The Second Chamber has passed the "Bill to Promote Digital Resilience for Businesses" (Wbdwb). This law is intended to enable the Dutch government to alert all companies in the Netherlands to vulnerabilities, threats or incidents. In this way, the government is trying to protect Dutch businesses, including your organization, from cybercrime.
All Dutch companies more resilient to cybercrime
Currently, companies not covered by the "Network and Information Systems Security Act" (Wbni) are not informed about specific threats related to their digital environment, even though the government does have this information. This is because the government has no legal right to process data on all companies in the Netherlands, and it needs that right in order to alert companies. Currently, this right only applies to companies that provide a vital function for Dutch society, such as purifying drinking water, energy supply and healthcare. The new law thus makes it possible for the government to also warn the rest of the business community about cyber threats, making those businesses more digitally resilient. This includes SMEs and self-employed workers.
What does it mean that the government is allowed to process personal data?
When the government wants to alert individual companies and organizations to cyber threats, it may need to process personal data, such as IP addresses or e-mail addresses.
An example: the government finds a list of IP addresses of compromised computers used for attacks. The government can then use the IP addresses to find out which companies the computers belong to, and alert those specific companies.
The government informs non-vital companies about cyber threats through the Digital Trust Center (DTC). Vital companies are informed by the National Cyber Security Center (NCSC), and the national Computer Security Incident Response Team for Digital Service Providers (CSIRT-DSP) does this for digital service providers. The new legislation also allows these organizations to work better together by bringing them together into one cybersecurity organization.
What does this mean for your organization?
Does your organization serve a vital interest? If so, nothing changes. If your organization is considered non-vital, it is now possible for the DTC to process personal data from your organization to determine if there is a specific cyber threat. You do not need to take any action yourself.