On July 6th the Dutch government stated that legislation will be established later this year that will require organizations in the following six vital sectors to notify the Dutch government about security breaches:
- transport (Schiphol airport, mainports Rotterdam)
- drinking water
- surface water management
The requirement will also apply to the financial sector and to the government itself. It is stated that the impact of disruption of service is large in each of these sectors, and that cascade-effects to other sectors can easily occur, making large-scale societal disruption a real risk.
The security breach notification requirement will be tuned to legislation and regulations at national and European levels. Helping prevent societal disruption will the primary concern. The National Cyber Security Center (NCSC) will offer help and advice to the organization or to the sector, intending to end the breach and limit effects of the breach that could also occur elsewhere. In case the crisis structure is scaled up, the NCSC can account for operational response within that structure. By publishing security advisories, the impact at third parties can be limited.
In order to act quickly and prevent possible societal disruption, the government seeks public-private partnership. In case of a threat of societal disruption, the government must be able to intervene. Therefore, the government gets increasing sectoral intervention possibilities at its disposal. This includes the authority to obtain information, the authority of administrative enforcement of designations and the authority to appoint an officer on behalf of the government.
With this legislation, the Dutch cabinet implements the motion Hennis-Plasschaert (VVD party) that emerged in the aftermath of the DigiNotar incident and asks for mandatory security breach notification for organizations involved in vital information systems.
- Press statement by the National Coordinator for Counterterrorism (NCTb) (July 6th 2012, in Dutch)
- Letter from Ministry of Security & Justice to Parliament (.pdf, July 6th 2012, in Dutch)