The government has published additional security measures to be applied to providers of Dutch mobile telecom networks. The ministerial regulation on security and integrity of telecommunications, which went into consultation today, increases the resilience of these networks against current threats such as espionage or abuse. These harm Dutch society and economy.
The regulation lists five categories of measures that apply to critical parts of networks and directly connected parts. First is the secure configuration of technical equipment itself, such as automated and up-to-date protection of management workstations against malicious malware. Second category is the secure configuration of physical and virtual infrastructure, such as targeted encryption of critical data.
The third set of measures is the monitoring of technical infrastructure (monitoring), such as facilities that enable real-time detection of possible security incidents and resolution of vulnerabilities and incidents. Fourth component is security assurance on software and management services, such as requiring a telecom provider to impose similar strict security requirements on its suppliers by contract and the duty to monitor them. Finally, measures such as structural screening of and background checks on people who perform management work and have access to the infrastructure will apply.
The measures must be implemented by Oct. 1, 2022.
State Secretary Mona Keijzer (Economic Affairs and Climate): "Reliable mobile infrastructure has become the backbone of a well-functioning society and economy. With concrete security requirements for critical parts of these networks, we will strengthen this basis and take the step to ensure that our mobile networks are always safely and securely available everywhere. Critical components of those telecom networks should additionally only come from trusted suppliers."
In addition, the government has an option to possibly impose orders on current (three) or future providers of Dutch mobile telecom networks in the future. These may require them to exclude products or services from specified suppliers within critical parts of their networks.
A condition for a possible decision is that a supplier could use (part of) the Dutch telecom infrastructure and services for espionage, abuse or failure. Or such a party has close ties with or legal control by foreign governments or third parties such as companies and intelligence services, in accordance with the applicable General Administrative Order (Algemene Maatregel van Bestuur) (AMvB veiligheid en integriteit telecommunicatie).
The opportunities and risks of digitization have become more prominent than ever. Therefore, the Netherlands wants to make the most of the opportunities for economic growth and addressing societal challenges.
The telecommunications security and integrity regulation is now under consultation.
See: Update and progress report Dutch Digitalization Strategy 2020
See also: Dutch Digitalization Strategy 2020