9 November 2018
The Networks and Information Systems (Security) Act [Wet Beveiliging Netwerk- en Informatiesystemen, Wbni], known as the Cyber Security Act, came into force on 9 November 2018. The objective of this Act, which implements the European Network and Information Security Directive (the NIS Directive), is to improve the digital resilience of the member states as well as their mutual cooperation, in order to make Europe more secure when it comes to digital matters. With the coming into force of the Cyber Security Act, the Data Processing and Cybersecurity Notification Obligation Act [Wet gegevensverwerking en meldplicht cybersecurity, Wgmc], which was introduced in 2017, ceases to have effect.
The key aspects of the new law are the extension of the existing obligation to notify, which already applies to all vital providers (such as drinking water companies, energy companies and banks), to digital service providers, and the introduction of a duty of care.
Who are ‘digital service providers’?
Digital service providers are providers of online market places, online search engines, and cloud service providers. Under the new NIS Directive, non-EU providers who do not have a principal establishment in an EU country must appoint a representative in the EU.
The Cyber Security Act only applies to companies that have a principal establishment or a representative in the Netherlands. In other cases, the legislation of the other EU member state in question applies. Companies with fewer than 50 employees and a balance sheet total or annual turnover of less than 10 million euro fall outside the scope of the Cyber Security Act.
Protection of essential services
The Cyber Security Act identifies two groups of providers that are regarded as ‘vital providers’: (1) providers of an essential service and (2) providers of another service of which the continuity is vital to Dutch society. These parties are identified by the government by means of orders in council. The criteria for identification are described in Annex II and Article 5 of the NIS Directive. Examples are electricity companies, airline companies, road authorities, internet exchange points and DNS service providers.
What criteria must the providers meet?
Besides the obligation to notify, the identified vital providers and digital service providers must take appropriate and proportionate technical and organisational measures to control the risks to the security of their networks. Having regard to the state of the art, the measures must ensure a level of security appropriate to the risks posed. Assessment of these measures must take into account the security of systems and provisions, the control over operational continuity and compliance with international standards. Moreover, digital service providers and providers of essential services must take appropriate measures to prevent incidents and to limit the consequences of incidents as much as possible.
Obligation to notify
Digital service providers are obliged to notify the relevant Computer Security Incident Response Team (CSIRT) and the competent authority (a different one for each sector). Providers of essential services are obliged to notify the Minister of Justice and Security’s National Cyber Security Centre (NCSC) and the competent authority (particular to each sector) if an incident has a significant impact on the continuity of the essential service they provide. The Ministry of Economic Affairs and Climate Policy recently published a brochure about Cyber Security for digital service providers. According to this brochure, an incident has a significant impact if, at any rate: the service is unavailable in the EU for more than 5,000,000 user hours; the incident has a negative impact on more than 100,000 users in the EU; one or more users in the EU suffer(s) more than 1,000,000 euro’s worth of damage; or there was a risk to public safety or public security, or a risk of loss of human life.
The competent authorities (particular to each sector) may impose on providers of essential services the obligation to allow an independent expert to investigate whether the measures taken fulfil the duty of care. In the event of a violation of the Cyber Security Act, the competent authority may impose an administrative fine of up to 5 million euro.