Cyber measures in more sectors make the Netherlands and EU digitally safer

News item | 22-06-2022 | 16:10

Better secured network and information systems and a reporting obligation for serious cyber incidents should significantly increase digital security in the European Union (EU). The main players in the food sector (industrial food production and distribution such as larger supermarket chains), but also parties in the chemical and manufacturing industry, waste processing, postal and courier services and data centers must take appropriate cyber measures from mid-2024. The EU Member States and the European Parliament today reached a political agreement on the revision of the so-called EU Network and Information Security Directive (NIB2). The Netherlands has been committed to appropriate European agreements in this area for years.

Minister Dilan Yeşilgöz-Zegerius (Justice and Security) states that cyber incidents do not stop at national borders: “We are increasingly dependent on digital processes, especially now that we are increasingly working from home since corona. In addition, we see a growing digital threat from both criminals and state actors that, with a war on Europe’s eastern border, will not abate for the foreseeable future. It is therefore now necessary to take the next step to increase the level of cybersecurity in the EU. This prevents digital incidents from disrupting our society.”

Minister Micky Adriaansens (Economic Affairs and Climate): “We have to be alert to the risks of cyber attacks. The impact can be significant, such as empty shelves in stores or industrial production failure. Organizing digital security remains the responsibility of companies and consumers. But with this legislation, we can take a step to ensure that the level of cybersecurity is raised among medium-sized and large parties in more important sectors.”

Improving supply chain cybersecurity and incident handling

Under the current directive, providers of essential services (such as banks, drinking water, energy) and digital parties (such as cloud services, online marketplaces) have already been designated by the central government to take measures for their digital security and to report serious cyber incidents. Compliance with these obligations is also supervised. The NCSC (National Cyber Security Center, Ministry of Justice and Security) provides assistance and advice to the essential services, and the CSIRT DSP (Computer Security Incident Response Team, Ministry of Economic Affairs) does this for the relevant digital service providers.

The number of sectors will be expanded significantly from mid-2024. The revised NIB2 directive then has two categories: essential providers and important providers. Supervision of the essential providers, mainly parties from Dutch vital sectors, will be proactive. The important providers are supervised after the fact, if there are indications that an incident has occurred. These are mainly medium-sized and large parties, where disruption will not have very serious social or economic consequences. In addition to the notification obligation, all providers that will fall under the revised directive must also take security measures: the so-called duty of care. This involves, among other things, increasing the security of their supply chain and arranging the way in which cyber incidents are handled.

After a vote in the European Parliament, the directive is expected to be published in the autumn of this year and can then be transposed into national law before mid-2024.
