New legislation on the duty to report and possibilities for intervening in the event of digital security incidents
New legislation is to be drawn up before the end of 2012 which will oblige organisations to report any digital security incident or security breach they have to contend with. This duty to report is going to apply to organisations within six vital sectors in the Netherlands. It will apply to security breaches which can substantially disturb the continuity of one's own provision of services or that of others, and which result in (potential) social disruption. In such cases it is important that the government acquires more possibilities to intervene on a cross-sectoral basis to facilitate quick, efficient action. The Dutch Council of Ministers has decided to draw up new legislation as proposed by Minister Opstelten of Security and Justice.
The sectors in question are electricity, gas, drinking water, telecommunications, stemming and managing surface water, and transport (Rotterdam and Schiphol mainports). The duty to report will also apply to the financial sector and the government itself. With regard to all these sectors the impact of any disruption to services is considerable. Any breakdown in these sectors quickly causes a cascade effect to other sectors, resulting in a real risk of large-scale social disruption.
The implementation of the duty to report will link up as much as possible with existing national legislation and regulations and European initiatives. The emphasis will be on providing assistance to prevent social disruption. The National Cyber Security Centre (NCSC) will offer the affected organisation or sector assistance and advice to repair the breach and contain its effects, which may also occur elsewhere. In the event that the crisis structure is scaled up, the NCSC can take responsibility for operational responses within the crisis structure. The publication of security recommendations can limit the impact on third parties.
In order to act quickly and prevent any social disruption, the government is looking to engage in public-private partnerships. The government also has to be able to intervene whenever there is a threat of social disruption. For that reason the government is being offered more possibilities to intervene on a cross-sectoral basis. This also means having the authority to obtain information, to enforce an administrative order and to appoint an official on the government's behalf.
By introducing the new legislation the Dutch government is adopting the Hennis-Plasschaert resolution, which asks for a duty to report security breaches to apply to organisations involved in information systems which are vitally important to society.