Protecting your information systems and keeping them safe from harm (cybersecurity) can be quite a challenge. All it takes is one hacker bent on mischief, or one disgruntled employee exploiting a security hole in your system, and the damage to your organisation may be enormous. In most cases, the law leaves the manner in which you choose to defend your organisation against attacks, vulnerabilities and other threats entirely up to you: you may make your own risk assessment and implement whatever measures you deem necessary. However, cybersecurity is increasingly becoming a legal requirement, with legislators deciding which systems must be secured and what level of security your cybersecurity measures must attain.
Cybersecurity can be part of a general regulation, such as the General Data Protection Regulation (GDPR), which imposes a security duty on virtually every organisation that processes personal data. However, cybersecurity is increasingly becoming a topic in its own right: the EU Directive on Security of Network and Information Systems (NIS Directive) and EU Regulation 910/2014 on electronic identification and trust services for electronic transactions in the European internal market (eIDAS Regulation) are two examples of cybersecurity legislation drawn up for specific market sectors or types of organisation.
Cybersecurity from a legal point of view
One aspect of cybersecurity found in nearly all pieces of cybersecurity legislation is the duty to report cybersecurity-related incidents to the relevant authorities. This duty varies from industry to industry, and not all incidents must be reported to the same authority. Sometimes incidents have to be reported to the Dutch Data Protection Authority, in other cases to the National Cyber Security Centre, and at yet other times the supervisory authority governing a particular segment of the industry must be notified. In some cases incidents must be reported to two or even all three of these bodies. Failure to report an incident may result in enforcement measures and significant fines. We help organisations find their way through this labyrinth of reporting duties and organise their incident response in such a way that reports are always timely and complete.
For instance, if you provide vital or essential services, trust services or digital services (cloud computing, online marketplaces, search engines), or if you host an online platform, you will be subject to more and more cybersecurity-related legislation in the next few years. Although some of these new regulations have yet to be adopted, organisations can already start preparing for these changes.