Netherlands
procedures and measures that mitigate security risks of network and information systems and prevent incidents. In the case of a threatened or actual incident, notification must be made to the relevant Computer Security Incident Response Team (CSIRT), which is the National Cybersecurity Institute for essential service providers and the CSIRT-DSP for digital service providers. In December 2020, the European Commission launched its EU Cybersecurity Strategy for the Digital Decade. A key legal development is the revised Directive on Network and Information Systems (the NIS Directive). The proposal addresses the deficiencies of the current NIS Directive and future-proofs it. The new NIS Directive will include new sectors and classify entities as essential (for the sectors of energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space), or important (for the sectors of postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing and digital providers).
All medium and large enterprises (as defined under EU law) that operate within these sectors will fall within the scope of the revised Directive. Requirements are introduced that require management of in-scope entities to supervise security risk management measures and to set up security trainings. The new NIS Directive further expands reporting obligations and harmonised administrative fines up to the higher of €10 million or 2 per cent of the total worldwide annual turnover.
The National Cybersecurity Institute frequently publishes White Papers and guidance with respect to security measures. In cooperation with a Dutch university, the National Cyber Security Centre developed the ‘Cyber Cube Method’, a framework that combines European Union Agency for Cybersecurity (ENISA), National Institute of Standards and Technology and George Mason University requirements to identify the required competencies of Security Operations Centers and CSIRT personnel based on the services offered by the relevant organisation.
The appointment of a chief information security officer and policies regarding internal reporting lines are in some cases mandatory based on sector-specific rules, such as the Financial Supervision Act and ENISA guidelines for digital service providers. The Dutch Corporate Governance Code, applicable to Dutch listed companies on a ‘comply-or-explain’ basis, requires the management and supervisory boards to have sufficient expertise to identify opportunities and risks that may be associated with innovations in business models and technologies in a timely manner, and to implement adequate risk-management policies. In its report on the financial year 2018, the Monitoring Committee Corporate Governance Code identified that most companies view cybersecurity as an operational risk and urged companies to (also) consider this risk in the context of long-term value creation of the company, which is one of the basic principles of the Corporate Governance Code.
A notable public initiative that we noted last year is the Dutch Institute for Vulnerability Disclosure (DIVD), an organisation of information security experts committed to reporting vulnerabilities they find in digital systems to people who can fix them. This institute played a key preventive and reactive role in identifying the vulnerabilities that were used for the sophisticated Kaseya attack that took the world by storm: DIVD was in a coordinated vulnerability disclosure process with Kaseya, which was working on a patch. Some of these vulnerabilities were ultimately used in the Kaseya attack.
24 https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/.