Stricter enforcement of cybersecurity rules to be expected in the Netherlands

This announcement was made in response to an article published by a large Dutch newspaper on 28 September ‘19 in which it addressed that hundreds of Dutch companies and institutions, including the Ministry of Justice and Security, were vulnerable to cyberattacks over the span of months through a vulnerability in their VPN-software. Protecting against this vulnerability required a simple software update, which some of these organisations failed to do as late as four months after this update had become available. This happened despite these organisations having been warned by the National Cyber Security Center (NCSC).

The NCSC, being part of the Ministry of Justice, is expected to follow up on this encouragement by the Minister and may increase its visibility and efforts, including in its capacity as the CSIRT (Computer Security Incident Response Team) for digital service providers. Furthermore, while regulators such as the Data Protection Authority and the Authority Consumer and Market have already used their enforcement powers for security and related matters, the Minister’s statement could be seen as a call to action for regulators and government bodies to make this a (further) priority.

Regulatory cybersecurity obligations in the Netherlands

With the introduction of the GDPR, many organisations have either drafted or updated their security incident plans and data breach plans. Not every company knows, however, that there are a number of other relevant laws that include security obligations (and even notification obligations) that may apply to their organisation. What is more, such cybersecurity and notification obligations are ever increasing.. And by means of a topical side note: not all organisations are aware that in case of a ‘no-deal’ Brexit, companies established in the EU and UK could be subject to two similar data breach notification duties: one under the GDPR and one under the UK Data Protection Act 2018. [i]

Below is a brief description of the various cybersecurity laws and rules that apply to companies operating in and from the Netherlands.

General Data Protection Regulation

The GDPR and its Dutch implementing legislation (Uitvoeringswet AVG) require organisations to take technical and organisational measures to secure processing of personal data, violations of which can result in fines of a maximum of 2% of the worldwide annual turnover. It also contains obligations to notify data protection authorities, data controllers and data subjects of data breaches, as the case may be. While there is helpful guidance on the application of the aforementioned obligations by means of guidelines from the Article 29 Working Party (endorsed by its successor, the European Data Protection Board), there is little practical guidance on the obligation to take ‘technical and organisational measures’. The guidance that exists on the latter, such as a statement by the European Data Protection Board on encryption, is generally broad in nature.

The NISS Act (our coverage of this act can be found here)

The Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen, "NISS Act") requires providers of essential services (in sectors such as aviation, energy, drinking water, finance, nuclear power and weirs) and digital service providers (including many providers of online market places, online search engines and SaaS, PaaS or IaaS) to take appropriate technical and organisational measures to manage security risks to their networks and information systems. It also requires taking measures to prevent and minimise the impact of incidents affecting the security of their network and information systems in order to ensure the continuity of those services. If any incidents occur, this must be reported to the relevant authorities, who can impose fines of a maximum of EUR 5 million.

In our experience, many companies are not aware that they might qualify as ‘digital service provider’, and that they are subject to the above mentioned obligations. As such, and against the background of possible increase in enforcement, companies are strongly advised to review whether the NISS Act might apply to their services.

Sector-specific cybersecurity rules

Apart from the general cybersecurity rules and obligations which can be found in the NISS Act and the GDPR, sector-specific rules exist in regulated sectors such as telecoms, health and finance. Examples are the security and notification obligations under the Dutch Telecommunications Act (Telecommunicatiewet), the Financial Supervision Act (Wet op het financieel toezicht) and the recent Regulatory Technical standards for PSD2 for financial institutions. 

Technical and organisational standards

It is not always easy for organisations, especially those operating in sectors without specific cybersecurity standards, to have clear how to comply with the often vague and generic cybersecurity norms provided in laws such as the GDPR and NISS Act. This uncertainty exists despite the fact that the potential risk and impact of enforcement could be substantial.

Thankfully, efforts to provide more guidance on how to attain and maintain good cybersecurity are increasing. For example, the National Cybersecurity Center has provided some guidance, such as guidance for Transport Layer Security. Nonetheless, similar to industry standards such as ISO-norms, none of these guidance documents are binding (or in all cases sufficiently specific). Many organisations resort to specialized advice on how to apply such guidance in their organization and how to ensure cybersecurity compliance.

What might happen following the Minister’s announcement

In our experience, prior to the Minister's announcement, cybersecurity compliance was already getting (some) attention from the NCSC (and regulators appointed pursuant to the NISS), the Data Protection Authority and sector-specific regulators such as ACM and the Dutch National Bank.

With the recent statement, the NCSC, being part of the Ministry of Justice, is expected to follow up on the Minister’s encouragement and may increase its visibility and efforts, including in its capacity as the CSIRT (Computer Security Incident Response Team) for digital service providers. Furthermore, while regulators such as the Data Protection Authority and the Authority Consumer and Market have already used their enforcement powers for security and related matters, the Minister’s statement could be seen as a call to action for regulators and government bodies to make this a (further) priority.

What should companies do?

With a possible increase of enforcement around cyber security from various regulators, companies are especially advised to:

• Inventory (or update) which cyber security rules and regulators they are subject to;
  
  The GDPR is not the only law that covers cyber security, for example, the recent cybersecurity law (NISS Act) includes notification obligations for a broad range of digital service providers and providers of essential services.

• Update their security incident plans to make sure they are update to date; and
  
  A good incident plan goes beyond the GDPR’s obligations and i.a. covers further applicable regulatory obligations (in the Netherlands, Europe and beyond) and important contractual obligations.

• Manage and verify vendors and business partners in an accountable manner.
  
  Contracts often contain elaborate language on security and compliance, but this is not always put to practice or tested from time to time. Increasingly, regulators (data protection authorities especially) have shown that companies should regularly review the compliance of their vendors.

We can assist

If you want to know which cybersecurity rules apply to your business and how or would like advice on how to implement these rules, please feel free to reach out to one of our data protection and cybersecurity experts referred to in this update.

[i] And that is just the data breach obligation under the GDPR: a similar ‘double dip’ could be arise where companies are subject to the local implementation of the Network and Information Services Directive, which also contains notification obligations.