In a letter to the Minister of J&V and the Secretary of State for Digitalization, VNG shares its feedback on the General Measures of Administration (AMvB) associated with the Cybersecurity Act (Cbw), the national translation of the NIS2 Directive, and the Critical Entity Resilience Act (Wwke).
Read the full letter (pdf, 406 kB)
In order to properly prepare municipalities and other co-governments for the introduction of the Cbw and Wwke and to clarify the impact on their organization, VNG is asking the minister for clarification on some specific points.
Our concerns are about duty of care, training, governance and reporting:
Risk-based information security requires risk-based oversight.
Supervision must be specific, measurable, acceptable, realistic and time-bound.
Municipalities face staffing and financial challenges; the state provides support.
The Implementability Test for Decentralized Governments should provide insight into the implementation costs of the Cbw.
The Cybersecurity Decree (Cbb) defines when a trainer is qualified.
Municipalities can organize the training themselves.
CIO Rijk is developing a training syllabus with input from fellow governments.
The Cbw retains the existing liability rules for government agencies.
Criteria for significant incidents and disruptions follow the primary purpose of the NIS2 and CER guidelines without overloading entities.
Proportional thresholds for mandatory reporting are set in the ministerial regulation.
The impact determines whether an incident is reportable.
Municipalities are given adequate time for implementation, as the criteria are still unknown.
VNG trusts that the minister will include these points in the final versions of the Orders in Council. We would like to continue the cooperation with the minister around a good implementation of the Cbw and Wwke, in order to achieve a digitally safe and resilient government.
