
BioTalk

Powered by Bird & Bird


New Draft Cybersecurity Act in the Netherlands: What you need to know

In May 2024, the Dutch government published the draft bill for the new Cybersecurity Act (Cyberbeveiligingswet – “CSA”) for consultation purposes. The CSA will implement Directive (EU) 2022/2555 (“NIS2 Directive”) into Dutch law. 

The NIS2 Directive brings important new cybersecurity obligations for organisations and companies in a broad range of sectors. This includes rules on governance and management liability, cybersecurity risk-management measures and incident reporting. As the health and research sectors are amongst the sectors regulated by the NIS2 Directive, these rules also impact many companies operating in the life sciences sector. 

The directive follows a minimum harmonisation approach, which means that EU member states have room to introduce stricter cybersecurity rules in certain areas. Some member states, including the Netherlands, have already indicated that they plan to use that room. However, the CSA itself does not yet contain these stricter rules; it refers to secondary legislation that still needs to be drafted.

It is already clear that the Netherlands will not be able to transpose the NIS2 Directive into Dutch law before 17 October 2024, as prescribed by the NIS2 Directive. The CSA is expected to enter into force in the course of 2025. 

Scope of the CSA

Entities are subject to the NIS2 Directive if they: 

  1. Operate in one of the sectors or subsectors listed in Annex I (Sectors of High Criticality) or Annex II (Other Critical Sectors);
  2. Qualify as a medium-sized or large enterprise within the meaning of Article 2 of the Annex to Recommendation 2003/361/EC;[1] and
  3. Provide services or perform activities in the EU.

Additionally, certain other entities that are considered to have a high security risk profile fall within scope of NIS2 regardless of their size.[2]

Depending on the criticality of the sector in which they operate and on their size, entities are divided into two categories: essential entities and important entities. All entities of a type listed in Annex I of the NIS2 Directive that exceed the ceilings for medium-sized enterprises, as well as certain further entities, are considered essential entities. Entities of a type listed in Annex I or II that do not qualify as essential entities under the previous rule are considered important entities. The distinction between essential and important entities matters for supervision and enforcement (see below for more details).

With some exceptions, the CSA applies to the above entities in so far as they are established in the Netherlands and provide services or perform activities in the Netherlands or another EU member state. This includes many organisations in the life sciences sector: the Health sector, as well as the Digital Infrastructure and ICT Service Management sectors, are classified as Sectors of High Criticality in Annex I of the NIS2 Directive, and the Manufacturing and Research sectors are classified as Other Critical Sectors in Annex II.

Cybersecurity Risk Management

The central obligation placed upon organisations and companies under the NIS2 and the CSA is to take “appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services”. This obligation is laid down in Article 21 NIS2 Directive and implemented in Article 23 CSA. 

These cybersecurity measures must be appropriate to the risks and must be determined taking into account the state of the art, the cost of implementation and, where applicable, relevant European and international standards. Additionally, the implemented measures must be proportionate to the entity's exposure to risks, its size, and the likelihood and potential severity of incidents, including their economic and societal consequences.

Article 21(2) of the NIS2 Directive lists a series of essential measures that organisations must implement, at a minimum, to safeguard their network and information systems and the physical environments of those systems. These measures include drafting and implementing certain cybersecurity policies (e.g., related to incident handling and effectiveness assessment), establishing due processes for incident handling and business continuity, and securing the supply chain and organisation (e.g. through training and security measures such as multi-factor authentication). 

The CSA refers to secondary legislation to provide more specific details on those measures, which may vary by sector and type of entity. This is expected to mean that measures guaranteeing a higher level of cybersecurity will be required in certain sectors, including the healthcare and life sciences sector. This secondary legislation can also be used to require essential and important entities to use only products and services that are certified under the NIS2 Directive. It is not yet clear whether this means that organisations can comply with NIS2 simply by implementing security standards such as ISO 27001 or NEN 7510 (the Dutch security standard for the healthcare sector).

Organisations should be aware that the cybersecurity obligation also requires them to look at potential security risks in their supply chain. When determining which measures are appropriate to ensure supply chain security, organisations must consider the vulnerabilities specific to each supplier and service provider, as well as the overall quality of their products and their cybersecurity practices. If organisations find that they do not comply, they must take corrective measures without undue delay.

Governance Requirements 

Under the NIS2 Directive, management bodies of essential and important entities have an important role in establishing a strong cyber resilience culture and board members will be expected to lead by example when it comes to promoting cyber awareness.

To this end, Article 26 CSA, which implements Article 20 NIS2 Directive, stipulates (i) that the cybersecurity measures taken following the required risk assessment are subject to approval by the board and (ii) that the board supervises the implementation of those measures. In addition, each board member must have demonstrable and up-to-date knowledge and skills to (a) identify risks to the security of network and information systems, (b) assess cybersecurity risk management measures, and (c) assess the impact of those risks and measures on the services provided by the entity. In practice, this means that board members have to receive adequate training.

Under the CSA, non-compliance with the obligations of (the members of) the board can lead to an administrative fine for the entity of up to EUR 1,000,000 and, in extreme cases, suspension for board members of essential organisations (see also enforcement) and personal liability.

