As we reported last month, the NIS Directive is expected to enter into force in August 2016. Member states will then have 21 months to transpose the NIS Directive into their national laws. The NIS Directive applies to two categories of market players: operators of essential services and key digital content providers. The member states will have six additional months to identify the relevant operators in the sectors defined in Annex II of the NIS Directive. These include the energy, banking, financial market infrastructure, drinking water supply, transportation, healthcare and digital infrastructure sectors. Relevant operators and providers will be required to: take appropriate technical and organisational measures to prevent risks of network and information incidents; ensure the security of network and information systems; and notify serious cyber incidents or loss of integrity of vital electronic information systems to competent supervisory authorities.
This mandatory notification of serious cybersecurity incidents to supervisory authorities will most likely be imposed by the Dutch Cybersecurity Breach Notification Bill as early as the end of 2016 – early 2017. As under the NIS Directive, further regulation will identify the specific businesses that meet the “vital provider” definition under the Bill. The Dutch government recently issued a memorandum regarding the Bill that includes an updated list of providers, products and services that the Dutch government will use to identify vital providers. This list is shorter than the earlier version proposed in May 2015 and currently does not include ICT or telecom service providers, payment services or large-scale processing of chemicals. However, the government indicated that not all relevant sectors are currently on the list and that others will be added at a later stage.
We recommend that businesses operating in the relevant industries closely monitor the national implementation measures taken by the member states, as other countries may follow the Dutch approach of early implementation. We also suggest adopting appropriate cybersecurity policies in a timely manner and implementing risk-based incident response procedures.