The Netherlands: Obligation to notify serious cybersecurity incidents might expose banks to new risks

A draft Dutch law will, once adopted, require mandatory notification of security breaches or loss of integrity of ICT systems that may have a significant impact on the availability or integrity of certain vital products or services (the Bill). The Bill will affect the financial services sector. The new law is expected to take effect in the second half of 2017. The absence of regulatory guidance, the involvement of multiple regulators and potential public exposure will create additional compliance and reputational risks.

The Bill will affect businesses operating in various industries that are considered vital to the proper functioning of Dutch society, including financial services, energy, telecoms and transportation. The list of organisations falling under the new notification obligation (so-called “operators of vital services”) is not finalised yet. The proposed Regulation establishing the list of vital services and operators of vital services (the Draft Regulation) was published for consultation on 18 April 2017. The proposed list specifically mentions financial institutions, including banks and intra-bank and retail payment operators.

Ahead of the EU

Certain banks and credit institutions will in any event fall under similar notification obligations pursuant to the EU Directive 2016/1148 on Security of Network and Information Systems (NIS Directive). The NIS Directive was adopted on 6 July 2016 with two main purposes: (i) enhancing crossborder cooperation in the EU in cases of cyber incidents and (ii) introducing cyber risk management and incident reporting obligations for operators of vital services. While the Dutch Bill will introduce reporting obligations only, the NIS Directive also requires EU Member States to empower the regulator to issue binding instructions to take appropriate and proportionate technical and organisational risk management measures. The NIS Directive must be implemented by summer 2018.

The Dutch Bill was introduced in anticipation of the NIS Directive and will be amended at a later stage to become its full implementing measure in the Netherlands. There is (as yet) no guidance on the exact obligations and no clear description of the organisations affected by the Bill. The Draft Regulation gives authority to the Dutch Central Bank (De Nederlandsche Bank or DNB) to determine on basis of quantitative criteria what financial institutions should qualify as operators of vital services.

Obligation to notify

The Bill provides that operators of vital services must notify a security breach or loss of integrity of ICT systems that affect or may affect the availability or reliability of their vital products or services. Notifications will be managed by the National Cyber Security Centre (NCSC), which operates under the Minister of Security and Justice. The Bill is intended to catch only those incidents that could potentially disrupt Dutch society.

Information may be shared

The Bill envisages that the NCSC will share information on submitted incidents with other government agencies and contains provisions relating to confidentiality and security of information sharing. For instance, confidential information traceable to an operator of vital services can in principle only be shared without the operator’s permission with designated computer crisis teams (CERTs) and Dutch intelligence services. However, in exceptional cases, the Bill permits the NCSC to share information on an incident with other organisations or even make it publicly available.

Overlapping notification requirements

The notification obligation in the Bill does not affect any other existing or potentially overlapping notification obligations. For example, security breaches related to personal data and covered by the Bill will need to be notified to both the NCSC and the Dutch Data Protection Authority. For sector specific notification obligations (eg notification of incidents that are part of normal supervisory practice in the financial services sector) the operator of vital services will need to notify both the NCSC and the sector-specific supervisory authority, eg DNB or the Authority for Financial Markets (AFM). The latest explanatory note to the Bill specifies that in such cases, the instructions of the sector-specific supervisory authority will prevail. However, it is silent on how to deal with overlapping or conflicting notification requirements or confidentiality rules.

More guidance for banks expected

We expect the European Central Bank (ECB) and the European Union Agency for Network and Information Security (ENISA) to provide guidance for banks concerning the obligations under the NIS Directive. Although the Dutch notification obligations are expected to take effect before such EU guidance is available, the national financial regulators DNB and AFM have not yet indicated whether they will be providing specific guidance on the new obligations.

Monitor developments and prepare for new obligations

The introduction of national notification requirements in anticipation of the implementation of EU rules, the absence of regulatory guidance, the involvement of multiple regulators and the potential public exposure will create additional compliance and reputational risks for affected operators of vital services. Banks and other financial institutions operating in the Netherlands should be aware of the new requirements, monitor whether they will be included in the list of operators of vital services and seek regulatory guidance. They should update their processes and policies in a timely manner to comply with the new obligations to notify and share information with the NCSC. In addition, they should align the new notification obligations with existing notification obligations to DNB, AFM and the general personal data breach notification to the Dutch Data Protection Authority. Finally, they should prepare to manage risks created by the future information exchange about incidents by the stakeholder authorities.

Other sectors and providers covered by the Bill

In addition to financial institutions, the Bill will apply to such sectors as energy, water management, drinking water, electronic communications, transportation, nuclear and to e-government services. Some of the vital operators are named directly by the Draft Regulation (eg Schiphol Airport) or by the explanatory memorandum (eg AMS-IX), the others will be specified by the ministries responsible for the above sectors. The Dutch government anticipates that the new obligations will cover approximately 60 Dutch organisations.

The consultation on the Draft Regulation is open until 16 May 2017 and can be accessed here (in Dutch).

Read also our article summarising the EU NIS Directive.

Authors: Peter van Eijsvoogel and Wanne Pemmelaar