13 February 2023

How the Netherlands is better protected by the NIS2 Directive

With the national implementation of the NIS2 Directive, the Netherlands is better protected against cyber attacks . And an excellent opportunity to also properly embed the security of our bridges, factories, rail links and hospitals (so-called Operational Technology), observes Hague advisor Pieter Hanson.

The implementation of the NIS2 directive is timely. In recent years, the cyber security threat has continued to increase. In 2022, the number of cyber attacks in the Netherlands increased by 55% from a year earlier. Almost half of our companies have faced cyber threats. On a global level, the picture is even more alarming: every 11 seconds a company falls victim to ransomware. The total damage now amounts to 5.5 trillion euros per year.

Stricter measures for all

As early as December 2020, this worsening threat picture was reason for the European Commission to act and replace the existing NIS (Network and Information Systems) Directive with a modernized version. With the introduction of this new NIS2 directive, the scope of application will be broader and rules for the security of digital services will also apply to decentralized authorities. This means that about four thousand institutions in the Netherlands will have to take stricter measures to deal with cybersecurity risks. It also obliges national authorities to monitor and enforce compliance with the rules from NIS2 much more strictly.

In terms of expanding the scope, it looks in particular at sectors that are critical to society, our economy and democracy. These include energy, transportation, drinking water, wastewater, digital infrastructure, chemicals, food, manufacturing, postal and courier services, food, waste management, space (including satellites), government services and financial market institutions. These sectors – as well as medium and large enterprises – will be subject to more stringent security and reporting requirements and tougher security regulations. Parties that do not have their cybersecurity sufficiently in order can expect higher fines, rising to at least 10 million euros or two percent of global turnover.

What does this look like in practice?

The final texts of the NIS2 directive went to the 27 member states late last year, which have a total of 24 months to transpose the new rules into national law. Currently – and in the coming months – Dutch ministries are working hard to get this done. In practice, this means amending the Wbni (Network and Information Systems Security Act). Talks with cybersecurity coalitions are taking place, a public consultation and an information campaign are planned, and interdepartmental working groups have been set up, with the ministries of EZK, Defense, I&W and J&V in particular taking the lead. In the meantime, the Telecommunications Agency, where cyber incidents will soon have to be reported, has already renamed its own name to Rijksinspectie Digitale Infrastructuur (RDI).

Not only IT but also OT security

The amendment of the Wbni is a perfect opportunity to bring cybersecurity to the heart of important organizations. In addition, it provides an opportunity to bring more balance to the relationship between IT and OT. Cybersecurity is often about information technology (IT) and protecting privacy and data, but equally important is protecting strategic objects and critical systems, so-called operational technology (OT, in abbreviation).

Even in the Netherlands, billions of devices, buildings, machines and facilities are now connected to the Internet. Think of elevator systems in a hospital, the railroad, all kinds of bridges and waterworks, power plants, traffic control and factories. The jamming of these kinds of systems has a huge (disruptive) impact on, for example, our manufacturing industry, healthcare, energy supply, all kinds of public/vital infrastructure and food production. Also because these types of facilities – unlike an IT system – cannot simply be shut down (longer) for a virus check, update or a repair.

Disastrous consequences

As with IT, the threat picture in OT is also increasing. The study The State of Industrial Cybersecurity shows that 89% of electric, oil, gas and manufacturing companies experienced cyber attacks affecting production and energy supply in 2021. A huge risk for anyone who realizes that an average OT attack causes €2.8 billion in damage and that it takes an average of 200 days for affected companies and institutions to realize that a digital breach has occurred.

At such a time, consequences may already be incalculable. For example, in 2021, a water treatment plant in Florida was taken over by hackers, after which they gained control over the chemical composition of the water. Their entrance: a default password that had never been changed. Fortunately, the hack was foiled by a very observant employee.

But unfortunately that did not happen in the devastating Solarwinds attack that hit numerous U.S. government agencies, including the Pentagon and the Treasury Department. Nor when hackers succeeded in shutting down the Colonial Pipeline company, leaving millions of residents on the U.S. East Coast facing fuel shortages. Cyber calamities that we in the Netherlands would rather avoid.

Want to know more about cybersecurity and the national implementation of the NIS2 directive? Please contact Pieter Hanson. Pieter Hanson.

Receive Hague updates

Want to know more about defense and technology? Sign up for our corporate affairs newsletter and receive the latest updates and blogs from our experts.

Share this resource

Also interesting for you

Hague corporate affairs logo

Receive our latest insights

Or follow us