Security Operations Center - Dutch Tax and Customs Administration

In accordance with RFC 2350 you will find more information about the Security Operations Center - Dutch Tax and Customs Administration (BD-SOC), its channels of communication, and its roles and responsibilities.

Version 1.0 – 31 January 2024

General information about the BD-SOC can be found at


Visiting address

Laan van Westenenk 490-492
7334 DS Apeldoorn
The Netherlands

Postal Address

Postbus 9050
7300 GM Apeldoorn
The Netherlands

Email address

In any case use BD-SOC email address:
Information about reaching out to the BD-SOC can also be found at Meld datalek, beveiligingslek, zwakke plek of misbruik computersystemen.

Our regular response hours (local time) are everyday of the week from 08:00 – 17:00h. In addition to regular opening hours, the BD-SOC also has a standby construction, which achieves 24/7 accessibility. The standby is automatically activated for high priority incidents. Outside office hours, the BD-SOC can also be reached on the aforementioned email address for high-priority security incidents (Priority 1 (PRIO 1)). Within the standby, it is ensured that sufficient representation of the various disciplines is present in the BD-SOC.

Time Zone

UTC+0100 in winter and UTC+0200 in summer (DST). Daylight savings time is according to EC rules, central European time.

Public keys and encryption information

The BD-SOC uses PGP for encryption and signing. The PGP key can be found on the PGP‑keyserver.

Team members

A full list of the BD-SOC team members is not publicly available. Team members will identify themselves to the reporting party with their full name in an official communication regarding an incident.

Other information

General information about the BD-SOC can be found at


Mission Statement

The mission of the BD-SOC is as follows:
Contribute to increasing the cyber resilience of the Dutch Tax, Benefits and Customs Administration and adjacent services through high-quality prevention, detection and response.


BD-SOC's constituency consists of all citizens and businesses in the Kingdom of the Netherlands. Also, the constituency includes all government organizations. All can report security incidents related to the infrastructure, applications of the Dutch Tax and Customs Administration to the BD-SOC. These can be vulnerabilities, but also threats and phishing reports.

Sponsorship and/or Affiliation

The IT department of the Dutch Tax and Customs Administration will fund the work of the BD-SOC and will fund the technical provisions needed in order to gain and maintain maximum reachability


The authority of the BD-SOC is restricted to advising and assisting its constituents by monitoring and coordinating the response to cyber-related incidents.


Types of Incidents and Level of Support

The SOC-BD handles various types of security incidents. The level of support is best effort and depends on the type of the incident and the severity as determined by the SOC-BD team members.

Co-operation, Interaction and Disclosure of Information

All incoming information is handled confidentially by the BD-SC team members, regardless of its priority. Information that is evidently very sensitive in nature is only communicated and stored in a secure environment, if necessary using encryption technologies. The BD-SOC will use the information you provide to help solve security incidents. Information will only be distributed further to other teams and members on a need-to-know base, and preferably in an anonymized fashion. The BD-SOC understands the Traffic Light Protocol (TLP) for sharing sensitive information.

Communication and Authentication

The preferred method of communication is via e-mail. When the content is sensitive enough or
requires authentication, the BD-SOC PGP key is used for signing e-mail messages. All sensitive
communication to the BD-SOC should be encrypted with the team’s PGP key. The current PGP key can be found on the PGP key servers or on Please use the PGP key belonging to the email address


Incident Response

Incident response is available 7x24 for PRIO1 security incidents. For non PRIO1 security incident, incident response is available during business hours.

Incident Triage

  • Assessing whether indeed an incident occurred.
  • Determining the extent of the incident.

Incident Coordination

  • Determining the initial cause of the incident (vulnerability exploited).
  • Facilitating contact with other sites which may be involved.
  • Facilitating contacts with the affected constituent and/or appropriate law enforcement officials, if necessary.
  • Making reports to other CSIRTs.
  • Composing announcements to users, if applicable.

Proactive Activities

The BD-SOC only grants capacity pro-active activities for its internal constituency. Only exceptionally is capacity released for pro-active activities for the rest of the constituency. This may be, for example, when there is a social interest.

Incident Reporting Forms

There are no special forms required to report an incident.


While every precaution will be taken in the preparation of information, notifications and alerts, the BD-SOC assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.

Changes to this webpage are not distributed by a mailing list. Please address any specific questions or remarks to the BD-SOC email address:

Javascript staat uit in deze internetbrowser. U moet Javascript activeren om onze internetsite te zien.