Incident Reporting

Articles 27 to 31 CSA implement the mandatory obligation to report significant incidents laid down in Article 23 NIS2 Directive. Incidents are considered significant if (1) they have caused or are capable of causing severe operational disruption or financial loss for the organisation, or (2) they have affected or are capable of affecting other natural or legal persons by causing considerable material or non-material damage. Article 37 CSA provides a delegation basis under which these parameters can be further operationalised in secondary legislation, for example by introducing threshold values per sector, subsector or type of entity.

Significant incidents have to be reported, without undue delay, to the competent computer security incident response team ("CSIRT") and to the relevant competent supervisory authority. Although this is formally a double reporting obligation, the aim is to set up the reporting technology in such a way that disseminating the necessary information to both requires only one action from the entity.

Pursuant to Articles 28 to 31 CSA, entities must submit an early warning within 24 hours of becoming aware of the significant incident, followed by an incident notification within 72 hours, or earlier if possible. A final report must be submitted no later than one month after the incident notification or, if the incident is still ongoing at that point, within one month after the organisation has handled the incident.

Under Article 32 CSA, organisations can also be required to notify recipients of the service. This notification obligation applies in particular where the incident is likely to adversely affect the provision of the service, or where the recipients are potentially affected by a significant cyber threat caused by the incident.

Enforcement

Supervision and enforcement of the CSA will follow administrative law, as further detailed in Articles 67 to 88 CSA. As prescribed by NIS2, essential entities are subject to both an ex ante and an ex post supervision regime under the CSA. Important entities, on the other hand, are only subject to ex post supervision.

The CSA will be enforced by several supervisory authorities. Which authority is competent will differ per sector and depends on the responsible ministry. For the health sector, the Dutch Health and Youth Care Inspectorate (Ministry of Health, Welfare and Sport) will be the competent authority. For a number of other sectors, this will be the Dutch Authority for Digital Infrastructure (Ministry of Economic Affairs and Climate Policy).

To enable competent authorities to perform their supervisory duties effectively, they have been granted a range of powers, including on-site inspections, off-site supervision, and access to specified information and compliance-related evidence. For essential entities, the authorities may exercise these powers at any time, even without any indication of an infringement; essential entities may, for instance, be subjected to random checks or ad hoc audits. For important entities, however, these powers may only be used where there is evidence, an indication or information of an alleged infringement (ex post only).

When an infringement is detected, authorities have a wide array of non-monetary enforcement powers at their disposal, such as issuing warnings, adopting binding instructions, and ordering the entity concerned to make certain aspects of the infringement public. Authorities have more options when dealing with essential entities; they may, for example, designate a monitoring officer to supervise the entity's compliance with the NIS2 obligations for a specified period and to report the findings to the authority and to the board.

If the measures imposed on essential entities prove ineffective, authorities may set a deadline for compliance and, where necessary, temporarily suspend authorisations or certifications that are required for the entity's services. The competent authority may even temporarily prohibit natural persons with managerial responsibilities at the level of CEO or legal representative from exercising their managerial functions within the entity. No such powers exist with regard to important entities.

Both essential and important entities may also be fined by the competent authority for infringements of the cybersecurity and incident reporting obligations. Under the CSA, as under NIS2, the maximum fine for essential entities is EUR 10 million or 2% of total worldwide annual turnover (whichever is higher), and for important entities EUR 7 million or 1.4% of total worldwide annual turnover (whichever is higher).

Next Steps 

The draft CSA was open for consultation until 1 July 2024. A quick glance at the number of consultation responses and the reasoning behind some of them suggests that the legislative lawyers still have work to do. The Dutch government has already confirmed that the implementation deadline of 17 October 2024 will not be met; it instead expects the CSA to enter into force in Q2 or Q3 2025.

Even though this is still some time away, the Dutch government is encouraging entities to start their preparations as soon as possible. It does not help, of course, that there is not yet complete clarity on what is needed to become compliant with NIS2, in the Netherlands or in other member states. For that, we have to wait for further regulations at both the EU and the national level, which may still be some time away.

Nevertheless, organisations can already take many steps to create a baseline for their compliance with NIS2, and we believe it is crucial that they do so, as it can easily take several months to implement the technical, organisational and contractual measures required by the new cybersecurity rules. This is especially true for life sciences organisations with a global presence, as they will likely need to comply in several EU member states, depending on their activities there. Some of these member states have already transposed NIS2 into national law and will be ready to go on 18 October 2024.[3]


References

[1] The category of medium-sized enterprises is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million and/or an annual balance sheet total not exceeding EUR 43 million. A small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million. See Article 2 of the Annex to Recommendation 2003/361/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32003H0361&from=EN

[2] This includes providers of domain name registration services, trust service providers, providers of public electronic communications networks or of publicly available electronic communications services, and other entities identified by member states on the basis of certain criteria.

[3] For an overview of the implementation of NIS2 in the EU member states, please refer to our NIS2 implementation tracker at https://www.twobirds.com/en/trending-topics/cybersecurity/nisd-tracker

Tags

cybersecurity, biotech, healthcare, medtech, pharmaceuticals