In such an event, it is important that the government can act quickly in order to support and guarantee the availability of services that are vital to society and thus prevent or limit social disruption. This is set out in a legislative proposal that Minister Opstelten of Security and Justice has submitted to a range of bodies, such as the VNO-NCW, Nederland ICT and the Dutch Federation of Banks, in order to obtain recommendations; the document has also been published for internet consultation.
The reporting obligation will apply to organisations in the following sectors: electricity, gas, drinking water, telecoms, surface water management bodies, transport (main ports of Rotterdam and Schiphol), finance and (state) government. Within all of these sectors, reporting applies to elements of vital infrastructure in the Netherlands, the breakdown of which would directly or indirectly lead to social disruption.
Obliging these vital organisations to report any ICT breaches enables the NCSC to estimate the risks for society and provide support to the organisation concerned. Moreover, the NCSC is thus able to warn and advise any other relevant, vital organisations. The support and advice provided to vital organisations, with the aim of preventing or limiting social disruption, is central to the reporting obligation to the NCSC. Any reporting must take place in complete confidence in order to limit vulnerability both now and in the future. The reporting obligation fits within the broader framework of the public/private partnership that aims to realise cyber security within (state) government and vital sectors.
With this legislation, the cabinet is implementing the Hennis-Plasschaert motion which demands a reporting obligation for security breaches for organisations involved with information systems that are vital for society.