Most Read Contributor in Netherlands, January 2017
The European Parliament approved the final text of the EU
Network and Information Security Directive (NIS Directive) on 6
July 2016. This marks the final stage of a three-year legislative
process on the first EU-wide rules on cybersecurity. The NIS
Directive introduces new information security and notification
obligations for operators of essential services and key digital
service providers. Although member states have approximately two
years to transpose the NIS Directive into national law, the
Netherlands plans to introduce some obligations as early as the end
of 2016 – beginning 2017 under the recently proposed
Cybersecurity Breach Notification Bill. Businesses operating in key
sectors of the economy should review and update their cybersecurity
policies and processes and prepare for the new obligation to report
serious cybersecurity incidents to supervisory authorities.
reported last month, the NIS Directive is expected to enter into force
in August 2016. Member states will then have 21 months to transpose
the NIS Directive into their national laws. The NIS Directive
applies to two categories of market players: operators of essential
services and key digital content providers. The member states will
have six additional months to identify the relevant operators in
the sectors defined in Annex II of the NIS Directive. These include
the energy, banking, financial market infrastructure, drinking
water supply, transportation, healthcare and digital infrastructure
sectors. Relevant operators and providers will be required to: take
appropriate technical and organisational measures to prevent risks
of network and information incidents; ensure the security of
network and information systems; and notify serious cyber incidents
or loss of integrity of vital electronic information systems to
competent supervisory authorities.
This mandatory notification of serious cybersecurity incidents
to supervisory authorities will most likely be imposed by the Dutch
Cybersecurity Breach Notification Bill as early as the end of
2016 – early 2017. As under the NIS Directive, further
regulation will identify specific businesses that meet the
"vital provider" definition under the Bill. The Dutch
government recently issued a memorandum regarding the Bill that
includes an updated list of providers, products and
services that will be used by the Dutch government for identifying
vital providers. This list is shorter than the earlier version proposed in May 2015 and currently does
not include ICT or telecom service providers, payment services or
large-scale processing of chemicals. However, the government
indicated that not all relevant sectors are currently on the list
but will be added at the later stage.
We recommend that businesses operating in the relevant
industries closely monitor the national implementation measures by
the member states, as other countries may take the Dutch approach
in early implementation. We also suggest timely adopting
appropriate cybersecurity policies and implementing risk-based
incident response procedures.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The right to data portability is one of the main and controversial new rights granted by the GDPR to data subjects.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).