After three years of preparation and two public consultation rounds, the first ever cyber security bill was submitted to the Dutch parliament in January 2016. The bill introduces mandatory notification to the Minister of Security and Justice of serious security breaches or loss of integrity of vital ICT systems. It also regulates how governmental organisations should exchange information on cyber security incidents and threats. If adopted, the bill will impose a notification duty on companies operating in various industries, including energy, telecom, financial services, and transportation. Providers of vital services should be aware of this notification duty and update their processes and policies to prepare for the new legislation.
The cyber security bill applies to any national or international provider of products and services whose availability or reliability is vital to Dutch society (vital providers). Further regulation will designate who vital providers are after the bill is adopted, but the explanatory memorandum provides examples of the industries that will be covered:
- electricity and gas (for example, network operators)
- drinking water (for example, water management bodies)
- finance (for example, banks)
- transport (for example, Schiphol Airport or the Port of Rotterdam).
Some further examples of the relevant sectors can be found in the list of critical infrastructure recently updated by the government. This list also includes inter-bank and retail payment operations, internet services, GPS services, and availability of data systems necessary for multiple governmental organisations to function.
Vital providers will only have to notify actual security breaches or loss of integrity of their vital ICT services. Moreover, only the breaches that could seriously disrupt the availability or integrity of ICT products or services vital to Dutch society fall under the notification duty. For example, a Distributed Denial-of-Service (or DDoS) attack, which only affects the accessibility of an online service without breaching the security or integrity of its IT systems, will not constitute a serious breach of ICT services and does not need to be reported.
The notification is mandatory when the vital provider becomes aware of a breach of security or loss of integrity of its ICT systems which has affected or may affect the availability or reliability of its vital products or services. The notification must be made promptly to the Minister of Security and Justice and will be handled by the National Cyber Security Centre (NCSC). The notification should describe:
- the nature and extent of the breach or loss
- the presumed start of the breach or loss
- the potential impact of the breach or loss
- the estimated recovery period
- the measures taken or to be taken by the vital provider to mitigate the effects of the breach or loss or to prevent recurrence
- the contact details of the officer responsible for the notification
- any information that the NCSC requests in order to assist the vital provider in restoring the availability and reliability of information systems
- any information that the NCSC requests in order to assess the risks to the availability or reliability of information systems of other vital providers.
The NCSC assesses the potential impact of the security or integrity breach, advises vital providers and warns third parties affected by the incident. For now, the NCSC will only have an advisory role and cannot enforce the new statutory rules or impose sanctions for non-compliance.
Confidentiality of information
To prevent reputational damage, vulnerability to security breaches, or damage to the competitive position of the companies involved, the bill introduces specific rules to guarantee the confidentiality and security of information that companies provide in their notifications to the NCSC. These rules include:
- the NCSC may only share information if its confidentiality is sufficiently guaranteed
- this information can be provided and used for specific purposes only
- confidential information traceable to the vital provider can in principle only be shared without the provider’s permission with designated computer crisis teams (CERTs) and Dutch intelligence services
- only under exceptional circumstances and after consultation with the vital provider can the information on the breach or vulnerability be shared with other organisations or made publicly available.
Confidentiality rules will cover all information that the NCSC has about the breach, not only the information provided in a notification. In addition, the Dutch Freedom of Information Act will not apply to information that can be traced to a vital provider (with an exception relating to environmental data).
Relation to other breach notification obligations
The notification duty for vital providers introduced by the bill does not exclude any other existing or potentially overlapping notification obligations, such as mandatory notification of security breaches related to personal data. The notification duty under the bill has a broader scope as it covers all IT security breaches, not only those related to personal data. A security breach that also involves personal data will therefore need to be notified to both the NCSC and the Dutch data protection authority.
In contrast, sector-specific notification obligations, such as an obligation for internet service providers and telecom operators to notify security incidents and loss of the integrity of communication networks and services, are generally broader, because the bill applies only to incidents that could disrupt Dutch society. The vital provider will still need to notify both a sector-specific supervisory authority and the NCSC, and the instructions of the specific supervisory authority will prevail.
Review your processes and prepare for new obligations
The bill will primarily have consequences for vital providers. Companies operating in sectors vital to Dutch society are advised to review their internal processes and policies and adapt these to comply with future notification obligations and information sharing with the NCSC.