providing and/or obtaining,” because threat intelligence sharing does not always require reciprocal communication. A public body may only consume information from a supplier or national source, yet still need the same standardised format to ingest it effectively.

The policy sits within a broader European move towards operational cyber resilience. NIS2 has increased expectations around risk management, incident reporting, vulnerability handling, and cooperation across essential and important entities. In that environment, information sharing cannot rely only on PDF alerts, emails, and manual enrichment. Structured formats are becoming part of national cyber defence infrastructure.

The requirement also creates a discipline for suppliers. Claims about threat intelligence, detection, exposure management, and automated response are easier to test when buyers can ask whether a product supports current, open, machine-readable standards. Proprietary formats will still exist, but public-sector security functions need a baseline that allows information to move across tools and organisations without unnecessary friction.

The Dutch mandate turns a resilience ambition into a standard that government buyers, security providers, and public-sector operators can build around. Its value will be measured through procurement documents, supplier support, SOC integration, and the speed with which public bodies can act on trusted threat information.

×