Dutch businesses not yet implementing NIS Directive

Little urgency to comply with the Network and Information Systems Security Act, which seeks to protect the Netherlands’ vital infrastructure and digital services from cyber attack

The General Data Protection Regulation (GDPR) has received a lot of attention across Europe, but there is another law concerning cyber security in the Netherlands that is much less known – the Network and Information Systems Security Act.

It is a derivative of the European NIS Directive and came into force last November for Dutch companies. “Don’t wait until the last minute – start looking at how this law affects your organisation,” said security specialist Anne Klebsch at Applied Risk.

The European NIS Directive seeks to ensure that European Union countries protect their vital infrastructure. “The big difference with the GDPR is that privacy legislation has been adopted centrally in Europe but applies to every member state,” said Klebsch. 

“The NIS, however, is a directive, whereby countries are free to apply the objectives of that directive through their own legislation. That means that not only can the rules vary from country to country, but the legislation is not implemented at the same pace, as was the case with the GDPR.”

Dennis ’t Jong, specialist inspector at the Dutch Telecom Agency, pointed out another difference: “GDPR is aimed at protecting the privacy of citizens, and the NIS at protecting the cyber resilience of organisations.”

The NIS Directive is the first cyber security legislation to be implemented at European level. Its guidelines say network and information systems are crucial for the maintenance of all kinds of vital services, such as energy, water supply and healthcare.

The Netherlands has anchored the NIS Directive in its Network and Information Systems Security Act, which aims to increase the country’s digital resilience. It focuses in particular on providers of vital national infrastructure, central government and digital service providers.

“At this moment, the Netherlands is still in the exploratory phase,” said Klebsch, an adviser to various organisations in this field. “People are now mainly mapping out the various systems and potential risks. We are not talking about typical IT applications, but about industrial control systems.

“Also, it is not the most interesting subject for people to deal with, which means it is sometimes dismissed as just another security requirement that must be met. But it is important for companies to look into the law’s requirements and how they affect current ways of working. It is not a question of organisations implementing all the measures one by one, but of understanding how to secure their systems properly in order to increase their digital resilience.”

As well as providers of vital infrastructure, the Dutch law also sets requirements for digital service providers – and that is a lot more complicated, said Michiel Steltman, spokesman for the Netherlands’ digital infrastructure sector. “The criteria are peculiar, to say the least,” he said.

Digital service providers are defined as suppliers of search engines, online marketplaces and cloud services with more than 50 full-time employees or more than €10m turnover. “It is a mystery why the EU has come to the conclusion that there will be few problems with data leaks at organisations with 49 employees, but that issues can suddenly arise for those with 50 employees,” said Steltman in a Dutch blog.

Steltman is also critical of the general wording of the law, which he said does not make it clear what exactly companies need to do.

’T Jong agreed, adding: “The law stipulates that digital service providers and suppliers of vital infrastructure must take ‘appropriate proportional technical and organisational measures’. Such an open standard sounds very nice indeed, but appropriate and proportionate measures both depend on many factors.”

Steltman is also bothered by the reporting procedure that applies when an incident occurs. In the event of an incident, an organisation must notify two government bodies, the Telecom Agency and the Computer Security Incident Response Team, which use different procedures. “Apparently, it was too difficult to find out how this could be coordinated via a one-stop-shop,” said Steltman.

No clear timeline

Klebsch said there is also no clear timeline for reporting, which makes it difficult for organisations to know what to do. “You are obliged to report an incident as quickly as possible, but there is no stated timescale, so it is difficult to know what ‘as quickly as possible’ actually means.”

In practice, said Klebsch, it is essential to first focus on repairing the failed service and to minimise the damage caused by the incident. “You can then make a report, and it is important that you do not withhold any information,” she said. “The idea behind this is that the government gains insight into the various incidents, so it can prepare better for future incidents.”

This knowledge can also be shared with other EU states. After all, this is also part of the NIS Directive – cooperation at European government level. By exchanging knowledge, other countries can protect themselves better against possible attacks.

“But it is still too early to say anything about that collaboration,” said Klebsch. “The member states must first establish individual legislation to implement the NIS Directive. Only then can we look to the next step, to collaborate and share information.”

Although the Netherlands is still in the exploratory phase and audits and inspections are not yet being carried out, it is important that companies take action now to comply with the regulations.

“Compliance simply takes time,” said Klebsch. “So don’t wait until the last minute, but start looking at the requirements and how they relate to your current ways of working. Consider assessments and checks now, because you don’t want to be surprised by an audit later.”