Reporting cybercrime (Wbni act)
Do you offer digital services or do you supply essential services? You need to take measures to protect your business from cybercrime. If a cybersecurity incident occurs, you must report it. This is regulated in the Act on the security of networks and information systems (Wet beveiliging netwerk- en informatiesystemen, Wbni), and in the Digital Operational Resilience Act (DORA). The Wbni is the Dutch implementation of the EU's NIS Directive.
When are you a digital services provider?
A Digital Service Provider (DSP) is a legal entity that supplies 1 or more of these services:
- electronic (online) marketplace
- cloud service
- search engine
As a DSP you are subject to the Wbni act (in Dutch) if you meet these criteria:
- Your company has its headquarters or a representation in the Netherlands.
- You have at least 50 employees.
- Your total assets or your yearly turnover amounts to over €10 million.
When are you a supplier of critical services?
You are considered an operator of critical services if this service is vital to Dutch society, such as:
- gas production and distribution
- drinking water supply
- transport
- financial transactions
If you are considered part of the critical infrastructure the responsible ministry will let you know.
Duty of care: protection from cybercrime
As a Digital Service Provider or operator of critical services, you must ensure you have the right security measures and products to protect your company from cybercrime. For instance, protection against viruses, malware, and ransomware. You must take measures to prevent damage to networking and information systems by a cyber-attack. You need to monitor and test your measures. And you need to keep developing them in line with technological advances and new insights.
Cybersecurity for financial service providers (DORA)
Is your company a financial service provider or do you provide ICT services to financial institutions? If so, in addition to the Wbni act, your company must comply with the Digital Operational Resilience Act (DORA).
DORA applies to:
- financial institutions such as credit institutions, banks, payment services providers, insurance companies, electronic money institutions, and investment firms
- suppliers of ICT services to financial institutions
The Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, AFM) and the Dutch Central Bank (De Nederlandsche Bank, DNB) check whether you comply with the rules. For example, you must:
- regularly test your company’s digital resilience
- know and manage the risks of ICT outsourcing
Do you have agreements with suppliers of ICT services for critical or important functions? If so, you must report these via the AFM Portal and via My DNB (in Dutch).
Duty to report cybercrime
Has your company encountered a cybersecurity incident? And does this incident have major consequences? Or are your ICT systems damaged to such an extent that you can no longer provide your services? You must always report this to the supervisory authorities and incident response teams. The authority you need to notify depends on your type of business:
- Digital Service Providers notify the Dutch Authority for Digital Infrastructure (Rijksinspectie Digitale Infrastructuur, RDI) and the Computer Security Incident Response Team for DSP (CSIRT-DSP).
- Operators of essential services in Energy and Digital Infrastructure notify the RDI and the National Cyber Security Centre (NCSC).
Amendments
- Cybersecurity obligations for more companies in critical sectors (NIS2). Effective date: 3rd quarter of 2025
- CER directive protects critical infrastructure against physical risks. Effective date: 3rd quarter of 2025
- Digital Operational Resilience Act (DORA) for financial institutions. Effective date: 17 January 2025
External links
- Cyber security (National Coordinator for Security and Counterterrorism, nctv.nl)
- Video cybersecurity (Wbni) in English (Dutch Authority for Digital Infrastructure)
- Shaping Europe’s digital future - NIS Directive (European Commission)
- Critical infrastructure (protection) (National Coordinator for Security and Counterterrorism, nctv.nl)
- Brochure Notification obligation for digital service providers (Dutch Authority for Digital Infrastructure)