New cybersecurity notification obligation for providers of vital infrastructure

01 January 2018

In the run-up to the full implementation of the EU Network and Information Security (NIS) Directive into Dutch law, the Netherlands adopted its first Cybersecurity Act (Wet gegevensverwerking en meldplicht cybersecurity) in October 2017. On 1 January 2018, its provisions on the notification of cybersecurity incidents came into effect. This means that certain providers of vital infrastructure are obliged to notify the Dutch National Cyber Security Centre if and when they suffer a major security incident. Providers of vital infrastructure can be organisations and service providers in the energy, finance and transport sectors. The new obligation to report cybersecurity incidents shall be without prejudice to existing notification obligations, such as the personal data breach notification obligation under the Dutch Data Protection Act, and, as of 25 May 2018, the GDPR.