In recent years, we’ve seen that new laws and regulations are placing increasingly specific requirements on ICT service providers. Consider, for example, the GDPR (which outlines tasks and responsibilities for the “processor”), the Cybersecurity Act (which mandates supply chain security and directly applies to “business-to-business ICT service providers”), and the AI Regulation (which imposes specific obligations and responsibilities on the “provider”). It’s no surprise, then, that this trend is also reflected in more and more guidelines and codes of conduct, including the Notarial Information Security Code of Conduct (hereinafter: “KNB Code of Conduct”). Given that the Royal Dutch Notarial Association (KNB) had 3.497 members at the beginning of 2025, there’s a good chance that, as an ICT service provider, you count at least one affiliated notary among your clients. This blog outlines what the Code of Conduct means for you as an ICT service provider.
The Code of Conduct was issued by the Royal Dutch Notarial Association (KNB) to help notaries take responsibility for information security. Taking on this responsibility means that notaries must critically assess their IT security management, the technical security measures in place, the requirements they impose on their ICT service providers, the agreements made with those providers, and that they must periodically evaluate their ICT service providers.
The Code of Conduct is relevant for all ICT service providers who, through their products and/or services, have (or may have) access to the information systems of a notary affiliated with the KNB.
As a result of the Code of Conduct, notaries will impose specific requirements on ICT service providers. These requirements may include, depending on the nature of the products and services provided: data protection during transmission (e.g. via email, networks, or internet connections), access rights, security incidents, backups, restore capabilities, malware, patching, updates, monitoring, logging, and the use of OTAP environments.
In addition, notaries will require that contracts include concrete agreements on information security. These agreements will cover the aforementioned requirements, as well as confidentiality obligations, the reporting of security incidents (note: distinct from data breaches), and the extension of security obligations to subcontractors.
Finally, notaries will want to conduct a risk analysis—both during the implementation of the Code of Conduct and periodically thereafter—on the products and services provided by the ICT service provider.
Familiarize yourself with the requirements of the Code of Conduct and assess whether your products and services comply. If you document this in writing, it can also serve as input for the notary’s risk analysis. Additionally, prepare an addendum to your (standard) contracts that outlines the relevant security requirements.
You may be wondering: why should I go through all this trouble if I’m not a notary myself? Well, among other reasons:
If you need help navigating this “trouble,” our firm is here for you. We have extensive legal expertise in cybersecurity from both the ICT service provider’s and the notary’s perspective, and we are happy to support you.
For questions, please contact Michelle Wijnant, Attorney at law in IT, Privacy & Cybersecurity.
Would you like to receive a monthly overview of updates and blog posts in your inbox? Click here to subscribe to the newsletter!