https://ploum.nl/uploads/Artikelen_en_Track_Records_en_expertise/IT-recht/programmeren.jpg

NIS2 - cybersecurity directive/ European and Dutch national developments

03 Feb '23

Author(s): Hugo van Aardenne and Jouko Barensen

On 27 December 2022, the NIS2 directive, the cybersecurity directive for the vital sectors, was published. It is now up to member states to transpose this comprehensive directive into national law. By October 2024, the directive must be transposed and national law under the NIS2 must be applied.

In the meantime, the national legislative process has to be completed, regulators have to get ready and the vital sectors have to implement the cybersecurity rules. Waiting is then not an option. Indeed, implementing these rules on time is actually positive for the European economy, according to Moody's.

The first cybersecurity directive (NIS1) applies to seven sectors. The NIS2 applies to as many as 18 sectors. And a legitimate and common question is; what will the oversight look like? Who will supervise which sector?

Oversight of cybersecurity policies

Currently - February 2023 - the following authorities are supervising the Security of Network and Information Systems Act (Wbni), which is the Dutch implementation of NIS1 Directive (see here).

  • State Inspection Digital Infrastructure (RDI as of 1 January 2023)
  • Dutch Central Bank (DNB)
  • Human Environment and Transport Inspectorate (ILT)
  • Healthcare and Youth Care Inspectorate (IGJ)

These authorities are now designated as regulators for their specific sectors. Article 8 of the NIS2 stipulates that each Member State shall itself designate or establish one or more competent authorities. Those authorities will then be responsible for cybersecurity and entrusted with the supervisory tasks under the NIS2 directive. The already existing and possibly new supervisory authorities will have their place in the Wbni. It is therefore good for all existing and new sectors to keep an eye on developments in that area, to determine who will soon come to test your cybersecurity policy.

Wbni increasingly widely used

Special in that context is that the Wbni covers more (and increasingly more) than the implementation of European cybersecurity rules. For instance, the national legislator has also designated other sectors not covered by the NIS directive. Think, for example, of the ‘waterflood infrastructure’ and 'nuclear' sectors. In this sense, the Wbni is used for more components than implementation the NIS1 and NIS2 directives.

Besides the sectors identified as vital, the Wbni also provides rules that deal with the non-vital sectors. Those rules are not about security requirements they have to comply with, but about a legal basis to share threat information.

Indeed, until 1 December 2022, the National Cyber Security Centre (NCSC) was not allowed to share readily available threat information with companies outside the vital sectors covered by the NCSC. From 1 December 2022, a change in the law came into force that does allow this. It is therefore possible that your company - if not part of a vital sector - can still receive very specific threat information from the NCSC about a possible incident.

In addition, from 1 December 2022, a provision (section 20(2)(a) Wbni) also came into force that allows the NCSC to share threat information with so-called 'switching organisations'.

These organisations have been designated as link organisations through the Minister of Justice and Security and the NCSC. They are currently - February 2023 - the following organisations.

  • the Digital Trust Centre, part of the Ministry of Economic Affairs and Climate;
  • the Abuse Information Exchange Association;
  • the National Internet Providers Management Organisation Foundation;
  • the Brainport Cyber Resilience Centre Foundation;
  • the Association Cyberveilig Nederland;
  • the Connect2Trust Foundation;
  • the FERM Foundation.

In summary; developments are following each other in rapid succession. Unfortunately, this is also desperately needed because the threats are not imaginary but real. So the cybersecurity landscape is legalising just as fast. If you want to know more about this, broadly, in more detail or specifically what this means for your organisation, we are at your service.

Contact

Attorney at law

Hugo van Aardenne

Expertises:  Fraud and white collar crime, Administrative law, Cybersecurity , Enforcement and sanctions, International Sanctions and Export Controls, Interne onderzoeken,

Attorney at law

Jouko Barensen

Expertises:  Fraud and white collar crime, Administrative law, Waste law, Environmental criminal law, Cybersecurity , Transport and Logistics, BRZO, Enforcement and sanctions,

Share this article

Stay up to date

Click on the plus and sign up for updates on this topic.

Expertise(s)

Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Create account

Get all your tailored information with a My Ploum account. Arranged within a minute.

I already have an account

Benefits of My Ploum

  • Follow what you find interesting
  • Get recommendations based on your interests

*This field is required

I already have an account

Benefits of My Ploum

Follow what you find interesting

Receive recommendations based on your interests

{phrase:advantage_3}

{phrase:advantage_4}


Why do we need your name?

We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.

Password

A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.