
Cyber resilience of Dutch society

22 Nov '21

Digital resilience of society: that is what the 'Network and Information Systems Security Act' (Wbni) is about. This Act designates specific parts of society that must be protected against digital attacks and vulnerabilities. For each component, the law indicates who must comply with what requirements and when. There are major differences, and it is very important to know exactly whether, and to what extent, a company must comply with the Wbni.

An introduction to the Wbni as protection of the digital resilience of Dutch society can be helpful in that respect. The Wbni identifies specific parts of society that must be protected.

Those specific parts are:

  • Vital operators
  • Digital service providers
  • Parts of the central government

Vital operators / operators of essential services

The group of vital operators is again divided into sectors:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Care
  • Supply and distribution of drinking water
  • Digital infrastructure

Rights and obligations

The Wbni and the Decree on the Wbni (Bbni) further define these three components. Based on the Wbni, operators of essential services and digital service providers have certain rights and obligations because they have an important function in Dutch society and the economy.

Right to information

Operators of essential services and digital service providers receive confidential threat information which they can use to defend their services and systems. Various organisations have been given a task in this respect on the basis of Article 3 of the Wbni.

  • the NCSC as central contact point
  • the CSIRT (Computer Security Incident Response Team) for essential services
  • organisations whose objective is to inform other organisations or the public (OKTTs)
  • other computer crisis teams designated by ministerial regulation
  • providers of Internet access and communication services for the purpose of informing users of those services

Duty of care and duty to report

Operators of essential services and digital service providers have a duty of care for the security of their systems. They also have an obligation to report incidents. The reports of the vital operators must be submitted to the NCSC and to the competent authority for the sector. Digital service providers must report to a designated CSIRT and the competent authority for the digital service provider.

If they (the NCSC or the CSIRT) subsequently request information, there is an obligation to provide that information.

Enforcement

According to the Wbni, the competent authority has the possibility of using administrative enforcement instruments such as the imposition of an audit, the issuing of a binding instruction, an administrative order and the imposition of a fine of up to 5 million euro. The enforcement chapter of the Wbni applies exclusively to providers of essential services and digital service providers. The Act prescribes the competent authority for providers of essential services and digital service providers:

  • Minister of Economic Affairs and Climate Change
  • De Nederlandsche Bank N.V.
  • Minister of Infrastructure and Water Management
  • Minister for Medical Care

Contact

Attorney at law

Hugo van Aardenne

Expertise: Fraud and white collar crime, Administrative law, Cybersecurity, Enforcement and sanctions, International Sanctions and Export Controls, Internal investigations

Attorney at law

Jouko Barensen

Expertise: Fraud and white collar crime, Administrative law, Waste law, Environmental criminal law, Cybersecurity, Transport and Logistics, BRZO, Enforcement and sanctions
