The Network and Information Systems Security Act (Wbni) for
digital service providers
The Network and Information Systems Security Act (Wbni) will enter into force
shortly. The law applies to vital providers and to digital service providers. This
document focuses exclusively on the latter category, the digital service providers.
This document consists of the following parts:
1. Introduction
2. Who is a digital service provider?
3. What does the Wbni say?
4. Frequently asked questions
1. Introduction
To make the Netherlands digitally safer, the Network and Information Systems
Security Act (Wbni) is entering into force. The law contains measures to increase
digital resilience. Organisations in vital sectors and digital service providers are
given an obligation to report incidents involving their network and information
systems, and a duty of care (to take security measures in relation to their network
and information systems).
The Network and Information Systems Security Act (Wbni)
The Wbni is the Dutch transposition of the European Network and Information
Security Directive (the NIS Directive, in Dutch the NIB-richtlijn).1 This directive was
adopted in mid-2016 and obliges all EU Member States to implement it in national
legislation; in the Netherlands that legislation is the Wbni.
The Wbni applies to vital providers, for example in the energy, financial and
transport sectors. Vital services are essential for the proper functioning of Dutch
society and the economy. If the ICT systems of these services are compromised or
fail, this can have very serious consequences for reliable service to citizens and
companies.
In addition to the vital providers, the Wbni also applies to digital service providers.
Although they are not considered vital, they are important: many citizens/consumers
and businesses use and depend on these services. That is why they are included in
the NIS Directive. The network and information systems needed to provide vital
services or digital services must be reliable and must therefore be well secured. The
duty of care under the Wbni should lead to good security measures being taken by
vital providers and digital service providers. Incidents that nevertheless occur despite
that duty of care, and that endanger this security, must be reported to the
government (the reporting obligation under the Wbni).
1 Directive (EU) 2016/1148 of 6 July 2016 laying down measures to ensure a high
common level of security of network and information systems in the Union.
This document deals only with the consequences of the Wbni for digital service
providers. Digital service providers are providers of cloud services, online search
engines and online marketplaces. They are also called DSPs (Digital Service
Providers). General information on the law, and information for providers of vital
services, can be found on the website of the National Cyber Security Centre:
https://www.ncsc.nl/actueel/dossiers/wetgeving-cybersecurity.html
If there are new developments, or if questions and feedback from companies show
that some information needs have not yet been foreseen, additional information will
be provided.
For readability, the literal legal texts are not always included in this document;
reference is made to the relevant articles so that the legal texts can always be
looked up.
2. Who is a digital service provider?
The European NIS Directive determines who is a digital service provider. Not every
party that offers a digital service is automatically covered by the Wbni. All kinds of
digital services are not covered by the regulations, such as social media or web
shops. And only digital service providers above a certain size fall under the Wbni.
Therefore, it is first explained here what is meant by a digital service provider. If you
are a digital service provider, it must then be determined under which jurisdiction
your company falls. This is relevant for determining whether your company falls
under Dutch law (the Wbni) or under the legislation of another EU Member State.
This question of jurisdiction is particularly important for companies offering their
services in several EU Member States.
You can use the following diagram to determine whether your company is a digital
service provider as referred to in the Wbni (steps 1, 2a and 2b). If that is the case,
you can use the diagram to determine the applicable jurisdiction (steps 3a and 3b).
Diagram 1 (flowchart reproduced as text)
Step 1: Is my company an
• online marketplace, or
• online search engine, or
• cloud service provider?
No: my company is NOT a digital service provider.
Yes: go to steps 2a and 2b.
Steps 2a and 2b: Does my company employ 50 or more persons, and/or does its
balance sheet total or annual turnover exceed EUR 10 million? (see the notes below)
No: my company is NOT a digital service provider.
Yes: my company is a digital service provider and falls under the Wbni; go to steps
3a and 3b to determine the jurisdiction.
Step 3a: Is my European head office in the Netherlands?
Yes: my company is covered by the Wbni.
No: go to step 3b.
Step 3b:
• If you have a European head office in another EU Member State, you fall under
the legislation of that country.
• If you do not have a head office in an EU Member State, you must appoint a
representative in an EU Member State. If you appoint a representative in the
Netherlands, my company is covered by the Wbni.
Notes to Diagram 1
Step 1: Digital service
To determine whether you offer one or more digital services as referred to in the
law, consider whether your service(s) meet the definition of "online marketplace",
"cloud service" or "online search engine". These definitions are detailed below.
