How can we assist you?

    Blog

    A label of vital importance

    Dutch Government identifies first official providers of vital products and services

    It is the first time the Dutch government has defined which providers of so-called vital products and services it considers of vital importance to Dutch society at large. On 4 December 2017, the Dutch government issued a decree (the "Decree") that obligates all companies, that have been identified as providers of vital products and services, to report severe ICT incidents to the National Cyber Security Centre.  The Dutch government derived its authority to issue the Decree from the Data Processing and Reporting Obligation Act (WGMC), which came into effect on 1 January of 2018.

    Against the backdrop of the revival of economic protectionism and the renewed tendency to control foreign share ownership of companies that are of vital importance to Dutch society at large, the mere designation as a provider of vital products and services under the WGMC could have far reaching consequences. Interestingly, fibreglass company Eurofiber was the first company to issue a press release stating that it felt very proud to have received the 'vital' designation.

    Although the WGMC focusses on all vital industries, the label "provider of vital products or services" may be of particular interest to software and tech companies given the recent proposed legislative changes in the Telecom and IT sector.

    Data Processing and Reporting Obligation Act

    The WGMC regulates the data traffic to the Minister of Security and Justice, in order to prevent or limit the failure of the availability or the loss of integrity of information systems of vital providers, and the manner in which the Minister should process such data. A provider of products and/or services is considered 'vital' if the availability and reliability of its products or services are crucial to Dutch society at large [1].  A vital provider can be a government organisation as well as a private legal entity. According to article 5 WGMC, the WGMC only applies to 'vital companies' that have been designated as such by governmental decree (AMvB), such as the Decree referred to in the first paragraph.

    The selection process of vital providers and processes

    According to the explanatory notes accompanying the Decree, certain processes are of such vital importance to Dutch society, that a system failure or interruption may lead to severe social disruption and, consequently, pose a threat to national security. These processes, taken as a whole, are being referred to as the Dutch vital infrastructure [2].  According to the Decree, whether a process is considered vital, depends on whether the process falls within the vital infrastructure and, more specifically, within one of the categories defined by the Dutch government in 2013, referred to individually as category A and category B [3].  Failures of vital processes in category A could, potentially, have a more significant impact on Dutch society than failures of vital processes in category B. For instance, drinking water is a category A vital process, Internet and data services is a category B vital process. For each vital process, one or more organisations are considered  vital for the continuity and resilience of the process. These organisations are being referred to as vital providers. According to the explanatory notes to the Decree, the identification of vital processes and accompanying vital providers have been identified within a specific category by the line ministry, coordinated by the National Coordinator for Security and Counterterrorism.

    Providers of vital products and processes within ICT and Telecom and Digital Government

    The Decree stipulated which providers of products and services should receive the label "vital" within each vital sector. In the vital sector ICT and Telecom the following two products or services are designated vital processes: (i) providing telephone, SMS or internet access; and (ii) facilitating internet and data traffic. Providers, that have been designated by the Government as 'vital' under the Decree, will be notified.

    (i) providing telephone, SMS or internet access

    According to the explanatory notes to the Decree, providers of electronic communication networks or services, that manage a network or infrastructure, that is used, directly or indirectly, to provide telephone, SMS or internet access services to at least 1,000,000 end consumers, are considered "providers of vital products and services" and, consequently, fall within scope of the reporting obligation of the WCMG. Providers that directly provide services to end consumers, such as Vodafone, Tele2, KPN and T-Mobile, fall within this category, as each of them has nationwide coverage of mobile telephone services and provide services to more than one million end consumers. The Decree furthermore awards the label "provider of vital products and services" to providers that do not directly provide telephone, SMS or internet services to end consumers, but form an essential part of the supply chain (e.g. Eurofiber, see above).

    (ii)  facilitating internet and data traffic

    Pursuant to the explanatory notes to the Decree, facilitating internet- and data traffic is essential for the proper functioning and performance of the Dutch digital infrastructure, which amongst others includes internet, telephone, SMS and data services. Up to 25% of the total data traffic in the Netherlands is handled by so-called internet nodes. An internet node is a network infrastructure that enables the interconnection of more than two independent autonomous systems, mainly with the objective to facilitate internet traffic. Currently, two nodes, AMS-IX and NL-ix, are responsible for the vast majority of the total data traffic. Expressed in port capacity, these nodes facilitate more than 90%. Failure of one of these two nodes may have serious consequences for the digital infrastructure. For this reason the Decree draws the line at a minimum port capacity of 8 terabits per second ("tbp/s"), which is currently equivalent to approximately 25% of the total minimum port capacity of all internet nodes combined. Providers that provide port capacity at 8 tbp/s or more are considered to be "providers of vital products and services" and fall within the scope of the reporting obligation under the WGMC.

    Providers of vital products and services within the sector Digital Government

    According to the assessment made by the Dutch government, the processes, related to the availability and exchange of reliable basic information and the availability of data systems, on which multiple governmental organisations rely, are considered vital infrastructure. According to the explanatory notes to the Decree, the National Commissioner for Digital Government ("NCDG") is, currently, determining which specific providers of such processes should be designated as providers of vital products and services and be subjected to the reporting obligation under the WGMC. In the past, NCGG has amongst others identified the following services, in the domain of identification and authentication and interconnectivity of networks, as vital infrastructure: eID, eHerkenning, Digid, Digipoort, Diginetwerk and certificates/PKI government. Although these services have not been mentioned in the Decree, it is to be expected that they will once more be awarded the label "vital infrastructure" by NCDG.

    Forerunner

    The Decree should be viewed as yet another step of the Dutch government towards the protection of companies that are considered to be of vital importance to Dutch society. Given the recent legislative developments surrounding foreign direct investment control in the Telecom sector in the Netherlands (consultation document) and European Union, being labelled as a provider of vital products or services within the IT and Telecom sector may have far reaching implications in the years to come. We also refer  you to our earlier publications on these topics, as well as our solutions to mitigate the potential impact of any such measures.

    [1] Article 1 Data Processing and Reporting Obligation Act. 
    [2] Explanatory notes to the Decree Reporting Obligation Cybersecurity, p. 7.
    [3] Kamerstukken II 2014/15, 30 821, nr. 23, p. 3