As of 9 November 2018 new legislation on network and information systems security and security incident reporting will apply in the Netherlands. A new act to this effect was adopted in parliament on 16 October 2018 and formally published in the Government Gazette today.
The Network and Information Systems Security Act (in Dutch officially the Wet beveiliging netwerk- en informatiesystemen, or in short "Wbni", and hereafter referred to as "NISS Act") implements the EU NIS Directive (Directive (EU) 2016/1148). Its security and security incident reporting requirements will affect a broad range of digital service providers, including many providers of Software, Platform or Infrastructure as a Service (SaaS, PaaS or IaaS), and operators of essential services.
Under the new NISS Act, providers of cloud computing services, as well as providers of online marketplaces and online search engines, will be required to take appropriate technical and organisational measures to manage security risks to their networks and information systems and to take measures to prevent and minimise the impact of incidents affecting the security of their network and information systems, with a view to ensuring the continuity of those services. They will also be required to report security incidents to the authorities if such incidents occur and have a substantial impact on their services.
Digital service providers (DSP)
These requirements will apply to digital service providers offering services in the EU which have their main establishment in the Netherlands. Providers with a main establishment in another EU member state will be subject to similar requirements in that state. A digital service provider within the meaning of the act that is not established in the EU is required to designate a representative in one of the member states. Smaller providers, with fewer than 50 employees or an annual turnover or annual balance sheet total of less than EUR 10 million, are exempt from these requirements.
The act does not specify in detail who qualifies as a provider of 'cloud computing services', 'online marketplaces' or 'online search engines', but guidance provided by the Ministry of Economic Affairs and Climate suggests that these categories should be interpreted relatively broadly. This means, for example, that many providers of Software, Platform or Infrastructure as a Service (SaaS, PaaS or IaaS) will qualify as cloud computing service providers and will need to comply with the new security and incident reporting requirements of the NISS Act.
The guidance of the Ministry of Economic Affairs and Climate also provides some information on procedures and thresholds for security incident reporting and on the type of security measures to be taken, which are set out in more detail in the new act and in (EU) implementing decisions.
Operators of essential services (OES)
Similar requirements will apply to operators of essential services in, for example, the financial and energy sectors, although they will be subject to a stricter supervision regime than digital service providers. (The categories of) operators of essential services to whom these requirements apply will be specifically designated by decree and will generally be contacted by the authorities proactively. Generally, these operators will already be subject to the existing security breach reporting law applicable to operators of vital infrastructures. That existing law has now been absorbed into the new act.
Relation to the General Data Protection Regulation (GDPR)
The NISS Act introduces security and incident reporting requirements in addition to existing requirements set out in the General Data Protection Regulation (GDPR) in relation to the processing of personal data. The two legal regimes have different purposes. The aim of the NISS Act is to boost the overall level of cybersecurity, in view of the importance of network and information systems to society, whereas the GDPR's aim is to protect personal data. Nevertheless, the two regimes overlap to some extent, both in aim and in effect, and it makes sense to align measures and procedures to be taken according to this new act with those already taken in the context of GDPR compliance. The consequence of the two separate regimes remains that security incidents may need to be reported separately to both the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and the authorities designated by this new act to receive security incident reports.
Supervision and enforcement
Depending on the type of service and the sector, the new act will be enforced by different competent authorities. However, the main competent authority, also with regard to the supervision of digital service providers, is the Dutch Telecommunications Agency (Agentschap Telecom).
The Telecommunications Agency has performed a similar role since 2010 in relation to sector-specific security legislation for the telecommunications sector. The agency has the usual investigative and enforcement powers of regulators in the Netherlands. For violations of the NISS Act, the agency can impose fines of up to a maximum of five million euro, depending on the nature of the violation.
Supervision of digital service providers will be largely reactive. Operators of essential services will be subject to a stricter and more proactive regime. This means, for example, that they can be instructed to have security audits performed.