Library of Congress

Law Library of Congress

The Library of Congress > Law Library > News & Events > Global Legal Monitor

Netherlands: First Cybersecurity Legislation Submitted to Lower House

(Feb. 22, 2016) On January 21, 2016, the Dutch State Secretary for Security and Justice, Klaas Dijkhoff, submitted draft legislation on cybersecurity, the first of its kind, to the Dutch House of Representatives for consultation. (First Legislative Bill on Cyber Security to the House of Representatives, GOVERNMENT.NL (Jan. 21, 2016).) The legislation introduces the obligation, on the part of providers of products or services whose availability or reliability is vital to Dutch society, to report major offenses involving the use of information and communications technology (ICT) to the Minister of Security and Justice, via the Ministry’s National Cyber Security Centre (NCSC). (Id.; Wet gegevensverwerking en meldplicht cybersecurity [Law on Data Processing and Notification Obligation for Cybersecurity] (published Jan. 22, 2015, for consultation until Mar. 6, 2015), OVERHEID.NL.)  The primary aim of the notification requirement is to enable the NCSC to assess the risks of ICT infringement and to provide assistance to providers affected by an infringement.  (Wet gegevensverwerking en meldplicht cybersecurity, supra.)

The reporting obligation will apply to organizations in the sectors of electricity and gas, nuclear energy, drinking water, telecommunications, transport (e.g., the port of Rotterdam, Schiphol airport, the Netherlands Air Traffic Control), finance, and government (including the primary structures for water control). The date of application of the new obligation is yet to be determined.  (Id.; First Legislative Bill on Cyber Security to the House of Representatives, supra.)  According to the Ministry, “[t]hese sectors are part of the vital infrastructure of the Netherlands” and “[f]ailure could lead directly or indirectly to social disruption.”  (First Legislative Bill on Cyber Security to the House of Representatives, supra.)

The Ministry contends that by making it mandatory under the law for such organizations to report IT-related violations, with only a modest increase in administrative costs for the affected vendor, “the NCSC can not only estimate the risks for society but can also provide assistance to the affected organization[, … enabling] the NCSC to warn and to make recommendations to other essential organisations.” (Id.; Wet gegevensverwerking en meldplicht cybersecurity, supra.) The Ministry stated that the confidentiality of reports of IT incidents and vulnerabilities will be guaranteed.  (First Legislative Bill on Cyber Security to the House of Representatives, supra.)

The legislation also prescribes rules on the processing of data by the Minister of Security and Justice for cyber security-related tasks, with a view to strengthening the legal basis of the work of the NCSC and clarifying its role in providing confidential information to third parties. (Id.; Wet gegevensverwerking en meldplicht cybersecurity, supra.)

An earlier draft had been submitted for legislative comment in 2013. (Wet gegevensverwerking en meldplicht cybersecurity, supra; Wet melding inbreuken elektronische informatiesystemen [Law on Reporting Breaches of Electronic Information Systems]) (published July 22, 2013, end of consultation Sept. 17, 2013), OVERHEID.NL.)  Partly in response to the comments received at that time, the Ministry decided to expand the legislation to include rules for the NCSC on processing of personal data and providing confidential information to third parties.  (Wet gegevensverwerking en meldplicht cybersecurity, supra.)