Online marketplace2
An online marketplace is a website on which entrepreneurs or consumers can
conclude sales or service agreements with (other) entrepreneurs.
Your organisation falls under this definition if:
• As a platform or website you facilitate sales between buyer and seller, and the IT
services of the platform are used for this; consider, for example, the processing of
payments by the platform. In this way the platform facilitates the conclusion of the
agreement.
• The purchase is concluded on the website of the marketplace or on the website
of the (selling) entrepreneur.
• Three parties are involved: the buyer, the seller and the marketplace.
Exception: web shops and comparison sites are excluded; they are not online
marketplaces.
An online marketplace can occur in any sector, such as retail, travel, sales of
electronic content (app stores) and trading platforms for oil or energy. Online
marketplaces can operate in both the business-to-business (B2B) and the
business-to-consumer (B2C) market. Some concrete examples of online
marketplaces are given below under "Case histories online marketplace".
2 Article 4(17) and recital 15 of the NIS Directive (EU) 2016/1148.
Online search engine3
An online search engine is a digital service that offers users the possibility to
search, in principle, all websites.
If you offer a search function on your website only to search for information within
your own website, your organisation is not an "online search engine" as meant here.
Cloud service provider4
Cloud service providers provide a digital service that enables access to a scalable
and elastic pool of computing capacity. Cloud service providers deliver services that
are accessible anywhere and at any time.
Most cloud services can be divided into three main categories: Software as a
Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
All three fall under the definition of cloud services described above.
Software as a Service (SaaS): an "online" application that can be operated via a web
browser, independent of place and time. For example, a financial package, an online
office suite, etc.
Platform as a Service (PaaS): an "online, ready-equipped" platform on which the user
or customer can run their own software, services or platforms that offer specific
functionality. For example, a "virtual PC with an operating system", an authentication
platform or storage.
Infrastructure as a Service (IaaS): the virtual hardware layer in which the user or
customer can create and manage their own networks, storage, servers and
workstations. For example, virtual workstations, data storage, network equipment.
This allows the user or customer to install their own operating systems and
configurations.
3 Article 4(18) and recital 16 of the NIS Directive (EU) 2016/1148.
4 Article 4(19) and recital 17 of the NIS Directive (EU) 2016/1148.
Exception:
Private cloud services, for example a cloud within one organisation that is used only
by that organisation, do not fall under the definition of cloud service provider.
Steps 2a and 2b: Size criteria: number of employees and balance sheet
total/annual turnover
The Wbni applies only to medium-sized and large enterprises and not to micro and
small enterprises. To determine whether an enterprise is micro or small, the number
of employees and the balance sheet total/annual turnover are considered. You are a
digital service provider if you employ 50 or more persons and/or your balance sheet
total or annual turnover exceeds EUR 10 million per year. These criteria are
explained below.
Number of employees
If the number of employees is 50 or more, you are not a micro or small enterprise.
How should the number of employees be calculated?
• The data for calculating the number of persons employed relate to the last closed
financial year.
• The number of persons employed corresponds to the number of annual work units
(AWU), i.e. the number of persons who worked full-time for the whole year in
question in the enterprise concerned or on its behalf. The work of persons who did
not work the whole year, or who worked part-time regardless of duration, is
expressed as fractions of AWU.
• The persons employed consist of:
a. employees;
b. persons working for the enterprise who, under national law, are in a relationship
of subordination to it and are treated as employees;
c. owner-managers;
d. partners engaging in a regular activity in the enterprise and benefiting from
financial advantages from the enterprise.
• Apprentices and students engaged in vocational training with an apprenticeship or
vocational training contract are not counted as persons employed. The duration of
maternity and parental leave is not counted.
Balance sheet total or annual turnover
If your balance sheet total or annual turnover exceeds EUR 10 million, you fall under
the law. How should that be calculated?
• The data for calculating the financial amounts relate to the last closed financial
year and are taken into account from the date of closure of the accounts.
• The amount of the turnover is calculated excluding value added tax (VAT) and
other indirect taxes or levies.
• In the case of newly established enterprises whose first annual accounts have not
yet been approved, the data may be estimated.
