Incident notification obligation
The Cyberbeveiligingswet (the national implementation law of the NIS2 Directive) is not into effect yet, therefore the Wbni (Wet Beveiliging Netwerk en Informatiesystemen or Security of Network and Information Systems Act) still applies. Vital providers and providers of essential services have a reporting obligation at the NCSC when serious incidents occur. From October 17 on, other organizations can voluntarily report an NIS2-incident via this form.
WBNI
The Security of Network and Information Systems Act (the Dutch act containing rules on the implementation of Directive (EU) 2016/1148; Wet beveiliging netwerk- en informatiesystemen, Wbni) lays down an obligation to notify NCSC-NL of any serious cyber security incidents that could cause social disruption. This incident notification obligation applies if you have been designated by your ministry as a vital operator with a duty to report, i.e. a provider of essential services or other designated critical infrastructure provider. Providers of essential services also report at their sectoral supervisor. Digital service providers must report the incident to the CSIRT-DSP of the Ministry of Economic Affairs and Climate Policy.
Report
Reports must be sent as soon as possible and in any case within 24 hours after the detection of the incident.
Immediately after making the report, send an encrypted email to cert@ncsc.nl with subject: ‘Wbni’. You can also use the NCSC-NL Wbni report form.
Find more information about when, why and how to submit a Wbni report about a cyber security incident to us, in this factsheet.