NL – Cybersecurity Legislation in the Netherlands

In the Netherlands a few laws have been issued:

  • NIS directive → Csw → Wbni (Vital)
  • BRZO (Explosive Mixtures)
  • GDI → Wdo (Government)
  • Wgmc → Wbni (Vital)

The European NIS Directive (NIB Richtijn) have been changed into a new law, the Csw (Cyber security set). This law has been accepted by the ‘Tweede Kamer’ of the Dutch parliament on the 29th of May 2018 and changed name into Wbni (Wet beveiliging netwerk- en informatiesystemen), accepted by the ‘Eerste Kamer’ on 16-10-2018 and came into force on 9-11-2018.

The Wbni is applicable to the vital infrastructure only, so not to all companies and people in the Netherlands. The law is applicable to the Dutch Government, Telecom and Nuclear Industry, as well as Energy, Transport, Banking, Finance, Health Care, Water and Internet Services. The companies applicable have received a letter from the Government to enforce compliance.

However, all companies that have activities with explosive mixture, also have to comply to the BRZO (Besluit Risico’s Zware Ongevallen) issued in 2015. The BRZO puts Security, both Physical and Cybersecurity, as part of Safety as legislation, so part of the HSSE responsibilities.

The BRZO mandates the following:

  • Exchange of information internationally to avoid or to mitigate
  • Organisational security requirements (e.g. training, access)
  • Personnel security requirements (e.g. Good Behaviour Certificate [VOG])
  • Civil security requirements (e.g. blast walls)
  • Electronic security requirements (e.g. CCTV, card readers)
  • ICT-Security requirements (e.g. firewalls)
  • Prove that Cybersecurity is managed

The Dutch government has accepted a law, Wgmc (Wet gegevensverwerking en meldplicht cybersecurity), that makes the reporting of cyber incidents mandatory on 11th of July 2017 for all companies. The reporting should be addressed to the Nationaal Cyber Security Centrum (NCSC) acting on behalf of the Secretary of State of Safety and Justice (Minister van Veiligheid en Justitie).

Both the NCSC and DTC (Digital Trust Center) have the task to advise the industry. The NCSC should advise the Vital sectors and the DTC should advise the rest, MKB (Midden en Klein Bedrijf) and the large companies not part of vital. Both organisations are part of the Ministry of Economic Affairs. On top of that the NCSC is also the organisation that acts on behalf of the Secretary of State of Safety and Justice (Minister van Veiligheid en Justitie).

Wdo (Cybersecuritywet voor de Overheid) is a new law, Law Digital Government (previously called) the General Digital Infrastructure (GDI) consists of Standards, Products and Services to be used by the Dutch Government, Public Organisations and some private companies that work for the government. The focus is on usability and therefore it is constantly in motion for improvements.

In the Netherlands the GDPR is also applicable, as described for the EU. The EU also has created a new enforcement of the laws issued as part of Europol. Europol has set up the European CyberCrime Centre (EC3) started on the 1st of Jan 2013 with the objective “to strengthen the law enforcement response to cybercrime in the EU and with that to help protect European citizens, businesses and governments from online crime.” The EC3 takes a three-step approach to the fight against cybercrime: forensics (finding out what happened based on the traces left behind), strategy and operations.