A further point of attention regarding the size criteria:
• If your company has ties with other companies, for example through a holding
structure, the question arises to what extent these other companies should be
included in determining the "number of employees" or the "balance sheet total or
turnover". The degree of relationship with these other companies determines
whether they are to be considered as a single entity or as several independent
enterprises. More information about this relationship and about the size criteria
mentioned can be found in:
• The "European Commission Recommendation of 6 May 2003 concerning the
definition of micro, small and medium-sized enterprises (2003/361/EC)":
https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX%3A32003H0361
• The "User Guide to the SME Definition"5, a publication of the European
Commission6. This guide contains a comprehensive explanation and a number of
examples for companies.
5 The guide deals with micro, small and medium-sized enterprises (SMEs). This
means that in some places the guide sets out the criteria for medium-sized
companies. The NIS Directive and the Wbni do not apply to micro and small
enterprises but to medium-sized and large companies. Page 11 of the guide lists the
thresholds applicable to the various categories.
6 "User Guide to the SME Definition", European Commission, Ref. Ares(2016)956541,
24/02/2016. Links:
https://www.rvo.nl/file/de-nieuwe-definitie-van-kmo or
https://publications.europa.eu/nl/publication-detail/-/publication/79c0ce87-f4dc-11e6-8a35-01aa75ed71a1/language-nl
(available in multiple languages)
Step 3: Head office in the Netherlands / designating a representative
• If you offer a digital service and meet one of the two size criteria, you are a digital
service provider. It must then be determined whether you fall under Dutch law
(jurisdiction) or under the NIS legislation of another EU Member State. This is
important for determining in which country you must report an incident and which
supervisor you are dealing with.
• To determine whether Dutch law applies to you, take the following steps:
1. First check whether you have a principal place of business in a Member State of
the European Union. If your European head office is in the Netherlands, you fall
under the Wbni. If your European head office is in another EU Member State, you fall
under the legislation of that country.
2. If you do not have a head office in an EU Member State, for example because your
head office is in a European country that is not part of the European Union, you
must designate a representative in an EU Member State.
• If you choose to have a representative in the Netherlands, you fall under the Wbni.
• If you choose to have a representative in another EU Member State, you fall under
the legislation of that country.
Case histories online marketplace
Case: online marketplace (business to consumer)
• A supermarket offers consumers the opportunity to also do their shopping online.
This supermarket sells products of its own house brand but also of many other
brands. Still, the supermarket is not an online marketplace as meant in the Wbni.
After all, the consumer does not conclude the purchase with those other brands but
with the supermarket. This is a web shop.
• Suppose the supermarket decides to also sell products on behalf of other sellers or
vendors: the supermarket will offer local products through its web shop. Those
products are not part of the supermarket's usual stock, unlike the brands mentioned
above.
• On its website, the supermarket indicates that local entrepreneurs offer regional
products and that the consumer ultimately concludes the sale with the local
entrepreneur. The supermarket performs a number of activities on behalf of the local
entrepreneurs, such as processing the payment transaction.
• The supermarket thus takes various activities off the local entrepreneur's hands,
and the provider of the regional products receives its share of the payment. The
local entrepreneur may deliver the products itself, but the supermarket can also do
so. Only for selling the local products is the supermarket an online marketplace, not
for its other activities.
• Incidentally, this is not only about selling products. If the supermarket were to set
up the same construction for offering garden maintenance by a gardener, there
would also be an online marketplace, because a service (garden maintenance) is
offered.
Why is the supermarket an online marketplace when selling regional products?
• Three parties are involved: the buyer (consumer), the online marketplace
(supermarket) and the seller (provider of regional products);
• The purchase is concluded between a customer and a third party (the provider of
local products);
• The sale is concluded on the website of the online marketplace (supermarket); it
could also have been concluded on the website of the local entrepreneur;
• Information technology services of the online marketplace are used (the
supermarket processes the payment transaction using ICT).
Case: online marketplace (business to business)
• An online marketplace brings together supply of and demand for work for
freelancers (in Dutch: ZZP'ers). A freelancer searches the online offer for an
assignment, and potential clients post assignments for freelancers via the online
platform.
• If the freelancer finds a suitable assignment with a client, then after mediation via
the online platform an agreement is concluded between the freelancer and the client.
Why is this an online marketplace?
• Three parties are involved: the freelancer (business), the online marketplace
(mediation) and the other business (the client).
• The agreement is concluded between the freelancer and the third party, the
company seeking freelance capacity.
• The agreement is concluded via the website of the mediator.
• ICT resources are used to link supply and demand to each other.
