On 1 October 2017, the data processing and reporting cybersecurity law (Wet gegevensverwerking en meldplicht cybersecurityWgmc) entered into force. The reporting obligation under this law will take force as per 1 January 2018. The notification obligation applies only to what are known as ‘vital operators’: public bodies and private legal entities providing products or services whose availability and reliability are of vital importance to Dutch society (such as electricity, gas, nuclear, water, telecom, transportation (main ports of Rotterdam and Schiphol), finance and government (including primary defenses)). Security incidents should be reported to the National Cyber Security Centre (NCSC) of the Ministry of Security and Justice.