10 October 2013

Mandatory IT security breach notification imminent

Notifications for a breach of security or loss of integrity of vital IT systems will become mandatory. The duty to notify will apply to a wide range of sectors. Notifications must be made to the NCSC, but non-compliance cannot be punished with a fine. Providers must be aware of the requirements of the mandatory notification in case of a breach.

The mandatory IT security breach notification will apply to any national or international provider of products or services designated by general administrative order. The duty to notify will most likely apply to the energy, telecoms, finance and transport sectors.

The obligation to notify is triggered if the provider becomes aware of a breach of security or loss of integrity which has impacted or may impact the availability or reliability of its vital products or services. In case of a breach, the National Cyber Security Centre (“NCSC”) must be promptly notified. The NCSC is a public-private collaboration which focuses on an integrated approach to cyber security. The NCSC cannot impose a fine for non-compliance with the duty to notify, but the Minister of Security and Justice has the power to impose an order under pain of payment of a monetary penalty.

The IT security breach notification is an additional breach notification obligation for providers of vital IT systems. It does not set aside other applicable sector-specific or data security breach notification duties, including, for example, the general data security breach notification discussed in the article "Proposal for mandatory data breach notification and penalties for not cooperating with Dutch DPA".