Cybersecurity Act submitted to House of Representatives

In the course of 2018, providers of essential services – such as drinking water companies, banks and managers of gas mains and power grids – will be required to comply with security requirements. They must take adequate measures against outside breaches of their network and information security. If a cybersecurity incident does occur, these providers must be technologically and organisationally equipped to counter the digital threat quickly and mitigate damages to the maximum possible extent.

These are among the points set out in the proposed Cybersecurity Act (Cybersecuritywet, Csw) submitted to the House of Representatives today by Minister Grapperhaus (Justice and Security). The aim is to make the Netherlands more cybersecure. The Cybersecurity Act stems from the EU Directive on Security of Network and Information Systems (NIS Directive), which encourages Member States to boost their digital resilience and cooperate more effectively with one another.

From now on, serious cybersecurity incidents must also be reported to the supervisory body. According to the current Dutch Data Processing and Cybersecurity Notification Obligation Act (Wet gegevensverwerking en meldplicht cybersecurity, Wgmc), providers of certain services are only required to report such incidents to the National Cyber Security Centre (NCSC), which acts as a Cyber Security Incident Response Team (CSIRT) for the Netherlands. A CSIRT issues warnings about risks and provides support and assistance with cybersecurity incidents.

The supervisory body (e.g. De Nederlandsche Bank for the banking sector) monitors compliance with the security requirements and the notification obligation and imposes sanctions such as an administrative fine when necessary. The new Csw will also apply to providers of online marketplaces, cloud computer services and online search engines. It is not yet known which agency will act as the CSIRT for these providers. The provisions in the current Wgmc are included in the new Cybersecurity Act. The Wgmc will be revoked.