The Network and Information Systems Security Act (Cybersecurity Act) Focuses on Business Continuity Management (Part 2)

The Network and Information Systems Security Act (Wbni), commonly known as the Cybersecurity Act, aims to enhance digital security in the Netherlands. This Cybersecurity Act is based on the European Union's Network and Information Security Directive (NIS Directive), which encourages member states to improve their digital resilience and collaborate more effectively. In this two-part series, we focus on this new legislation. In our previous blog, we discussed who this legislation applies to and what mandatory measures are required. Part two of our series delves deeper into the reporting obligations under the Cybersecurity Act.


What, When, and to Whom Should You Report?

Yes, the legislation introduces new reporting obligations. In addition to the various existing reporting requirements (such as data breaches), Essential Service Providers (AEDs) and Digital Service Providers (DSPs) must report incidents (or near misses) with significant consequences to different regulatory authorities. In the case of severe ICT incidents, a "double reporting obligation" even exists.

Setting Up a Strict Process for AEDs

AEDs are required to report ICT breaches with significant consequences for continuity to the National Cyber Security Centre (NCSC) of the Ministry of Justice and Security and to the sectoral regulator (e.g., the Radiocommunications Agency).

ICT breaches that could have had significant consequences, or the "near misses," must be reported only to the NCSC and not to the sectoral regulator. This accumulation of reporting obligations means that you need to establish a strict process to:

Determine the nature of the incident or near miss. Decide which regulatory authorities should be notified. Specify the time frame and conditions for reporting. Failure to meet the reporting requirement may result in a visit from the sectoral regulator.

Greater Complexity for DSPs

DSPs face even greater complexity. If a DSP experiences an incident that affects the service provider's continuity, they must report it to the regulatory authority, Agentschap Telecom, and the Computer Security Incident Response Team (CSIRT) for DSPs. However, regulators are not allowed to actively inspect DSPs until an incident occurs. This reactive oversight means that comprehensive investigations are conducted after an incident into the measures and procedures that the DSP has taken (duty of care). If no or insufficient measures have been taken, severe sanctions may be imposed.

In summary, organizations that believe compliance with ISO 27001/2 or other standards is sufficient for the Cybersecurity Act will face significant surprises. Therefore, carefully assess whether you are an AED or DSP, evaluate your current security level against the new requirements, and establish a process for reporting to different regulators.

Most importantly, practice with near misses, incidents, and crisis situations! Similar to our previous blog, we conclude that the adage "practice, practice, practice" is essential. So, whether you are an AED or DSP, start training for these reporting obligations today. There are many potential pitfalls, including miscommunication, unclear roles and responsibilities, lack of decisiveness, and autonomous action. But above all, do it not because you have to but because you have a responsibility to society, and many citizens and businesses rely on your services!

Related Insights