Priorities Wbni 2023
We show you the priorities of our supervision of operators of essential services in 2023.
Wbni – what is the Act?
The Network and Information Systems Security Act (Wbni) is the Dutch implementation of the European NIS Directive into national law. The Act requires operators of essential services and digital service providers to put in place appropriate and proportionate technical and organisational measures to secure their ICT resources, and to take appropriate measures to prevent incidents and mitigate the impact of any incidents that do occur to the greatest possible extent.
Wbni – who does the Act cover?
The Minister for Climate and Energy Policy has designated electricity producers and the national and regional grid operators as operators of essential services. The digital infrastructure sector covers internet exchanges and the administrator of the .nl domain (SIDN, the foundation in charge of registering internet domain names in the Netherlands). The Authority actively monitors compliance with the Act among these target groups.
Digital service providers are not designated and it is up to them to determine whether or not they are subject to the provisions of the Act. The Authority carries out reactive monitoring of compliance with the Act among this target group.
Wbni – how is the Act monitored?
The Authority monitors compliance with the Act in four ways:
• Regular inspections: we take a wide-ranging look at the overall security situation
• Thematic inspections: we focus on one particular aspect of security
• Incident inspections: when an incident is reported, we examine its cause and how it can be prevented in the future
• Thematic supervision: taking specific investigations and activities as our starting point, we encourage and support the entire sector in achieving and maintaining digital resilience.
Wbni – Monitoring the Act in 2022
In 2022, the Authority conducted an inspection on the theme of Business Continuity Management (BCM) among grid operators and in the digital infrastructure sector to examine how these entities mitigate the consequences of incidents. In addition, introductions and initial duty of care assessments were carried out among a group of more than 20 major energy producers.
Key developments in 2023
Oil and gas supplies are of vital importance. With this in mind, a number of new operators of essential services will be designated in the energy sector in 2023. In the digital infrastructure sector, three major domain name system providers will be designated.
Substantial changes will also occur in the legislative field. The NIS Directive has been reviewed (NIS2) and the Critical Entities Resilience (CER) Directive and the EU Network Code on Cybersecurity are nearing completion.
The enhanced approach to critical infrastructure, the changing geopolitical situation and the expanded scope of NIS2 all underline the importance of cooperating with other regulators, both nationally and internationally.
Priorities in 2023
• Introductions and initial duty of care assessments among a group of new operators of essential services in the energy and digital infrastructure sectors.
• Inspections on specific themes within the multi-year theme of Business Continuity Management using risk-based selection in the energy sector with a focus on black start. The parties selected for inspection will be informed well in advance.
• Thematic inspections using risk-based selection of energy producers on the issue of risk management. The results of these inspections will also be incorporated into the inspection overview. The parties selected for inspection will be informed well in advance.
• Thematic supervision on the theme of Industrial Automation and Control Systems (IACS) in the energy sector and more broadly where possible. This focuses on the sparsely regulated area of Operational Technology systems and the associated supply chain risks.
• Account management meetings with the operators of essential services. The agenda for these meetings will specifically include NIS2 and Netcode (where relevant).
In addition to these priorities, the major focus for 2023 will be on implementing these European legal frameworks into Dutch law and making preparations for monitoring and other tasks that arise as a result.