The European Union adopted the Network and Information Security Directive (NIS2 Directive) in late 2022, with the aim of strengthening the digital and economic resilience of member states. This directive is currently being transposed into the Dutch Cyber Security Act (Cbw). Wouter Scherpenisse, PhD candidate in the field of cybersecurity, and Sascha van Schendel, Assistant Professor Data Protection & Cybersecurity, both affiliated with the Erasmus School of Law, have written a comprehensive response to the Cbw. In it, they discuss the legal and digital implications of the legislative proposal and make suggestions for further refinement.
Scherpenisse and Van Schendel stress the importance of a clear scope of the law, with a particular focus on educational institutions such as universities. They argue that universities should be identified as key entities because of their role as a source of sensitive information and their vulnerability to cyber attacks. This is substantiated by the increasing digital dependence of educational institutions, especially after the COVID-19 pandemic. They also point to the broader societal function of universities and the importance of cyber resilience knowledge within them.
In addition, they ask for clarification on the status of government entities conducting activities in the areas of national security, public safety, defence or law enforcement. Although these entities are excluded from the Cbw, Scherpenisse and Van Schendel stress their crucial role within national cybersecurity policy.
Directors' responsibility
Another important theme in their response is the responsibility of directors, as set out in Article 26 of the Cbw. Directors of essential and important entities should not only approve the measures and oversee their implementation, but also have the right knowledge. This requires regular training. The authors argue that these knowledge requirements should also apply to politically appointed office holders, such as ministers, because of their crucial role during cyber incidents.
Voluntary reports
Section 36 of the Cbw, which deals with voluntary vulnerability disclosures, is also discussed. The Netherlands is a frontrunner in Coordinated Vulnerability Disclosure (CVD) and the authors commend first steps towards its legal enshrinement. They suggest in addition, that CVD policy should become an explicit part of the measures that entities should take.
Information-sharing
Information sharing is crucial for effective cybersecurity policies. The legislative proposal recognises this, but the flexibility in information sharing may raise questions about legal certainty and transparency. Scherpenisse and Van Schendel call for clarity on the designation of relevant parties who may receive confidential information. They stress the importance of clear safeguards in the designation or monitoring of organisations.
Feasibility of obligations
The practicality of the Cbw's obligations is another concern. Section 8 of the Explanatory Memorandum (MvT) discusses the regulatory burden and costs, but the authors question whether the estimates are not too optimistic. They point to the challenges some entities, especially smaller ones, may face in implementing the required measures.
Delegation terminology
Finally, Scherpenisse and Van Schendel discuss the legal terminology of the legislative proposal. They recommend being clear about the possibility of subdelegation in provisions where relevant, to avoid confusion.
- PhD student
- Assistant professor
- More information
Read Scherpenisse and Van Schendel's entire response to the Cybersecurity Act here (provided in Dutch only).