Since 9 November 2018, the Security of Network and Information Systems Act (Wet beveiliging netwerk- en informatiesystemen, Wbni) has been in effect. The Wbni stipulates the statutory tasks of the NCSC in the field of cybersecurity. Organisations in vital sectors and central government are obliged to report serious digital security incidents to the NCSC. Providers of essential services (aanbieders van essentiële diensten, AED) and digital service providers (DSP) must comply with the law. The Wbni aims to improve the digital resilience of the Netherlands, mitigate the consequences of cyber incidents and in doing so prevent social disruption.
In case of a threat or an incident in the network and information systems of vital providers, government bodies or DSPs, there are computer crisis teams who provide assistance. The Wbni refers to these teams as CSIRTs: Computer Security Incident Response Teams.
Pursuant to the Wbni, the CSIRT for AEDs is the National Cyber Security Centre (NCSC). The tasks of the NCSC include:
- responding to incidents that are reported voluntarily or under a notification obligation;
- monitoring incidents at a national level, providing early warning to providers, and disseminating information about risks and incidents;
- participating in the international network of CSIRTs.
- maintaining contacts focused on cooperation with the private sector.
Notification obligation and duty of care
Pursuant to the Wbni, vital providers and AEDs have an obligation to notify the NCSC in case of serious incidents. AEDs also notify their sector supervisory body. Digital service providers notify the CSIRT for DSPs. The Act also includes a duty of care for AEDs and DSPs. They should take measures to reduce the likelihood and consequences of digital incidents. The Dutch Data Processing and Cybersecurity Notification Obligation Act (Wet gegevensverwerking en meldplicht cybersecurity, WGMC) is included in the Wbni.
National point of contact
To mitigate the consequences of serious cyber incidents across national borders as well, the NCSC has been designated as the national point of contact for EU Member States on behalf of the Netherlands. In other words, when the NCSC receives a notification that is also relevant to other countries, this operational information is shared with the point of contact in other Member States.
In addition, the NCSC has tasks pursuant to the Wbni, which include:
- supporting vital providers and government bodies in implementing measures to ensure the continuity of their services;
- providing information and advice about threats and incidents relating to the network and information systems of vital providers and the national government;
- performing analyses and conducting technical investigation for this purpose in response to threats and incidents or indications thereof.