On July 1, the Radiocommunications Agency launched its Wbni self-test for digital service providers (DSPs). That test answers two questions for DSPs: do I fall under the Network and Information Systems Security Act and do I comply with the duty of care. The self-test helps make the Netherlands more digitally secure and reduce the consequences of cyber incidents. AT uses the test to identify general trends and developments in the sector. No individual company data are collected.
Digital service providers and providers of essential services are under the supervision of the Radiocommunications Agency under the Network and Information Systems Security Act (Wbni). To help companies understand whether they fall under the law, the Netherlands Radiocommunications Agency has developed a self-assessment tool. With this self-assessment tool, digital service providers can determine whether they fall under the Wbni. In addition, companies that complete the questions get a good indication of the extent to which their information security measures meet the objectives of the Wbni duty of care.
The law aims to make the Netherlands more digitally secure by increasing digital resilience and reducing the consequences of cyber incidents. The Wbni is the Dutch implementation of the European NIS Directive (2016/1148), supplemented by the NIS Implementing Regulation (2018/151). This law applies to "digital service providers" (Digital Service Provider, or DSP) such as cloud service providers, online marketplaces and online search engines. The Wbni also applies to companies designated by the government as 'essential services providers' (AEDs). These AEDs are vital to the continuity of Dutch society. These include, for example, energy companies.
The Radiocommunications Agency supervises companies subject to the Wbni. These companies are obliged to take "appropriate and proportionate" measures to prevent incidents (Duty of Care) and to report incidents with significant consequences (Duty to Report).
With the self-assessment, companies easily determine:
Whether they are a digital service provider and the Wbni duty of care and notification applies to the organization;
Whether a service disruption has significant implications - and where the organization must report it (under the Wbni);
Whether the security measures taken fit the security objectives of the Wbni;
Whether the organization is under the supervision of Agency Telecom.
In addition to each question, explanatory notes are provided. This explanation states which piece of legislation applies to the specific section (from the question). It also clearly explains what a digital service provider can do to comply with the legal requirements if the company falls under the Wbni.
