PONT Data&Privacy

Cybersecurity bill in consultation phase

This proposal for a Cybersecurity Act seeks to implement the European Union's NIS Directive (Directive 2016/1148, known in Dutch as the NIB Directive). Because of substantive consistency and overlap, the provisions of the future Data Processing and Reporting Obligation Cybersecurity Act (currently pending as a bill in the Senate) will be transferred to the Cybersecurity Act.

Government.com June 20, 2017

Purpose of the regulation
Implementation of EU Directive 2016/1148, which includes, in particular, the following obligations:

  • designation, by each member state, of the "providers of an essential service" in that member state;

  • obligation for providers of essential and digital services to secure their ICT and report serious incidents;

  • supervision and sanctions by one or more competent authorities;

  • designation of one central point of contact;

  • designation of one or more computer security incident response teams (CSIRTs) to provide advice and assistance to providers of essential and digital services.

Draft regulation
Cybersecurity Act (PDF document, 67 kB)

Draft explanatory memorandum
Explanatory memorandum (PDF document, 170 kB)

Target groups affected by the scheme

  • providers of essential services within the energy, transportation, banking, financial market infrastructure, healthcare, drinking water and digital infrastructure sectors;

  • other vital providers: operators of primary flood defenses and organizations in the nuclear sector;

  • digital service providers: providers of online marketplaces, online search engines and cloud computing services;

  • the central government (Rijksoverheid).

Expected effects of the scheme

The bill is expected to lead to a higher level of network and information security, increase digital preparedness and resilience, and reduce the impact of cyber incidents.

Purpose of Consultation
Provide opportunity for comments on the implementation choices made, such as:

  • separation of the functions of assistance and supervision;

  • designation of the Minister of Security and Justice (National Cyber Security Center, NCSC) as the CSIRT for essential services and as the central point of contact;

  • designation of the line departments or DNB as competent authority (supervision and sanctions by the sectoral regulator);

  • global security standards (duties of care) in the law, possibly to be elaborated on sector by sector;

  • double reporting obligation for serious ICT incidents: reporting both to the competent authority and to the CSIRT, technically designed in such a way that the submitter can comply with both reporting obligations with one action if desired;

  • single reporting obligation for ICT incidents that could have serious consequences for designated vital providers: report only to NCSC;

  • implementation in one central law rather than sectoral laws of the line departments (such as the Financial Supervision Act and the Drinking Water Act).

On which parts of the regulation is a response requested
A response is possible on all parts. Note, however, that the obligations of the NIS Directive itself are fixed. A response is therefore most useful if it concerns the choices made in the bill for elaborating on those obligations.

Publication of reactions
Responses are published during the course of the consultation. Only those responses that the submitter has indicated may be made public are published. Before responses are published, they are checked for offensive or objectionable statements; this check may take several days.
