With the ever-increasing level of digitization, many formerly physical assets are becoming digital. Take the storage of personal information, for instance. It is a touchy subject, with the trade-off between convenience and privacy at its core. However, due to their vital impact on our current society, with sometimes sensitive information at stake, certain parts of the digital world require regulation and cooperation to be sustainable.
Back in 2011, the Dutch government implemented the National Cybersecurity Strategy (NCSS), laying a foundation to tackle cybercrime on a nationwide level. Now, seven years later, a new cybersecurity law is to be implemented by the Dutch government, as a result of a decision made by the EU in which all member states are to adhere to the NIS Directive (Directive on Security of Network and Information Systems) before the 9th of May, 2018.
European regulation calls for intra-national cooperation
Currently, the security of network and information systems differs per member state. Consequently, the unequal level of preparedness affects consumers and companies as well. The gathered information regarding cybersecurity breaches and incidents on a nationwide level often is not shared. Needless to say, valuable experiences are lost with consumers and companies as the eventual victims.
Therefore, the EU has set up the NIS Directive to harmonise cybersecurity policies between nations, ultimately to support our society and economy by enhancing digital readiness and minimising cyber incidents. The NIS Directive obliges member states to cooperate with each other. Essentially, member states must compel digital service providers and providers of essential services to proactively take adequate measures in order to manage security risks, prevent incidents and, if incidents do occur, limit their negative consequences. Furthermore, member states must report serious incidents to the appointed authority or the CSIRT (computer security incident response team).
Dutch implementation of the NIS Directive
In the Netherlands, more specifically, the National Cybersecurity Strategy (NCSS) was introduced in 2011. A second version of the strategy was published in 2013. On October 1st, 2017, a law regarding the processing of data and the duty to report cybersecurity incidents (Wgmc) came into force. This law already covered a large part of the articles contained in the NIS Directive. On February 15th, the Dutch Minister of Justice and Security proposed a new law regarding cybersecurity. As a result of the new cybersecurity legislation (Csw), originating from the NIS Directive, the Wgmc shall be withdrawn, as the Csw covers a large part of the Wgmc and adds more to it.
First of all, the Wgmc obliges providers of products or services of vital importance to Dutch society to report security breaches or losses of integrity of their ICT systems to the Minister of Justice and Security.
Second, the Wgmc sets out the duties of the National Cyber Security Centre with respect to the registration of personal data, such as assisting organisations with the restoration or maintenance of the availability and trustworthiness of their products or services. Finally, the Wgmc regulates the conditions under which confidential data related to providers may be shared with third parties.
The adoption of the requirements of the Csw adds to the Wgmc that the Minister of Justice and Security is appointed as the central point of contact for the Netherlands, as the CSIRT for providers of essential services, and as the contact point for voluntary reports of incidents. Providers of essential services must also report breaches that could potentially harm the continuity of the services they offer to the National Cyber Security Centre and the Minister of Justice and Security. Under the new law, the organisations remain responsible for deciding which actions are suitable and proportional for the incidents they have experienced.
In conclusion, the Netherlands is discussing the adaptation of its existing law against cybercrime, in order to take a more structured and cooperative approach in which cybersecurity breaches are detected and resolved as quickly as possible.
By Michael Brooijmans, Research Analyst