3. What does the Wbni say?
Organisations covered by the Wbni have a reporting obligation and a duty of care:
A. The reporting obligation means that incidents must be reported to the supervisor,
the Telecom Agency (Agentschap Telecom), and to the CSIRT (Computer Security
Incident Response Team) for digital services. Both organisations are part of the
Ministry of Economic Affairs and Climate Policy (EZK).
B. The duty of care means that a digital service provider must take appropriate
organisational and technical measures to manage the risks to the security of its ICT
systems and to reduce the impact of incidents. This allows incidents to be avoided
and their effect to be minimised.
Ad A. Reporting incidents
Incidents must be reported. But what is an incident under this law?
An incident
An incident is "any event having an actual adverse effect on the security of network
and information systems".7
The security of network and information systems concerns the availability, integrity,
confidentiality and authenticity of network and information systems.
Must every incident be reported? No, not every incident has to be reported. You must
determine whether the incident has significant consequences for your service,
because only those incidents must be reported. This includes the number of users
affected by the disruption of the service, or the consequences of an incident for
economic and social activities. This is further elaborated in European legislation.8
Threshold values apply to determine whether an incident must be reported. These
are shown in the flowchart below.
Reporting flowchart (reproduced as text; only part of the original diagram survived
extraction, and the remaining threshold questions are set out in Article 4 of
Implementing Regulation (EU) 2018/151):
There is an incident. Does the incident have significant consequences?
• For an impact on integrity, authenticity or confidentiality: does the incident have
negative consequences for more than 100,000 users in the EU?
Yes: report the incident without delay to the Telecom Agency and to the CSIRT for
digital service providers.
No, for every threshold question: the incident does not have to be reported.
7 Article 4(7) of Directive (EU) 2016/1148 of 6 July 2016 laying down measures for a
high common level of security of network and information systems across the Union.
8 Article 4 of Implementing Regulation (EU) 2018/151 of 30 January 2018 (this
regulation concerns only digital service providers).
• The Telecom Agency (Agentschap Telecom, AT) is the supervisor for digital
service providers. In the Wbni it is called the "competent authority". The task of the
Telecom Agency is to monitor compliance with the law. Reports can be made via
www.agentschaptelecom.nl/wbni.
• The CSIRT for digital services has a different task: the CSIRT can advise your
company if an incident has occurred. This mainly focuses on incident response in
order to limit the economic and, where necessary, social damage of an incident. It
may also warn other digital service providers when a certain type of incident occurs.
It is not the CSIRT's job to check whether an organisation complies with the law.
• The Telecom Agency and the CSIRT for digital services are both part of the
Ministry of Economic Affairs and Climate Policy.
Ad B. Duty of care: taking security measures
Digital service providers are obliged to take appropriate and proportionate
organisational and technical measures to manage the risks to the security of their
network and information systems. Having regard to the state of the art, those
measures must ensure a level of security appropriate to the risks posed.9
The security of network and information systems10 means that the network and
information systems are able to resist actions that compromise the availability,
integrity, confidentiality and authenticity of the data stored, transmitted or processed
by those network and information systems. This also applies to the related services
offered by, or accessible via, those network and information systems.
The security measures11 concern:
1. the security of systems and facilities;
2. incident handling;
3. business continuity management;
4. monitoring, auditing and testing;
5. compliance with international standards.
The five security elements mentioned above are further elaborated in Article 2 of
Commission Implementing Regulation (EU) 2018/151 of 30 January 2018. See the
link below:
https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX%3A32018R0151
The security measures mainly focus on WHAT needs to be done and not so much on
HOW it should be done. For example, the regulation states that, regarding the
security of systems and facilities, measures must be taken in relation to access
controls for network and information systems. Or, regarding incident handling, that
detection procedures must be maintained and tested to ensure that deviating events
are noticed in time. How a digital service provider arranges this is not prescribed.
9 Article 7(1) of the Rules implementing Directive (EU) 2016/1148 (Network and
Information Systems Security Act, Wbni), Parliamentary Paper 34883 A, amended
bill, 29 May 2018.
10 Article 4(2) of the NIS Directive (EU) 2016/1148.
11 Article 2 (security elements) of Implementing Regulation (EU) 2018/151 of 30
January 2018.
