Providers of Dutch mobile telecom networks must implement additional security measures by Oct. 1, 2022. These include increased legal requirements to protect critical equipment and data, incident monitoring, management by suppliers and screening of personnel. In this way, the government wants to make these networks more resilient against threats such as espionage and abuse that could harm Dutch society and the economy.
Minister Stef Blok (Economic Affairs and Climate) published the requirements, which are contained in the Ministerial Regulation on Security and Integrity of Telecommunications, today.
"Companies and consumers in the Netherlands must be able to count on reliable and secure mobile telecom infrastructure always and everywhere. After all, society and the economy can only function if, for example, our data, financial traffic and communications are secure. These concrete security requirements, which providers must take within a year, strengthen this basis. Moreover, the measures are part of a broader Cabinet policy to make our digital infrastructure more resilient," the minister said.
The regulation lists five categories of measures for the critical components of mobile telecom networks and directly connected parts. One is the secure configuration of technical equipment itself, such as automated and up-to-date protection against malicious software. Second category is the secure setup of physical and virtual infrastructure, such as targeted encryption of critical data.
The third set of measures includes the monitoring (surveillance) of technical infrastructure, such as setting up continuous detection of any security incidents and resolving vulnerabilities and incidents. Fourth component is security assurance on software and management. A telecom provider can require its suppliers by contract to adopt and enforce similar stringent security requirements. Finally, structural screening and background checks will be required of employees who perform management work and have access to the infrastructure.
The ministerial regulation is one of the Cabinet's deployed actions to make mobile telecom networks more resilient to cyber threats. In addition, in April the cabinet imposed orders on the current (three) providers of Dutch mobile telecom networks. This requires them to exclude products or services from specified suppliers within critical parts of their networks.
