Bill aimed at expanding information remit regarding cyber threats submitted to the House

The National Cyber Security Centre (NCSC) is working hard to continuously increase the cyber security of the Netherlands. The NCSC informs and advises critical providers and components of central government, providing up-to-date threat and incident information about their network and information systems. At present, the NCSC does not yet always have a basis in law, pursuant to which it can provide organisations other than critical organisations and central government with threat and incident information. As a result, these other organisations will not be aware that their systems are vulnerable, despite the NCSC having relevant information in this regard. That is why a Bill proposed by the Minister of Justice and Security, Ms Yeşilgöz-Zegerius, will be submitted to the House of Representatives today, which provides a statutory basis for the NCSC to share this type of information with other organisations in more cases.

Minister Yeşilgöz-Zegerius:

‘Today, we are taking a crucial next step towards strengthening the cyber security of the Netherlands. It is critical that we do so, as a large number of organisations currently do not have access to crucial information that would allow them to protect themselves against cyber attacks effectively and at an early stage. We are increasingly living our lives online and criminals are well aware of that. In addition, the current global state of affairs makes this Bill more relevant than ever. We must strengthen our digital resilience. The information sharing remit of the NCSC plays a crucial role in that endeavour.’

Network and Information Systems Security Act to be amended

The Bill contains an amendment to the Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen, Wbni), which regulates a number of issues, including the statutory remit of the NCSC in the area of cyber security. The primary remit of the NCSC is to provide critical providers and organisations within central government with information, as well as advise them, regarding cyber threats and incidents and to conduct relevant analyses and technical assessments. As a result, the NCSC also frequently possesses information regarding cyber threats or incidents that is relevant to other providers, such as food distribution companies, political parties or transhipment companies. However, that information cannot always be shared with those providers or their intermediary organisations due to the absence of a relevant basis in law.

This is why Minister Yeşilgöz-Zegerius has proposed that the Wbni should be amended to allow for the sharing of that information, giving the NCSC the statutory basis to share threat and incident information more widely with organisations with an objectively ascertainable responsibility to inform other organisations or the public about threats and incidents, the so-called OKTTs (‘organsaties die objectief kenbaar tot taak hebben’), which act as intermediary organisations for other providers. These intermediary organisations can then provide organisations in their respective networks with that information and advice. The Bill also provides for a legal basis for the NCSC to share threat or incident information with other providers itself directly in exceptional cases, for example, in cases where there is no intermediary organisation (such as an OKTT) to share the information with the provider and the information relates to a threat or incident with significant consequences for the continuity of the services provided by the provider.