News item |: 01-12-2022 |: 12:02 p.m
NCSC works every day in a digitally safer Netherlands. If we have information about threats and incidents in organizations’ systems, we want to inform and advise them about it. For example, about what measures the organization can best take. Until now, the NSC was only allowed to share this information organizations designated as vital or part of the national government. There has not always been a legal basis for the NCSC to release threat and incident information to other organizations. Therefore, these organizations did not know that their systems were vulnerable, even though the NCSC had information about it. As of today, that has changed as the amended Security of Network and Information Systems Act (WbNI) comes into effect. It provides that very basis for providing more information to more organizations.
Hans de Vries, Director of NCSC. “Today is the day we’ve been waiting for as an organization for a long time, and I’m glad it’s finally here. As of today, we may also share information about, for example, an upcoming vulnerability or ransomware attack with organizations that are not owned by vital organizations or a national government. In this way, we also make these organizations digitally safer, and with it the Netherlands.”
The Wbni governs NCSC’s statutory responsibilities in cyber security. One of the NCSC’s primary tasks is to inform and advise vital suppliers and organizations within the national government about digital threats and incidents. As a result, NCSC also regularly receives information about digital threats or incidents involving other organizations. This applies, for example, to distributors of food products, political parties or container shipping companies. As of December 1, this information may also be provided to those other providers or their successor entities. You may think of information through which NCSC knows that an organization is using software that is vulnerable to abuse by criminals or when NCSC has information about an impending ransomware attack.
So-called OKTTs (organizations objectively tasked with informing organizations or the public of threats and incidents), acting as liaison organizations for other providers, can now provide this information and advice to organizations in their constituencies. In addition, there is now a basis for NCSC to share threat or incident information with other providers in special cases. A special case exists if there is no liaison organization (for example, OKTT or computer crisis team) that can provide information to the provider, and the information relates to a threat or incident with (potential) significant consequences for the continuity of the provider’s services. .