More opportunities for NCSC and DTC to share threat and incident information

The National Cyber Security Centre (NCSC) and Digital Trust Center (DTC) are working together to help make the Netherlands digitally secure. The NCSC provides critical providers and central government organisations with threat and incident information relevant for their network and information systems and advises them on potential measures. The DTC offers the non-critical business community (a target group consisting of 1.8 million companies) information and advice on cyber security and encourages collaboration between companies. Currently, the NSCC and DTC sometimes lack a legal basis for the provision of threat and incident information to organisations.

Because of this, organisations are unaware that their systems are vulnerable, despite the NCSC or DTC having the information they need. With this in mind, legislative proposals submitted by Minister Grapperhaus (Ministry of Justice and Security) and State Secretary Keijzer (Ministry of Economic Affairs and Climate) with a view to creating a basis for the provision of more information will go into internet consultation today.

Legislative proposal to amend the Wbni

The Security of Network and Information Systems Act (Wet beveiliging netwerk- en informatieystemen (Wbni)) regulates the statutory duties of the NCSC in respect of cyber security. The NCSC's primary remit is to inform and advise critical providers and central government organisations on digital threats and incidents. Because of this, the NCSC is regularly also in possession of information of this nature that could be relevant for other organisations. For example, food distributors, political parties and container handling companies. However, it is currently not always possible to provide this information to these other providers or their intermediary organisations.
Given this situation, Minister Grapperhaus (Justice and Security) is proposing the amendment of the Wbni. This would give the NCSC the basis it needs to share threat and incident information more broadly, with so-called OKTTs (organisations that objectively have the task to provide other organisations or the public with threat information) that act as intermediary organisations for other providers. These intermediary organisations can then pass on this information and advice to the organisations in their respective networks. This legislative proposal will also create a basis for the NCSC to share threat or incident information with other providers itself in special cases. This would apply if there were no intermediary organisation (like an OKTT or computer crisis team) that could give a provider the information in question and if the threat or incident in question has (or could have) significant consequences for the continuity of the provider's services.

Legislative proposal to promote the digital resilience of companies

Besides the proposed amendment of the Wbni, the legislative proposal to promote the digital resilience of companies, which was submitted by State Secretary Keijzer (Ministry of Economic Affairs), will go into consultation as of today too. This legislative proposal specifies the duties and powers of the Ministry of Economic Affairs in respect of the digital resilience of businesses in the Netherlands in a new Act and in the Wbni.
One of the duties above is to inform and advise the non-critical business community on vulnerabilities, threats and incidents. A second duty is to encourage the development of partnerships between companies on the subject of digital resilience. In practice, the DTC will carry out both of these duties. This legislative proposal will create the basis for it to share specific confidential information about cyber threats with individual companies in the Netherlands too.