Disruptions in critical infrastructures could have devastating impact. Financial loss and social disruption are just two examples of a long list of potential consequences of cyber-attacks. Public and private organizations strive to be resilient. The rise in legislation and regulation in regard of cyber security on a European Union level is indirectly used as a tool to achieve a certain goal, in this case cyber resilience.

Resilience can best be assessed by looking into the cyber security efforts and capabilities in preparation, prediction, detection, response and recovery. Telecom operators in the Netherlands in general address resilience and certain alignment in the efforts is noticeable between the different organizations. However, the prediction part of resilience is often immature. The history and the security culture within organizations plays part in the telecoms resilience. Telecom organizations have shown that there are cases in which they have already made efforts to be resilient before legislation and regulation demands them to. They then only have to modify their efforts so that it fits the exact demands.

In a final conclusion it can be said that there are several measures within telecom sector to be resilient, but these are often not a result of legislation and regulation. Stronger drivers for these organizations are related to their business objectives like client satisfaction and business continuity. Telecom organizations often already comply to legislation and regulation before it is officially implemented, because the demand for these measures was there long before legislation and regulation was enforced.

Legislation and regulation are however not experienced as useless. Even though they do not directly contribute, there is a need for a certain base level of resilience and security, which is defined by legislation and regulation.