https://ploum.nl/uploads/Artikelen_en_Track_Records_en_expertise/Algemeen/office-1209640_1920.jpg

Cyber resilience of Dutch society

22 Nov '21

Digital resilience of society; that is what the 'Network and Information Systems Security Act' (Wbni) is about. This Act designates specific parts of society that must be protected against digital attacks and vulnerabilities. For each component, the law indicates who must comply with what requirements and when. There are major differences and it is very important to know exactly if, and to what extent, a company must comply with the Wbni.

An introduction of the Wbni as protection of the digital resilience of Dutch society can be helpful in that respect. The Wbni identifies specific parts of society that must be protected.

Those specific parts are:

  • Vital operators
  • Digital service providers
  • Parts of the central government

Vital/ operators of essiential services

The group of vital operators is again divided into sectors:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Care
  • Supply and distribution of drinking water
  • Digital infrastructure

Rights and obligations

The Wbni and the Decree on the Wbni (Bbni) further define these three components. Based on the Wbni, operators of essential services and digital service providers have certain rights and obligations because they have an important function in Dutch society and the economy.

Right to information

Operators of essential services and digital service providers receive confidential threat information which they can use to defend their services and systems. Various organisations have been given a task in this respect on the basis of Article 3 of the Wbni.

  • The NCSC as central contact point,
  • the CSIRT (Computer security incident response team) for essential services
  • organisations whose objective is to inform other organisations or the public (OKTTs)
  • other computer crisis teams designated by ministerial regulation
  • providers of Internet access and communication services for the purpose of informing users of those services

Duty of care and duty to report

Operators of essential services and digital service providers have a duty of care for the security of their systems. And they have an obligation to report incidents. The reports of the vital providers must be submitted to the NCSC and to the competent authority for the sector. Digital service providers must report to a designated CSIRT and the competent authority for the digital service provider.

If they (the NCSC or the CSIRT) subsequently request information, there is an obligation to provide that information.

Enforcement

According to the Wbni, the competent authority has the possibility of using administrative enforcement instruments such as the imposition of an audit, the issuing of a binding instruction, an administrative order and the imposition of a fine of up to 5 million euro. The enforcement chapter of the Wbni applies exclusively to providers of essential services and digital service providers. The Act prescribes the competent authority for providers of essential services and digital service providers:

  • Minister of Economic Affairs and Climate Change
  • De Nederlandsche Bank N.V.
  • Minister of Infrastructure and Water Management
  • Minister for Medical Care

Contact

Attorney at law

Hugo van Aardenne

Expertises:  Fraud and white collar crime, Administrative law, Cybersecurity , Enforcement and sanctions, International Sanctions and Export Controls, Interne onderzoeken,

Attorney at law

Jouko Barensen

Expertises:  Fraud and white collar crime, Administrative law, Waste law, Environmental criminal law, Cybersecurity , Transport and Logistics, BRZO, Enforcement and sanctions,

Share this article

Stay up to date

Click on the plus and sign up for updates on this topic.

Expertise(s)

Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Create account

Get all your tailored information with a My Ploum account. Arranged within a minute.

I already have an account

Benefits of My Ploum

  • Follow what you find interesting
  • Get recommendations based on your interests

*This field is required

I already have an account

Benefits of My Ploum

Follow what you find interesting

Receive recommendations based on your interests

{phrase:advantage_3}

{phrase:advantage_4}


Why do we need your name?

We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.

Password

A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.