
December 11, 2025

Secure emailing in the Netherlands: Zivver, Purview or something else?

 

E-mail is still the most widely used means of communication within organizations. At the same time, it is one of the biggest risks when it comes to data breaches. Personal data, contracts and medical or financial information go through the inbox on a daily basis.

Many organizations think that “encrypted mail” is enough. In practice, it’s about more than technology. It’s about control, legislation and governance. Especially in the Netherlands.

Why secure emailing is no longer a luxury

The AVG (the Dutch name for the GDPR) has clear requirements for how you handle sensitive data. A misdirected email is already a data breach. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) makes no distinction between SMEs and large organizations.

Secure mail is required if you are working with:

  • Personal data of customers or employees
  • Financial information
  • Medical or healthcare data
  • Legal documents
  • Competition-sensitive business information

Yet we see many organizations relying on default email settings or tools where it is not clear who really has control.

 

Commonly used solutions in the Netherlands

 

The Dutch market has a wide range of solutions. Each tool has strengths and weaknesses. The choice depends on risk, sector and governance requirements.

 

Zivver

 

Zivver is user-friendly and popular in healthcare and government. Adoption among users is high.

Concern: some of the ownership is foreign. This raises questions of oversight and jurisdiction under international law.

 

Microsoft Purview

 

Purview dovetails well with Microsoft 365. Think DLP, classification and integration with existing workflows.

Concern: Microsoft is subject to U.S. law. That means the CLOUD Act may apply even if data resides in Europe.

 

Smartlockr

 

Smartlockr is entirely Dutch and focuses heavily on encryption and key management.

Strong point: data and keys remain within Dutch jurisdiction. That makes this interesting for organizations with strict compliance requirements.

 

Cryptshare

Cryptshare is a German solution where recipients do not need an account.

Strong point: simplicity and good security. Less suitable if you need extensive governance and logging.

 

FileCap

FileCap focuses on secure file sending with Outlook integration.

Strong point: practical to use. Less broadly applicable for full email security.

 

Registered Mailing

This solution focuses on legal provability. You can prove that a message was sent and received.

Strength: suitable for legal and formal communication.

 

ZorgMail and VECOZO

Specifically for healthcare professionals and healthcare chains.

Strength: aligned with NEN7510 and healthcare processes. Less suitable outside of healthcare.

 

ProtonMail and Tutanota

Privacy-first email services with strong encryption.

Concern: less focused on business governance, integrations and compliance reporting.

 

The questions you should always ask

The tool is never the starting point. The questions are.

  • Where are the encryption keys stored?
  • Who has technical or legal access to those keys?
  • Does the vendor fall under U.S. laws such as the CLOUD Act?
  • Is the usage auditable according to ISO27001 or NEN7510?
  • Can you show who sent, opened or modified what?

Without clear answers, you are at risk, even if the solution seems safe.

 

Secure emailing is governance, not a feature

A common mistake is to treat secure mail as an IT setting. In reality, it is part of your information security policy.

Meaning:

  • Clear classification of information
  • Agreements on who can send what
  • Logging and audit trails
  • Employee awareness
  • Periodic monitoring and evaluation

Without these arrangements, secure mail remains dependent on human behavior. And that is exactly where it often goes wrong.

 

The ALTA-ICT view on secure emailing

 

We don’t look at individual tools, but at the whole. Technology, compliance and workability have to add up.

Our approach:

 

  • Analysis of data flows and risks
  • Review against AVG, ISO27001 and where necessary NEN7510
  • Advice on Dutch and European suppliers
  • Setting policy, not just software
  • Guidance on adoption and awareness

That way, you not only know that e-mail is encrypted, but you can explain it to an auditor or regulator.

 

In conclusion

 

The question is not which tool is best known. The question is whether you can demonstrate that sensitive information really does remain secure, today and five years from now.

How have you set up secure emailing? And who within the organization is really responsible for that?
