Contributed by Vondst Advocaten N.V.
Cyber-security is most importantly addressed in the Wbni, which implements the NIS Directive in the Netherlands. Cyber-security breaches should be notified to the Dutch Minister of Security and Justice and, in most cases, to the competent regulator, which differs per sector.
Data breaches are primarily regulated by the GDPR and the Implementation Act. In addition, sector-specific legislation applies.
Article 34 of the GDPR provides for a notification requirement in the event of data breaches relating to personal data. In the Netherlands, personal data breaches should be notified to the AP and, depending on the severity of the breach, to the data subjects involved. Pursuant to Article 42 of the Implementation Act, financial institutions are exempted from this notification requirement, as they are already subject to a notification requirement laid down in sector-specific rules.
Article 11.3a of the Dutch Telecommunications Act sets out the notification requirement for providers of public electronic communication services. These providers have to notify security breaches that have adverse effects on the personal data processed in connection with the provision of their services to the AP, and, depending on the severity of the breach, to the individuals involved.
The EDPB has provided guidance on the notification requirement in its 2018 guidelines on personal data breach notification under the GDPR (WP 250 rev 01). The AP publishes statistics on all reported data breaches on its website.
The Wbni applies to certain services provided by digital service providers, operators of essential services and operators of other vital services. The relevant operators and services are designated in the Bbni. The providers and operators concerned are required to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems that they use in their operations or in the context of offering their services as referred to in the NIS Directive.
The Wbni contains a notification requirement for digital service providers to notify the competent authority or the CSIRT without undue delay of any incident having a substantial impact on the provision of the service they offer as referred to in the Directive. Operators should notify the competent authority and the Dutch National Cyber Security Centre (‘Nationaal cyber security centrum’) (NCSC), part of the Dutch Ministry of Security and Justice, of incidents having a significant impact on the continuity of the essential services they provide.
Pursuant to Article 4 of the Bbni, the security and notification requirements set forth in the Wbni are not applicable to certain credit institutions, central counterparties and operators of trading venues, as they are already subject to similar security and notification requirements set forth in sector-specific laws.
Security and notification requirements with respect to personal data are set forth in the GDPR, as well as in the Dutch Telecommunications Act. Security and notification requirements applicable to financial institutions are also set forth in sector-specific laws and regulations.
The overarching national cyber-security agency in the Netherlands is the NCSC. The NCSC is the Computer Emergency Response Team (CERT), also known as CSIRT, for the Dutch government. The primary focus groups are the vital infrastructure (eg, for energy, water and telecom) and the government. The NCSC publishes guidance on cyber-security-related topics on its website, including recently on co-ordinated vulnerability disclosure.
The NCSC co-operates with ENISA, which is the centre of expertise for cyber-security in Europe.
Personal data breaches within the meaning of the GDPR should be notified to the AP, using the online data breach notification web form that is available on its website (in Dutch only).
The AP has stated in its principles for supervision for 2018-2019 that it will focus on unreported data breaches and on data breaches caused by or related to serious shortcomings in security. All principles for supervision are published on the AP’s website.
Article 4 of the Wbni assigns the competent regulators per sector for cyber-security incidents.
Financial institutions as referred to in the Dutch Financial Supervision Act (‘Wft’) should notify supervision incidents, including cyber-security incidents and data breaches, to financial supervisor DNB. Certain types of supervision incidents should be notified to another financial regulator, the AFM.
Within the DNB, a separate expert centre named ‘Expertisecentrum Operationale & IT-risico’s’ has been established, which specialises in the operational and IT risks at pension funds and insurance companies. Last year’s focus point of this expert centre was cyber-security.