Report an incident form

While the Cyberbeveiligingswet (the Dutch implementation of the European NIS2-directive) has not yet been implemented, the Wbni still is in effect. Organisations in the vital sectors, digital service providers and organizations in the central government are obliged to report serious digital security incidents to the NCSC. Furthermore, on this page you can read more about the report obligation under the Wbni. From the 17th of October on organisations can submit a voluntary report for a NIS2 incident

Your organisation’s details

Company name(required)

Chamber of Commerce number(required)

Enter the number under which the organisation is registered in the Chamber of Commerce’s commercial register.

Street(required)

Enter the name of the street where the organisation’s headquarters is located.

House number(required)

Enter the house number of the organisation’s headquarters.

Town/City(required)

Enter the town/city of the organisation’s headquarters.

Zip code(required)

Enter the postcode of the organisation’s headquarters.

Sector(required)

Select your organisation’s primary sector

Does the organisation also fall under another sector?(required)

Yes No

My organisation is...(required)

An essential entity An important entity Neither of the above/Unknown

Under the Critical Entity Resilience Act (Wet Weerbaarheid Kritieke Entiteiten), an organisation can be designated as a critical entity. The organisation is then considered an essential entity under the NIS2 Directive. If that is the case, select ‘essential entity’. More information about critical entities can be found in Directive (EU) 2022/2557. Essential and important entities are defined in the NIS2-directive. The Dutch Authority for Digital Infrastructure (RDI) self-assessment tool and National Cyber Security Centre (NCSC) flowchart can provide an indication of whether an organisation may be important or essential.

Notifier

Given name(required)

Surname(required)

Email address(required)

Telephone number(required)

Job title(required)

Availability(required)

The days and times when the notifier is available by phone.

Is the notifier also the contact person regarding the incident?(required)

Yes No

If the notifier is not the contact person regarding the incident, the contact person’s details are also required.

General information

Is this notification voluntary? Does it concern a significant incident?(required)

Voluntary notification Significant incident

An incident is considered significant if: the incident has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; or it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

What type of notification is this?(required)

Early warning Notification, update and initial assessment Intermediate report Progress report or final report

The NIS2-directive contains a phased notification obligation. Early warning (phase 1): This is the initial notification, which must be submitted within 24 hours. For domain registration services and entities that fall under the ‘electricity network code’ implementation order, these notifications must be submitted within four hours. Notification, update and initial assessment (phase 2): This notification is an update on the early warning, it must be submitted within 72 hours after the incident is identified and it is an initial assessment of the incident, containing the following information: - The severity and consequences of the incident - If available: damage indicators Progress report or final report: A progress report contains relevant updates of the situation and can be requested by the CSIRT or the competent authority. A final report of the incident must be submitted within a month of the update and initial assessment. If the incident is still ongoing, this notification must be submitted no later than one month after the handling of the incident. The report must include the following: - A detailed description of the incident, including its severity and impact; - The type of threat or root cause that is likely to have triggered the incident; - Applied and ongoing mitigation measures; - Where applicable, the cross-border impact of the incident

What is the status of the incident?

Cause unclear, under investigation Cause known, unresolved Cause known, resolved

The status of the incident gives an indication of the phase the incident is in.

Does the incident have a cross-border impact that also affects other EU countries?(required)

For significant incidents with a cross-border impact, the national CSIRT informs other EU member states.

Incident details

Date on which the incident was discovered(required)

Time at which the incident was discovered(required)

The time (in the GMT +1 time zone) at which the incident was discovered.

Type of incident(required)

Description of the incident(required)

Give a description of the incident that is as detailed as possible based on the information currently available. Provide as much context as possible. Indicators of compromise may also be included in this field.

Visible and expected impact of the incident

Describe the visible and expected impact of the incident. This could include: whether critical processes have been affected and if so, which ones; the incident’s impact on the organisation and the potential or expected impact on customers; whether there is a visible or expected impact that has national security implications or entails a risk of loss of human life or disruption of public order.

What is the cause of the incident and what measures have been taken to prevent a repeat of the incident in the future?

Where possible, provide information about the cause of the incident, such as human error, a software vulnerability, etc. In addition, state what measures have been taken to prevent a repeat incident. It is possible to attach reports at the end of this form.

Have customers been informed / will they be informed?

Yes, they have been informed Yes, they will be informed No, they will not be informed

What is the estimated recovery time?

If available, give the expected recovery time in days and hours.

What is the organisation itself doing and is help needed?

Is help from the CSIRT needed? If so, please also contact your sectoral CSIRT by phone. State here what help is needed, and what the organisation itself is already doing, including engaging a third party to provide support.

Attachments

This is where to upload any reports, such as investigation results, information about the cause of the incident, or an overview of the measures taken to prevent a repeat incident.

Has the incident been reported to the police?

Yes No

It is advised to always report an incident to the police if it was caused intentionally.

Any additional comments

Any additional information that has not been included elsewhere on the form can be provided here.

Information about the processing of your personal data

We use your data to handle the incident notification that you submitted. The information will be shared only with the National Cyber Security Centre (NCSC) and, where applicable, the relevant CSIRT.

Show additional information about the processing of your personal data

Why is this data required?

We use your data – with your permission – because we need it to process your incident notification.

How does your data get processed?

We use your data to process your incident notification. Depending on the data you provide, it will be used by the CSIRT to contact you.

How long do we keep your data?

Your data will be saved for a limited period of time, in accordance with the Public Records Act. Your data will not be saved on the website.

What are your rights?

You can find more information about your rights on page 'Privacy' (link opens in new tab).

Statement of agreement(required)

I have read and understood how my personal data will be processed.

Report an incident form

Share this page