NL – Cybersecurity Legislation in the Netherlands

In the Netherlands a few laws have been issued:

  • NIS directive → Csw → Wbni (Vital)
  • BRZO (Explosive Mixtures)
  • GDI → Wdo (Government)
  • Wgmc → Wbni (Vital)
  • EU GDPR NL GDPR (All)
  • NIS2 end 2024 (All)

The European NIS Directive (NIB Richtijn) have been changed into a new law, the Csw (Cyber security set). This law has been accepted by the ‘Tweede Kamer’ of the Dutch parliament on the 29th of May 2018 and changed name into Wbni (Wet beveiliging netwerk- en informatiesystemen), accepted by the ‘Eerste Kamer’ on 16-10-2018 and came into force on 9-11-2018.

All 27 European Member States have time until end 2024, i.e. 17th of October 2024 to include the NIS2 guidelines into their national legislation. The NIS2 Directive is the EU-wide law on cybersecurity. Unlike the previous iteration of the NIS directive, the EU’s NIS2 seeks to harmonise requirements across member states by setting out minimum rules for regulatory frameworks and establishing clearer and stronger minimum cybersecurity measures that must be implemented.

Under NIS2, “significant” incidents shall be reported to the national Computer Security Incident Response Teams (CSIRTs) or their competent authority within 24 hours. NIS2 introduces a three-step process for reporting deadlines:

  • An early warning within 24 hours
  • Followed by a full notification within 72 hours
  • A final report shall be issued within one month

What do you have to do because of the new NIS2 legislation?

  • Completing a risk assessment and having sufficient information system security policies in place
  • Preventing, detecting, and responding to incidents appropriately
  • Crisis management and operational continuity in the case of a major cyber incident
  • Ensuring the security of their supply chain, including providers of data processing or storage services
  • Ensuring the security of their network and information systems, from the acquisition to the development and maintenance stages
  • Having policies and procedures in place that assess the effectiveness of cybersecurity risk management practices
  • Create an Asset Inventory and ensure that all assets are safely handled and utilized
  • Implement multi-factor authentication (MFA) whenever appropriate and wherever possible
  • Deliver cybersecurity training programs to improve users’ cybersecurity awareness and hygiene
  • Using cryptography and encryption

But more legislation is applicable. The Wbni is applicable to the vital infrastructure only, so not to all companies and people in the Netherlands. The law is applicable to the Dutch Government, Telecom and Nuclear Industry, as well as Energy, Transport, Banking, Finance, Health Care, Water and Internet Services. The companies applicable have received a letter from the Government to enforce compliance.

However, all companies that have activities with explosive mixture, also have to comply to the BRZO (Besluit Risico’s Zware Ongevallen) issued in 2015. The BRZO puts Security, both Physical and Cybersecurity, as part of Safety as legislation, so part of the HSSE responsibilities.

The BRZO mandates the following:

  • Exchange of information internationally to avoid or to mitigate
  • Organisational security requirements (e.g. training, access)
  • Personnel security requirements (e.g. Good Behaviour Certificate [VOG])
  • Civil security requirements (e.g. blast walls)
  • Electronic security requirements (e.g. CCTV, card readers)
  • ICT-Security requirements (e.g. firewalls)
  • Prove that Cybersecurity is managed

The Dutch government has accepted a law, Wgmc (Wet gegevensverwerking en meldplicht cybersecurity), that makes the reporting of cyber incidents mandatory on 11th of July 2017 for all companies. The reporting should be addressed to the Nationaal Cyber Security Centrum (NCSC) acting on behalf of the Secretary of State of Safety and Justice (Minister van Veiligheid en Justitie).

Both the NCSC and DTC (Digital Trust Center) have the task to advise the industry. The NCSC should advise the Vital sectors and the DTC should advise the rest, MKB (Midden en Klein Bedrijf) and the large companies not part of vital. Both organisations are part of the Ministry of Economic Affairs. On top of that the NCSC is also the organisation that acts on behalf of the Secretary of State of Safety and Justice (Minister van Veiligheid en Justitie).

One of the steps that the Dutch Government took to avoid miscommunications is to merge the National Cyber Security Center (NCSC), the Cyber Security Incident Response Team (CSIRT) and the Digital Trust Center (DTC) into one organisation to start in 2026 called CSIRT.

Wdo (Cybersecuritywet voor de Overheid) is a new law, Law Digital Government (previously called) the General Digital Infrastructure (GDI) consists of Standards, Products and Services to be used by the Dutch Government, Public Organisations and some private companies that work for the government. The focus is on usability and therefore it is constantly in motion for improvements.

In the Netherlands the GDPR is also applicable, as described for the EU. The EU also has created a new enforcement of the laws issued as part of Europol. Europol has set up the European CyberCrime Centre (EC3) started on the 1st of Jan 2013 with the objective “to strengthen the law enforcement response to cybercrime in the EU and with that to help protect European citizens, businesses and governments from online crime.” The EC3 takes a three-step approach to the fight against cybercrime: forensics (finding out what happened based on the traces left behind), strategy and operations.