On Tuesday, the Senate adopted the proposal for the Data Processing and Cybersecurity Reporting Act. Part of this is a reporting obligation for ICT breaches at providers of vital infrastructure.
On Tuesday, the Senate not only adopted the ‘tapping law’, but also rejected the proposal for the Data Processing Act and the Cyber Security Reporting Obligation as a hammer piece. It is not known when the law can come into effect, but the NCSC, which is charged with providing assistance with reports of ICT breaches, expects this to be the case by the end of 2017.
The notification obligation will apply to providers of vital infrastructure, such as energy network operators, drinking water companies, telecom companies, banks and Rijkswaterstaat. In addition, it concerns specific infringements, such as the intrusion of important industrial management systems. For example, a DDoS attack does not fall under the reporting obligation.
Companies must report this to the State Secretary for Security and Justice, after which the National Cyber Security Center will get to work. The bill also regulates the processing of data relating to internet security by the NCSC.