NIS2 - cybersecurity directive/ European and Dutch national developments

Oversight of cybersecurity policies

Currently - February 2023 - the following authorities are supervising the Security of Network and Information Systems Act (Wbni), which is the Dutch implementation of NIS1 Directive (see here).

• State Inspection Digital Infrastructure (RDI as of 1 January 2023)
• Dutch Central Bank (DNB)
• Human Environment and Transport Inspectorate (ILT)
• Healthcare and Youth Care Inspectorate (IGJ)

These authorities are now designated as regulators for their specific sectors. Article 8 of the NIS2 stipulates that each Member State shall itself designate or establish one or more competent authorities. Those authorities will then be responsible for cybersecurity and entrusted with the supervisory tasks under the NIS2 directive. The already existing and possibly new supervisory authorities will have their place in the Wbni. It is therefore good for all existing and new sectors to keep an eye on developments in that area, to determine who will soon come to test your cybersecurity policy.

Wbni increasingly widely used

Special in that context is that the Wbni covers more (and increasingly more) than the implementation of European cybersecurity rules. For instance, the national legislator has also designated other sectors not covered by the NIS directive. Think, for example, of the ‘waterflood infrastructure’ and 'nuclear' sectors. In this sense, the Wbni is used for more components than implementation the NIS1 and NIS2 directives.

Besides the sectors identified as vital, the Wbni also provides rules that deal with the non-vital sectors. Those rules are not about security requirements they have to comply with, but about a legal basis to share threat information.

Indeed, until 1 December 2022, the National Cyber Security Centre (NCSC) was not allowed to share readily available threat information with companies outside the vital sectors covered by the NCSC. From 1 December 2022, a change in the law came into force that does allow this. It is therefore possible that your company - if not part of a vital sector - can still receive very specific threat information from the NCSC about a possible incident.

In addition, from 1 December 2022, a provision (section 20(2)(a) Wbni) also came into force that allows the NCSC to share threat information with so-called 'switching organisations'.

These organisations have been designated as link organisations through the Minister of Justice and Security and the NCSC. They are currently - February 2023 - the following organisations.

• the Digital Trust Centre, part of the Ministry of Economic Affairs and Climate;
• the Abuse Information Exchange Association;
• the National Internet Providers Management Organisation Foundation;
• the Brainport Cyber Resilience Centre Foundation;
• the Association Cyberveilig Nederland;
• the Connect2Trust Foundation;
• the FERM Foundation.

In summary; developments are following each other in rapid succession. Unfortunately, this is also desperately needed because the threats are not imaginary but real. So the cybersecurity landscape is legalising just as fast. If you want to know more about this, broadly, in more detail or specifically what this means for your organisation, we are at your service.