More ways for the NCSC to share information on threats and incidents

The National Cyber Security Centre (NCSC) is constantly working to improve digital safety in the Netherlands. When the NCSC has intelligence on threats and incidents affecting organisations’ systems, it wants to be able to provide those organisations with information and advice. For instance, the NCSC would want to recommend that an organisation take certain precautions. Until today, the NCSC was only permitted to share such information with central government organisations or other organisations designated as being of critical importance. There wasn’t always a legal basis for the NCSC to share information on threats and incidents with other organisations. Those organisations therefore weren’t aware of vulnerabilities in their systems, even though the NCSC had intelligence on those issues. That has changed as of today, with the Network and Information Systems Security Act (Wbni) coming into force. The Act provides precisely that legal basis for sharing information with more organisations.

'The NCSC has waited a long time for this day to come, and I’m glad it’s finally happened', said Hans de Vries, Director of the NCSC. 'As of today, we can share information about vulnerabilities or anticipated ransomware attacks not just with central government organisations and those designated as being of critical importance, but with all other organisations too. It means we can improve digital security for all those other organisations, and for the Netherlands as a whole.'

The Wbni stipulates the statutory tasks of the NCSC in the field of cyber security. The NCSC is mainly tasked with informing and advising central government organisations and critical service providers on digital threats and incidents. Because of this, the NCSC also regularly holds intelligence on digital threats or incidents that could be relevant to other organisations. Those other organisations could include food distributors, political parties or container transshipment companies. As of 1 December, this intelligence can also be shared with those other product/service providers or their intermediaries. For example, the NCSC might be aware that a particular organisation is using software known to be vulnerable to misuse by criminals, or it might have intelligence on a planned ransomware attack.

Organisations with an objectively ascertainable responsibility to inform other organisations or the public about threats, vulnerabilities and incidents (known as OKTT organisations), which act as intermediaries to other product/service providers, can now offer information and advice on these matters to the organisations in their networks. There is now also a legal basis for the NCSC, in exceptional cases, to share information on threats or incidents to other product/service providers itself. An exceptional case would be one in which there is no intermediary organisation (such as an OKTT or computer crisis team) available to share the information with the product/service provider, and the information pertains to a threat or incident with potentially serious consequences for that provider’s business continuity.