The Network and Information Systems Security Act (Cybersecurity Act) Focuses on Business Continuity Management (Part 1)

Many questions and uncertainties surround this upcoming Network and Information Systems Security Act, but one thing is certain: the law is coming into effect and will apply soon. On the day the law becomes operational, companies must demonstrate compliance with its requirements. There are several reasons why your organization should start considering this new Cybersecurity Act.

Is It Relevant to Our Organization?

First, you need to determine whether your organization falls under one of the definitions for which the new law applies. This determines if your organization falls under the scope of organizations targeted by the Cybersecurity Act. If you fall under the law, you must assess whether your current continuity and security measures meet the requirements. As if that's not enough, there's a dual reporting obligation that is strictly supervised by the government.

Am I an AED or DSP?

The law distinguishes between "Essential Service Providers" (AEDs) and "Digital Service Providers" (DSPs). If your organization operates in the energy, transportation, banking, financial market infrastructure, healthcare, drinking water, or digital infrastructure sectors, you could be designated as an AED by the government. This may include entities like the administrator of .nl domain names or major internet exchange points in the Netherlands.

Companies that offer online marketplaces, online search engines, and/or cloud computing services (IaaS, PaaS, SaaS) could be considered DSPs. DSPs are not designated by the government and must assess whether they fall within these definitions themselves. This creates a risk that your organization might unintentionally be classified as a DSP and hasn't taken sufficient measures, potentially leading to enforcement by a regulatory authority.

To avoid this, you should assess whether your organization is a DSP in three steps:

Determine if your company provides one of the above-mentioned services. Assess whether your company is headquartered in the Netherlands or has a representation. Finally, check whether your company has more than 50 employees or has an annual turnover or balance sheet total exceeding €10 million. If you meet these criteria, you are considered a DSP under the law.

What About My Security?

Both AEDs and DSPs have a duty of care for the security of their network and information systems.

The Cybersecurity Act formulates this requirement in quite general terms. According to the law, AEDs and DSPs must take "appropriate and proportionate technical and organizational measures" to adequately secure their IT systems against external breaches. This requirement is also found in the General Data Protection Regulation (GDPR), which stipulates that organizations must implement "technical and organizational measures" to protect personal data. However, being GDPR-compliant does not automatically mean that you also comply with the Cybersecurity Act. The GDPR only pertains to personal data, while the Cybersecurity Act covers a broader range of issues. Under the Cybersecurity Act, you need to implement additional appropriate measures to prevent incidents such as network outages, ensuring that, in case of an incident, its consequences are minimized.

Compared to the GDPR, the Cybersecurity Act focuses on protecting the continuity of networks and information systems. This makes it essential to pay attention to Business Continuity Management (BCM). This means translating the continuity requirements into practice, in addition to complying with information security standards such as ISO 27001/2, ISO 22301, and national government standards (BIR/BIG/BIWA). Effective BCM requires a clear process and specific agreements. According to Monica de Wit, a leading expert in BCM, practice is key. In her blog "Cyber Crisis Management: A Joint Responsibility," she explains why: "Practice is an investment that always pays off," Monica says. So, start training your crisis management teams, practice your data breach protocol, and conduct crisis exercises today.

In our next blog, we will outline the new reporting obligations.