Report an incident
While the Cyberbeveiligingswet (the Dutch implementation of the European NIS2-directive) has not yet been implemented, the Wbni still is in effect. Organisations in the vital sectors, digital service providers and organizations in the central government are obliged to report serious digital security incidents to the NCSC. Furthermore, on this page you can read more about the report obligation under the Wbni. From the 17th of October on organisations can submit a voluntary report for a NIS2 incident via the following form.
Wbni report
Based on the Wbni: vital sectors, digital service providers and providers of essential services have a duty to report severe incidents to the NCSC. Providers of essential services also report to their sectoral regulator.
Reports have to be made as soon as possible. Send the report directly (if needed encrypted) to cert@ncsc.nl with the subject duty to report. You can also use the form Wbni report.
An incident is defined as any event that has a damaging effect on the confidentiality, integrity, availability or authenticity of network and information systems.
Not every incident meets the criteria for a mandatory report. You have to decide whether the incident has significant consequences for your service, since only such incidents are mandatory. An incident is said to have ‘significant consequences’ if:
- In the EU, the service is unavailable for more than 5,000,000 service hours;
- The incident has negative consequences for more than 100,000 users in terms of integrity, confidentiality or authenticity;
- One or more users of the service have suffered damages exceeding 1,000,000 EUR;
- There is a risk to public safety or the potential loss of life
In this factsheet you will find more information about when, why, and how to submit an NCSC Wbni report for digital security incidents.
Voluntary report
It’s always possible to submit a voluntary report to the NCSC. We speak of a voluntary report when there is no legal duty to report.
Regardless of a voluntary or mandatory report, the NCSC may be able to provide assistance or advice. A voluntary report does not require you to report to the supervising agency, the Dutch Authority for Digital Infrastructure. You decide which information you wish to share with the NCSC.
The NCSC maintains a national overview of cyber security threats. Voluntary reports contribute to this overview and support the NCSC to share a topical threat overview to ensure that organizations are prepared for current threats.