The Dutch NIS Directive implementation Act is currently a Bill ("the Bill"). The NIS Directive will be implemented by the Cybersecurity Act, which currently exists in the form of a draft. The (first) consultation version was published on 16 June 2017. This consultation expired on 16 July 2017 and we are currently waiting for the responses to be processed. The date the draft Cybersecurity Act will come into effect is currently unknown.
Draft "Cybersecurity Act".
Operators of essential services are obliged to immediately notify the following events to the National Cyber Security Centre (Article 10 of the draft Cybersecurity Act):
Digital service providers are required to notify incidents with significant consequences for the continuity of the digital service to the Cyber Security Incident Response Team and the competent authority (Article 13 of the draft Cybersecurity Act). However, notification is only mandatory if the digital service provider has access to the information required to determine whether the incident has significant consequences for the continuity of the digital service in question.
The draft Cybersecurity Act provides for the following administrative fines:
The following authorities have been appointed as the competent authorities:
The Minister of Economic Affairs has been appointed as the competent authority for digital service providers.
The competent authorities will (at a currently unknown date) appoint the sectoral supervisory authorities.
According to the draft Cybersecurity Act, operators of essential services can be either private or public entities, but the draft does not contain a determination with regard to the territorial scope. Going by a related governmental decree (see under "Remarks"), however, application of the Act will most likely be limited to operators offering services within the Netherlands. It will not always be required for the operator's main establishment to be located in the Netherlands.
Digital service providers can exclusively be legal entities and are subject to the (draft) Cybersecurity Act if their main establishment is located in the Netherlands or if they offer online marketplace, online search engine or cloud computing services in the Netherlands.
In addition to essential operators, an obligation to notify will exist for other 'vital providers', which will be appointed from (as a minimum) the sectors Nuclear and Weirs. These other vital operators will be appointed by governmental decree at a currently unknown date by currently unknown criteria. At the present time, it does not look like there will be any supervision or sanctions for violation of the notification requirement by vital operators which are not classified as essential operators. However, the parliamentary history of the draft Cybersecurity Act specifically mentions that it might be decided that supervision and sanctions will be applied to this group of providers in the future.
The draft Cybersecurity Act implementing the NIS Directive is preceded by a national law ('Wet gegevensverwerking en meldplicht cybersecurity'), which came into force on 1 January 2018 and will be withdrawn as soon as the draft Cybersecurity Act comes into force. Under the national law, there is no supervision and no sanctions apply to any breaches. Additionally, under the national law, vital operators (which include operators in the sectors mentioned in Annex II of the NIS Directive) have been appointed by decree. It is expected that approximately 60 organisations qualify as 'vital' under this decree and only ten to twenty incidents will require notification per year. It is important to note that the selection of vital operators in the decree differs from the list of essential operators of the Directive, leaving, for example, the entire Health sector out. It is expected, however, that the list of essential operators and other vital operators to be appointed under the draft Cybersecurity Act will be (heavily) inspired by this selection.
Last reviewed 28.02.2018