Netherlands - New Cybersecurity Bill announced in anticipation of NIS Directive coming into force
Published 17 May 2016
On 17 May 2016 the Council of the European Union (the “Council”) adopted the EU Network and Information Security Directive (the “Directive”), following which the European Commission supported the Council’s proposal at first reading. It is expected that the European Parliament will give its final sign-off on the Directive in early July 2016 and that the Directive will come into force in August 2016. Member States will then have 21 months to implement the Directive in their national laws and another 6 months to identify the businesses that will be subject to the obligations of the Directive.
In anticipation of this, the Dutch government introduced in January of this year a legislative proposal for a 'Cyber Security Breach Notification Bill' (the "Bill"). The Bill introduces mandatory notifications of serious security breaches or other incidents affecting the integrity of information systems operators that are considered 'vital' to Dutch society.
The definition of 'vital provider' under the Bill, as set out in an explanatory memorandum, echoes that under the Directive and also includes the telecom and nuclear sectors, as well as finance providers.
Organisations should continue to monitor the national implementation measures of the Directive, both in the Netherlands and across the rest of Europe, to establish whether they are to be listed as a 'vital provider' and so will be subject to the provisions of the Directive.
In any case, it would be prudent for organisations to review their cyber security policies and procedures and, where necessary, implement adequate incident response procedures, so that they will be compliant with the Directive when it comes into force should they be deemed to fall within its scope.
The text of the Bill can be accessed here (Dutch).
An explanatory memorandum can be accessed here (Dutch).