Standing orders of the Security and Stability Committee

Version: 4 April 2023

These standing orders ('the Standing Orders') were originally adopted by the Supervisory Board ('the Supervisory Board') of the Foundation for Internet Domain Registration in the Netherlands ('the Foundation') on 28 March 2011. The Standing Orders were subsequently amended and the amended version adopted by the Supervisory Board, as provided for in Article 5.2 of the Statement of Principles and Best Practices for the Supervisory Board, pursuant to Article 27 of the Constitution on 4 April 2023.

Annex to the Statement of Principles and Best Practices for the Supervisory Board of SIDN

Article 1 Duties of the Security and Stability Committee

1.1 Notwithstanding the provisions of Article 5.1 of the Statement of Principles and Best Practices for the Supervisory Board, the Security and Stability Committee shall advise the Supervisory Board regarding all matters pertaining to the duties set out in Article 1.2, and make preparations for decision-making by the Supervisory Board regarding relevant matters.

1.2 The Security and Stability Committee's duties shall involve generally supporting the Supervisory Board in the discharge of its supervisory responsibilities pertaining to the integrity, confidentiality and stability of the services of the Foundation and the associated group companies, in the sense of Article 2:24b of the Dutch Civil Code (referred to below collectively as 'SIDN'), and to the effectiveness of the control systems that SIDN uses to ensure compliance with applicable laws, regulations and codes of conduct. The Security and Stability Committee shall report its findings to the Supervisory Board.

1.3 More specifically, the Security and Stability Committee shall oversee matters pertaining to significant business risks involving security and stability, in particular the findings of the annual IT audit that forms part of the financial audit by the external auditor, the findings of the annual ISO 27001 audit, and the findings of other external audits, such as that conducted by the Dutch Authority for Digital Infrastructure, other test results, recommendations and observations made by such external parties, the ICT Roadmap and the Security Roadmap.

1.4 The Security and Stability Committee shall report its findings to, and shall discuss its findings with, the Supervisory Board.

1.5 In connection with the external security and stability audit, and in preparation for definitive decision-making by the Supervisory Board, the Security and Stability Committee shall:

a) assess the scope and methodology proposed by the external ISO auditor for each year's annual security and stability audit;

b) consider and, where appropriate, approve changes to SIDN's policy regarding the independence of the external ISO auditor;

c) hold discussions with the external ISO auditor regarding the latter's annual audit report, and advise the Supervisory Board accordingly.

1.6 The Security and Stability Committee shall hold annual discussions with the Executive Board regarding SIDN's security and stability policy, as well as regarding the main areas of risk and the risk assessment and control methods employed by SIDN.

1.7 The Security and Stability Committee shall perform an annual assessment of the effectiveness and outcomes of the procedures used by the Executive Board for investigation and follow-up. The Security and Stability Committee shall receive regular updates from the Executive Board, the IT Director and the Security Officer.

1.8 In preparation for decision-making by the Supervisory Board, the Security and Stability Committee shall provide the Supervisory Board with all the information and documentation that the Supervisory Board may reasonably require to perform the supervisory duties referred to in this Article, and all information and documentation requested by the Supervisory Board.

1.9 The Supervisory Board delegates to the Security and Stability Committee only those powers required to perform the duties ascribed to the Security and Stability Committee by these Standing Orders or by law, and to perform other duties ascribed to the Security and Stability Committee by the Supervisory Board.

Article 2 External ISO auditor

2.1 The Executive Board shall involve the Security and Stability Committee in selection of the external ISO auditor.

2.2 The external auditor shall confirm their independence in any report they prepare.

Article 3 Composition, expertise and independence of the Security and Stability Committee

3.1 The Security and Stability Committee shall have at least two members.

3.2 Notwithstanding the provisions of Article 3.3 of the Statement of Principles and Best Practices for the Supervisory Board, the composition of the Security and Stability Committee shall satisfy the following requirements:

i) at least one member shall have demonstrable knowledge of information security;

ii) at least one member shall have demonstrable knowledge of ICT;

iii) at least one member shall have demonstrable legal knowledge, preferably in the field of corporate governance, ICT law, privacy and cybersecurity law and telecoms law;

iv) the Chair of the Supervisory Board shall not (simultaneously) also act as Chair of the Security and Stability Committee.

Article 4 Chair

The Security and Stability Committee shall appoint one of its members to act as Chair, in compliance with Article 3 of these Standing Orders. The Chair shall bear primary responsibility for the performance of the Security and Stability Committee. The Chair shall act as the Security and Stability Committee's spokesperson, and as the principal point of contact for the Supervisory Board.

Article 5 Security and Stability Committee meetings (agenda, participation and minutes)

5.1 The Security and Stability Committee shall meet at least twice a year. If there is reason, one or more additional meetings may be arranged at the request of the Chair of the Security and Stability Committee and/or the Executive Board. Meetings shall ordinarily be held at the Foundation's offices, but may be held elsewhere or by electronic means.

5.2 The Security and Stability Committee shall determine whether and, if so, when members of the Foundation's Executive Board, the external auditor or the Data Protection Officer may attend its meetings. The Security Officer and the ICT Director shall ordinarily attend meetings of the Security and Stability Committee, unless the Security and Stability Committee determines otherwise.

5.3 Security and Stability Committee meetings shall be convened by the Chair of the Security and Stability Committee. Insofar as practicable, a notice of and an agenda for each Security and Stability Committee meeting shall be issued to members at least seven days before the meeting in question.

5.4 Security and Stability Committee meetings shall be minuted. The minutes of a meeting shall ordinarily be adopted at the next meeting. However, if all Security and Stability Committee members agree that the minutes of a meeting are a true record of proceedings, the minutes may be adopted sooner. As evidence of their adoption, the minutes of a Security and Stability Committee meeting shall be signed by the Chair of the Security and Stability Committee. As soon as possible thereafter, copies shall be sent to all Security and Stability Committee members and all Supervisory Board members.

Article 6 Applicability of the Statement of Principles and Best Practices for the Supervisory Board

The provisions of the Statement of Principles and Best Practices for the Supervisory Board shall apply equally to (members of) the Security and Stability Committee. If the provisions of the Statement of Principles and Best Practices for the Supervisory Board are found to conflict with the provisions of these Standing Orders, these Standing Orders shall prevail, unless Dutch law or the Constitution of the Foundation requires otherwise, in which case the latter shall prevail.