Dutch businesses not yet implementing NIS Directive

The General Data Protection Regulation (GDPR) has received a lot of attention across Europe, but there is another law concerning cyber security in the Netherlands that is much less known – the Network and Information Systems Security Act.

It is a derivative of the European NIS Directive and came into force last November for Dutch companies. “Don’t wait until the last minute – start looking at how this law affects your organisation,” said security specialist Anne Klebsch at Applied Risk. 

The European NIS Directive seeks to ensure that European Union countries protect their vital infrastructure. “The big difference with the GDPR is that privacy legislation has been adopted centrally in Europe but applies to every member state,” said Klebsch. 

“The NIS, however, is a directive, whereby countries are free to apply the objectives of that directive through their own legislation. That means that not only can the rules vary from country to country, but the legislation is not implemented at the same pace, as was the case with the GDPR.”

Dennis ’t Jong, specialist inspector at the Dutch Telecom Agency, pointed out another difference: “GDPR is aimed at protecting the privacy of citizens, and the NIS at protecting the cyber resilience of organisations.”

The NIS Directive is the first cyber security legislation to be implemented at European level. Its guidelines say network and information systems are crucial for the maintenance of all kinds of vital services, such as energy, water supply and healthcare.

The Netherlands has anchored the NIS Directive in its Network and Information Systems Security Act, which aims to increase the country’s digital resilience. It focuses in particular on providers of vital national infrastructuree, central government and digital service providers.

“At this moment, the Netherlands is still in the exploratory phase,” said Klebsch, an adviser to various organisations in this field. “People are now mainly mapping out the various systems and potential risks. We are not talking about typical IT applications, but about industrial control systems.

“Also, it is not the most interesting subject for people to deal with, which means it is sometimes dismissed as just another security requirement that must be met. But it is important for companies to look into the law’s requirements and how they affect current ways of working. It is not a question of organisations implementing all the measures one by one, but of understanding how to secure their systems properly in order to increase their digital resilience.”

As well as providers of vital infrastructure, the Dutch law also sets requirements for digital service providers – and that is a lot more complicated, said Michiel Steltman, spokesman for the Netherlands’ digital infrastructure sector. “The criteria are peculiar, to say the least,” he said.

Digital service providers are defined as suppliers of search engines, online marketplaces and cloud services with more than 50 full-time employees or more than €10m turnover. “It is a mystery why the EU has come to the conclusion that there will be few problems with data leaks at organisations with 49 employees, but that issues can suddenly arise for those with 50 employees,” said Steltman in a Dutch blog.

Steltman is also critical of the general wording of the law, which he said does not make it clear what exactly companies need to do.

’T Jong agreed, adding: “The law stipulates that digital service providers and suppliers of vital infrastructure must take ‘appropriate proportional technical and organisational measures’. Such an open standard sounds very nice indeed, but appropriate and proportionate measures both depend on many factors.”

Steltman is also bothered by the reporting procedure that applies when an incident occurs. In the event of an incident, an organisation must notify two government bodies, the Telecom Agency and the Computer Security Incident Response Team, which use different procedures. “Apparently, it was too difficult to find out how this could be coordinated via a one-stop-shop,” said Steltman.