Go to content

Statutory task

Since 9 November 2018, the Security of Network and Information Systems Act (Wet beveiliging netwerk- en informatiesystemen, Wbni) has been in effect. The Wbni stipulates the statutory tasks of the NCSC in the field of cybersecurity. The Wbni aims to improve the digital resilience of the Netherlands, mitigate the consequences of cyber incidents and in doing so prevent social disruption.

CSIRT

In case of a threat or an incident in the network and information systems of vital providers, government bodies or DSPs, there are computer crisis teams who provide assistance. The Wbni refers to these teams as CSIRTs: Computer Security Incident Response Teams.

Pursuant to the Wbni, the CSIRT for AEDs and digital service providers is the National Cyber Security Centre (NCSC). NCSC’s tasks include:

  • responding to incidents that are reported voluntarily or under a notification obligation;
  • monitoring incidents at a national level, providing early warning to providers, and disseminating information about risks and incidents;
  • participating in the international network of CSIRTs.
  • maintaining contacts focused on cooperation with the private sector.

Digital service providers

Digital service providers (DSP’s) are providers of cloud services, online search engines or online marketplaces. Many private individuals and companies use these digital services, or are dependent on them. The networks and information systems that are necessary to provide these digital services need to be reliable and secure. Unsure whether you are a digital service provider? The definitions of a digital service provider are as follows:

Duty to report and the duty of care

Based on the Wbni: vital providers, AEDS’s and DSP’s have an obligation to report severe incidents to the NSCS. AED’s also report to their sectoral regulator.  

Furthermore, the law contains a duty of care for AEDs and DSPs. They have to take measures to minimize the chances and risks of digital incidents. The Dutch law 'Data Protection and Cybersecurity Reporting Obligation (Wgmc)' is included in the Wbni.

Submit a Wbni report 

Reports have to be filed as soon as possible. Always report an incident via the NCSC alarm number. This line can be reached 24/7. Afterwards directly send an encrypted email to cert@ncsc.nl with the subject duty to report. For more information on the Wbni report, please view submit a Wbni report

National point of contact

To mitigate the consequences of serious cyber incidents across national borders as well, the NCSC has been designated as the national point of contact for EU Member States on behalf of the Netherlands. In other words, when the NCSC receives a notification that is also relevant to other countries, this operational information is shared with the point of contact in other Member States.

Other tasks

  • In addition, the NCSC has tasks pursuant to the Wbni, which include:
  • supporting vital providers and government bodies in implementing measures to ensure the continuity of their services;
  • providing information and advice about threats and incidents relating to the network and information systems of vital providers and the national government;
  • performing analyses and conducting technical investigation for this purpose in response to threats and incidents or indications thereof.
  • It is possible to submit a voluntary report of an incident for an organization that does not qualify as a vital provider, digital service provider of government body.
  • Sharing information with organizations that are required to inform other organizations or the public about threats and incidents, as well as with computer security incident response teams (CSIRTs).