Supervisor: the Telecom Agency
The supervisor has the power to assess whether the security of the network and
information systems is in order. This also means that you must have documentation
so that the supervisor can verify that your company complies with the security
requirements. The Telecom Agency comes into the picture after an incident or a
suspicion of a violation of the law.
As supervisor, the Telecom Agency has a number of enforcement instruments at its
disposal, in particular:
• It may issue a binding instruction obliging the digital service provider to take
certain measures within a reasonable period;
• It may impose an order subject to administrative enforcement (last onder
bestuursdwang) or an administrative fine.
4. Frequently asked questions
Question 1
How do I know whether my company has to comply with this law?
The law applies to digital service providers. These are providers of cloud services,
online search engines and online marketplaces, and the law only applies to
organisations of a certain size (in turnover/balance sheet total or number of
employees); micro and small enterprises are excluded. So there are criteria for
determining whether an organisation is a digital service provider as meant in the law
(see section 2).
Question 2
What should I do if my company does not currently meet the criteria for falling under
the law, but may do so next year? Must I then suddenly meet all obligations?
Your company may not currently fall under the law, for example because it is small.
However, your company may be covered by the law in the future, for example because
it has grown past the size criteria and has therefore become a medium-sized or large
enterprise. To give companies some stability and certainty, a company must have the
same status, micro/small enterprise or not, in two consecutive financial years before
its status changes. See also page 14 of the SME User Guide:
https://www.rvo.nl/file/de-nieuwe-definitie-van-kmo
Question 3
Why must incidents be reported to two bodies?
Incidents must be reported to the supervisor (the "competent authority") and to the
CSIRT (Computer Security Incident Response Team) for digital services. The reports
to these authorities each serve a different purpose.
Incidents must be reported to the supervisor, the Telecom Agency. Following a
report, the supervisor may take action and check whether the digital service provider
has complied with the law. Through the reported incidents the supervisor also gains
insight into (new) risks in the sector. If it appears, for example, that many incidents
are caused during maintenance work on ICT systems, the supervisor can warn digital
service providers to be extra alert and advise them to take precautions. The
supervisor thus also plays a role in preventing incidents.
In addition, incidents must also be reported to the CSIRT for digital services. CSIRT
stands for "Computer Security Incident Response Team". An incident (of a certain
magnitude) must be reported to the CSIRT. The CSIRT can provide advice and
support, aimed at recovery. The CSIRT can also warn other companies and provide
information on risks and incidents, for example when a vulnerability has been
detected in certain software. The CSIRT should not be regarded as the ICT provider
that will fix the problem for your organisation; you or your ICT service provider must
do that yourselves. What support and advice a CSIRT can offer also depends on the
cause and possible impact of an incident, so this is assessed per situation. It is not
the CSIRT's job to check whether a company has complied with the law.
The Telecom Agency and the CSIRT for digital services are part of the Ministry of
Economic Affairs and Climate Policy.
Question 4
What does the obligation to report incidents entail?
Incidents that have an adverse effect on the security of your ICT systems, irrespective
of their cause, must be reported. However, not every incident with consequences for
the security of your ICT systems falls under the law; thresholds are applied so that
only incidents with significant consequences need to be reported. This means that
small incidents with barely any consequences do not have to be reported.
Question 5
When an incident occurs, it is usually not immediately clear what is going on or how
serious it is or will become. It is then also not clear whether the incident falls under
the reporting obligation. Should it be reported?
If you have doubts about whether a report is required, you can contact the CSIRT
and/or the Telecom Agency to discuss the situation. If you want to make a report but
do not yet have all the necessary information, you can supplement the report with
additional information later, or withdraw it if the incident turns out to be much smaller
or less severe than you initially assessed.
Question 6
What does the duty of care entail?
The duty of care means that a digital service provider must take organisational and
technical measures to manage the risks to the security of its network and
information systems. The law mainly deals with what you need to arrange (the
security elements) but does not prescribe how to do that or at what level of security.
That is your own responsibility. This means that you need to understand the potential
risks to the security of your network and information systems, and that your
measures must ensure a level of security tailored to the risks that occur. This
includes, for example, the systematic management of your ICT systems and business
continuity management.
Question 7
Do these rules also apply to my competitors in other EU countries?
Yes, the same threshold values for the reporting obligation and the same security
requirements apply in the other EU Member States. These threshold values and
security requirements are laid down in a European implementing regulation that is
in force in all EU Member States.
Link to Implementing Regulation (EU) 2018/151:
https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX%3A32018R0151