The Cyber Security Act in practice: the duty of care, ISO certification and the role of the board
On 23 March, the House of Representatives (Tweede Kamer) discussed the Cyber Security Act (Cyberbeveiligingswet; “Cbw”), the Dutch implementation of the Network and Information Security Directive (EU 2022/2555; “NIS2 Directive”). The aim is still to introduce the Act this quarter. The hack on Odido and the recent hack at Ajax show that securing your information systems is not a luxury but a necessity. In the Odido hack, the personal data of many people was published on the dark web. Such data can be used to send phishing emails, to place orders or take out subscriptions in someone else’s name, or to attempt to take over a bank account. Robust cybersecurity makes incidents of this kind less likely and limits their impact when they do occur. That is why this blog focuses on the duty of care under the Cbw.
Various authorities have now published information about the Cbw, including the National Cyber Security Centre (Nationaal Cyber Security Centrum; “NCSC”) and the National Inspectorate for Digital Infrastructure (Rijksinspectie Digitale Infrastructuur; “RDI”), which will act as the supervisory authority for many parties under the Cbw. The government advises organisations to start implementing the rules set out in the Cbw now, since the risks the Act is meant to address are already present.
Duty of care
One of the obligations under the Cbw is the duty of care set out in Article 21. It requires essential and important entities to take appropriate and proportionate technical and organisational measures to manage the risks to their network and information systems. Compliance with the duty of care is monitored by the designated supervisory authorities; among other things, an entity can be required to set out in writing what it has done in response to a notification from the supervisory authority, the Computer Security Incident Response Team (“CSIRT”) or another government body.
The Cbw sets out a number of minimum measures to fulfil the duty of care:
- Policy on risk analysis and the security of information systems
- Incident handling
- Business continuity, such as backup management, recovery plans and crisis management
- Supply chain security, including security-related aspects concerning the relationships between the entity and its direct suppliers or service providers
- Basic cyber hygiene practices and cybersecurity training
- Security in the procurement, development and maintenance of network and information systems, including the response to and disclosure of vulnerabilities
- Security aspects relating to personnel, access policies and asset management
- Where appropriate, the use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications, and secure emergency communications systems within the entity
- Policies and procedures regarding the use of cryptography and, where applicable, encryption
- Policies and procedures to assess the effectiveness of measures for managing cybersecurity risks.
The NCSC in the Netherlands has now developed a number of guidance documents on its website that can assist with the implementation of these measures.
ISO certification as a tool for compliance
Another tool for implementing the Cbw is the ISO 27001 standard, the international standard for information security management. ISO 27001 certification demonstrates that an organisation operates an information security management system that meets the requirements of the standard, and it can support NIS2 compliance. Partly for this reason, both the European Union Agency for Cybersecurity (ENISA) and the authors of the Government Information Security Baseline have produced a table mapping the ISO standards to the Cbw. The Government Information Security Baseline contains basic standards for information security within the public sector (central government, local authorities, water boards and provincial authorities). ENISA is the EU agency dedicated to cybersecurity. Various measures, such as multi-factor authentication and incident response, are covered by ISO 27001 and are also required under the duty of care of the Cbw. Holding ISO 27001 certification can therefore help in meeting the obligations under NIS2, but it is not in itself sufficient to comply with them.
Greater responsibility for the board
Whereas the ISO standards set requirements for the information security management system and the organisation around it, the Cbw also imposes obligations directly on an entity’s management. As described in a previous blog, Article 24 of the Cbw stipulates that directors bear ultimate responsibility for compliance with the Cbw obligations. NIS2 itself does not define ‘management’. In the explanatory memorandum to the Cbw, the definition of ‘management’ is linked to the Digital Operational Resilience Act (‘DORA’), a regulation aimed at enhancing the digital resilience of financial institutions. From that regulation it is inferred that ‘management’ means:
- The day-to-day management and not a supervisory body (such as a supervisory board)
- And in the case of a one-tier board, the executive directors and not the non-executive directors.
In the case of legal entities, ‘management’ is therefore the standard term used in Book 2 of the Dutch Civil Code (Burgerlijk Wetboek; “BW”). The responsibility under Article 24 of the Cbw thus rests with the board of a legal entity within the meaning of Book 2 of the BW. In line with this, the explanatory memorandum refers to the duties of the board of a public limited company (N.V.) and a private limited company (B.V.) under Articles 2:129 and 2:239 of the BW respectively.
Liability of the de facto manager under the General Administrative Law Act
In addition to directors, other natural persons may also be held liable for breaches of obligations under the Cbw. This concerns persons who, although they are not directors, in fact take the decisions and exercise control over compliance with the obligations under the Cbw. Liability is therefore not limited to directors but may extend to other persons within an organisation. NIS2 does not prescribe how this liability should be structured. In the Netherlands it is addressed through administrative enforcement, to which the General Administrative Law Act (Algemene wet bestuursrecht; “Awb”) applies. Under Article 5:1 of the Awb, if a legal person commits an offence, the person who ordered the act or the person who actually exercised control over it may also be sanctioned, for example with an administrative fine. This requires that the Awb’s test for actual control is met.
Conclusion
The duty of care under the Cbw brings significant new obligations and responsibilities for directors of entities subject to the legislation. ISO standards can provide support in meeting the technical and organisational measures required by the Cbw.
For more information about the obligations that apply to directors and how to protect your organisation and position, please contact Machteld Robichon or Bente van Kan.
With thanks to Maartje Nelemans