Current status of implementation

The Dutch NIS Directive implementation Act is currently a Bill ("the Bill"). The NIS Directive will be implemented by the Cybersecurity Act, which currently exists in the form of a draft. The (first) consultation version was published on 16 June 2017. This consultation expired on 16 July 2017 and we are currently waiting for the responses to be processed. The date the draft Cybersecurity Act will come into effect is currently unknown.

Implementation Act

Draft "Cybersecurity Act".

Determination of operators of essential services (Art. 5 NIS)

The draft Cybersecurity Act states that essential operators will be appointed from the same sectors as listed in Annex II to the NIS Directive, namely Energy, Transportation, Banking, Infrastructure for the financial market, Healthcare, Supply of drinking water and Digital infrastructure. Essential operators will be appointed by governmental decree, based on criteria which are currently unknown and on a date which has not yet been confirmed.

Reporting obligations

Operators of essential services are obliged to immediately notify the following events to the National Cyber Security Centre (Article 10 of the draft Cybersecurity Act):

  1. Incidents with significant consequences for the continuity of the essential service (NB: these incidents must also be notified to the competent authority);
  2. Breaches of the security of network and information systems which may have significant consequences for the continuity of the essential service; and
  3. Incidents at digital service providers if these incidents have significant consequences for the continuity of the essential service.

Digital service providers are required to notify incidents with significant consequences for the continuity of the digital service to the Cyber Security Incident Response Team and the competent authority (Article 13 of the draft Cybersecurity Act). However, notification is only mandatory if the digital service provider has access to the information required to determine whether the incident has significant consequences for the continuity of the digital service in question.

Sanctions regime

The draft Cybersecurity Act provides for the following administrative fines:

  1. up to EUR 5 million for any breach of the Cybersecurity Act by essential service operators or digital service providers;
  2. a maximum of EUR 1 million for failing to cooperate with a request for further information from the National Cyber Security Centre; and
  3. a maximum fine of EUR 1 million for failure to adequately cooperate with supervisory authorities exercising their competencies.

Competent authorities

The following authorities have been appointed as the competent authorities:

  • For the Energy and Digital Infrastructure sectors: the Minister of Economic Affairs;
  • For the Banking and Financial Market Infrastructures sectors: the Dutch National Bank ("DNB");
  • For the Transport and Drinking water supply and distribution sectors: the Minister of Infrastructure and Water Management; and
  • For the Health sector: the Minister of Health, Welfare and Sports.

The Minister of Economic Affairs has been appointed as the competent authority for digital service providers.

The competent authorities will (at a currently unknown date) appoint the sectoral supervisory authorities.

Jurisdictional applications

According to the draft Cybersecurity Act, operators of essential services can be either private or public entities, but the draft does not determine its territorial scope. Judging from a related governmental decree (see under "Remarks"), application of the Act will most likely be limited to operators offering services within the Netherlands, although the operator's main establishment will not always be required to be located in the Netherlands.

Digital service providers can only be legal entities and are subject to the (draft) Cybersecurity Act if their main establishment is located in the Netherlands or if they offer online marketplace, online search engine or cloud computing services in the Netherlands.

Remarks (if any)

In addition to essential operators, an obligation to notify will exist for other 'vital providers', which will be appointed from (as a minimum) the Nuclear and Weirs sectors. These other vital operators will be appointed by governmental decree at a currently unknown date, based on criteria which are currently unknown. At present, it does not appear that there will be any supervision of, or sanctions for, violation of the notification requirement by vital operators which are not classified as essential operators. However, the parliamentary history of the draft Cybersecurity Act specifically mentions that it might be decided in the future to apply supervision and sanctions to this group of providers.

The draft Cybersecurity Act implementing the NIS Directive is preceded by a national law ('Wet gegevensverwerking en meldplicht cybersecurity'), which came into force on 1 January 2018 and will be withdrawn as soon as the draft Cybersecurity Act comes into force. Under the national law, there is no supervision and no sanctions apply to any breaches. Additionally, under the national law, vital operators (which include operators in the sectors mentioned in Annex II of the NIS Directive) have been appointed by decree. It is expected that approximately 60 organisations qualify as 'vital' under this decree and that only ten to twenty incidents per year will require notification. It is important to note that the selection of vital operators in the decree differs from the list of essential operators in the Directive, leaving out, for example, the entire Health sector. It is expected, however, that the list of essential operators and other vital operators to be appointed under the draft Cybersecurity Act will be (heavily) inspired by this selection.

Last reviewed 28.02.2018