Netherlands to Establish Mandatory Breach Notification

Wednesday, July 11, 2012

Matthijs R. Koot


In 2012, Netherlands Will Establish Mandatory Breach Notification for Vital Sectors

On July 6th the Dutch government stated that legislation will be established later this year that will require organizations in the following six vital sectors to notify the Dutch government about security breaches:

  • electricity
  • gas
  • telecom
  • transport (Schiphol airport, mainports Rotterdam)
  • drinking water
  • surface water management

The requirement will also apply to the financial sector and to the government itself. It is stated that the impact of disruption of service is large in each of these sectors, and that cascade-effects to other sectors can easily occur, making large-scale societal disruption a real risk.

The security breach notification requirement will be tuned to legislation and regulations at national and European levels. Helping prevent societal disruption is the primary concern.

The National Cyber Security Center (NCSC) will offer help and advice to the organization or to the sector, with the aim of ending the breach and limiting effects of the breach that could also occur elsewhere.

In case the crisis structure is scaled up, the NCSC can account for operational response within that structure. By publishing security advisories, the impact on third parties can be limited.

In order to act quickly and prevent possible societal disruption, the government seeks public-private partnership. In case of a threat of societal disruption, the government must be able to intervene.

Therefore, the government will have an increasing range of sectoral intervention possibilities at its disposal. These include the authority to obtain information, the authority of administrative enforcement of designations, and the authority to appoint an officer on behalf of the government.

With this legislation, the Dutch cabinet implements the Hennis-Plasschaert motion (VVD party), which emerged after the DigiNotar incident and asks for mandatory security breach notification for organizations involved in vital information systems.

