Cybersecurity measures in more sectors will improve digital security in the Netherlands and the EU

The introduction of better cybersecurity measures for network and information systems and a reporting obligation for serious cyber incidents should significantly improve digital security in the EU. From mid-2024, key players in the food industry (industrial food producers and distributors such as large supermarket chains), as well as entities in the chemical industry, manufacturing, waste processing, postal and delivery services and data centres, will be required to take appropriate cybersecurity measures. Today, the EU member states and the European Parliament reached a provisional political agreement on a revised version of the EU’s current Network and Information Security (NIS) Directive: NIS2. The Netherlands has been working towards appropriate European legislation in this area for years.

Minister Yeşilgöz-Zegerius of Justice and Security explains that national borders do not provide a barrier against cyber incidents:

‘We are increasingly reliant on digital processes, particularly since more people are working from home following the coronavirus pandemic. We are also seeing a growing threat from criminals as well as state actors, which will not recede any time soon now that war is raging just across the EU’s eastern borders. That is why we now need to take the next step towards raising the level of cybersecurity in the EU, to prevent that cyber incidents disrupt our society.’

Minister Micky Adriaansens of Economic Affairs and Climate Policy:

‘We should remain alert to the risks of cyberattacks, which can have huge consequences, such as empty shelves in shops or production stoppages at industrial plants. It is the responsibility of businesses and consumers to take cybersecurity precautions. That having been said, this legislation will enable us to take a step forward in raising the level of cybersecurity among medium-sized and large entities in key sectors.’

Improving cybersecurity in supply chains and handling of incidents

Under the current Network and Information Security Directive, the Dutch government has already identified providers of essential services (such as banks, drinking water suppliers and energy suppliers) and digital service providers that must adopt cybersecurity measures and report serious cyber incidents. This is also supervised. The National Cyber Security Centre (NCSC), part of the Ministry of Justice and Security, offers support and advice to the providers of essential services, while the Computer Security Incident Response Team (CSIRT-DSP), part of the Ministry of Economic Affairs and Climate Policy, offers this to the relevant digital service providers.

The number of sectors covered by this legislation will be significantly increased from mid-2024. Under the new NIS2 Directive, service providers will be classified into two categories: essential service providers and important service providers. The essential service providers, mainly consisting of entities operating in key sectors in the Netherlands, will be proactively supervised. The important service providers will be subject to a reactive supervisory regime, whereby supervision is triggered by indications of an incident. The latter are mostly medium-sized and large entities where a potential disruption of services would not have serious societal or economic consequences. In addition to the reporting obligation, all service providers in scope of the NIS2 Directive will be required to take security measures as part of their duty of care. This concerns, among other things, taking steps to increase the security of their supply chain and to ensure proper handling of cyber incidents.

Following the adoption of the provisional agreement by the European Parliament, the new NIS2 Directive is expected to be published this autumn, after which it can be transposed into national legislation from mid-2024.