Essential organisations must improve domain name portfolio management

Cyber Security Decree will translate NIS2 requirements into Dutch law


Although we still don’t know when the Netherlands’ new Cyber Security Act will come into force, a lot of work is already being done on its practical implementation. As part of those efforts, a draft of the Cyber Security Decree was recently published for internet consultation. While the draft decree – technically a ‘general administrative order’ or ‘AMvB’ in Dutch – may yet be amended following consultation, it shows how the provisions of the Cyber Security Act are likely to work in practice. Cybersecurity professionals therefore now have a better understanding of what their future obligations and responsibilities will be.

Key provisions

The Cyber Security Decree is based on the Cyber Security Act, which in turn is based on the EU’s NIS2 Directive. As currently drafted, the act will create various general obligations with regard to risk management, incident reporting and monitoring. Those general obligations will then be translated into concrete requirements by the proposed decree. More specifically, the decree will provide for:

  • A duty of care regarding the supply chain, including due diligence in supplier selection

  • Mandatory cyber-resilience training for executives

  • Specific incident reporting obligations, covering promptness, report content and reporting method

  • Periodic audits and self-evaluations

Obligations regarding domain names

One notable addition is the explicit attention given to the domain name portfolios of essential and important entities. The consultation indicates that such organisations will be required to record all the domain names under their control. That may prove difficult in practice, since SIDN’s experience is that many organisations lack a complete overview of their domain name portfolios – typically because they have lost track of shadow IT arrangements or historical registrations. It’s also unclear how the new obligation will tie in with the recently established Register of Government Internet Domains (RIO).
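The first practical step towards the record-keeping obligation described above is to reconcile what the registrar actually holds against what the organisation believes it owns. The script below is an added example, not code from SIDN or from the consultation documents; it works on constructed sample data and assumes a registrar export of (domain, expiry date) pairs and an internal register that is a plain set of names. It normalises spellings (case, trailing dot, IDN labels to punycode) before comparing, so that the same domain recorded two ways does not show up as two domains, and then reports forgotten registrations, lapsed entries and domains about to expire.

```python
"""Domain portfolio reconciliation (added example with constructed data).

Compares a registrar export against an internal domain register and reports:
  - domains the registrar holds that the register does not know about
    (shadow IT or forgotten historical registrations),
  - domains in the register that no longer exist at the registrar (lapsed),
  - domains whose registration expires within a chosen horizon.
The export format and the register are assumptions for illustration only.
"""
from datetime import date, timedelta


def normalise(name: str) -> str:
    """Canonical comparison key: trim whitespace and a trailing dot, lowercase,
    and convert IDN labels to their ASCII (punycode) form, so that
    'Example.NL.', 'example.nl' and 'München.nl'/'xn--mnchen-3ya.nl' each
    collapse to a single key. ASCII labels pass through the idna codec unchanged."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def reconcile(registrar_export, internal_register, today, horizon_days=60):
    """Return a dict with the three findings as sorted lists of normalised names."""
    registrar = {}
    for raw_name, expiry in registrar_export:
        key = normalise(raw_name)
        expires = date.fromisoformat(expiry)
        # If the export lists the same domain twice, keep the earliest expiry.
        if key not in registrar or expires < registrar[key]:
            registrar[key] = expires

    register = {normalise(n) for n in internal_register}
    cutoff = today + timedelta(days=horizon_days)

    return {
        "unknown_to_register": sorted(set(registrar) - register),
        "missing_at_registrar": sorted(register - set(registrar)),
        "expiring_soon": sorted(n for n, d in registrar.items() if d <= cutoff),
    }


# Constructed sample input: what a registrar export and an internal register
# might look like. Names are fictitious.
REGISTRAR_EXPORT = [
    ("Example.NL", "2026-03-01"),
    ("example.nl.", "2026-03-01"),          # same domain, different spelling
    ("shop-example.nl", "2025-12-20"),      # not in the internal register
    ("München.nl", "2027-01-15"),           # IDN in Unicode form
    ("old-campaign-2019.nl", "2025-11-05"), # forgotten marketing registration
]

INTERNAL_REGISTER = {
    "example.nl",
    "xn--mnchen-3ya.nl",   # same IDN as above, recorded in punycode form
    "intranet-example.nl", # recorded internally but no longer at the registrar
}

TODAY = date(2025, 11, 1)  # fixed date so the example is reproducible


def sample_report():
    """Run the reconciliation over the constructed data."""
    return reconcile(REGISTRAR_EXPORT, INTERNAL_REGISTER, TODAY)


if __name__ == "__main__":
    for finding, names in sample_report().items():
        print(f"{finding}:")
        for n in names:
            print(f"  {n}")
```

In practice the export would come from each registrar's portal or API, and the register from whatever system the organisation chooses to hold it in; the point of the normalisation step is that without it, case differences, trailing dots and IDN spellings routinely make a portfolio look larger, or smaller, than it is.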

Nevertheless, inclusion of the provisions in question underscores the strategic importance of domain name management for national digital security. It also increases the pressure on organisations that have previously been subject to relatively little scrutiny.

What next?

Many organisations now have a clearer idea of what they will have to do to comply with the law. Although the consultation version of the decree is accompanied by sector-specific guidance, questions do arise regarding the workability of the proposals. Nevertheless, any organisation that falls under the new rules would do well to:

  • Perform a gap analysis on the basis of the new requirements

  • Involve direct suppliers and service providers in their risk management

  • Establish reporting procedures and training programmes

  • Prepare for supervision by the appointed CSIRT or regulator

The message is clear: the days of doing as one sees fit are gone. When the Cyber Security Decree takes effect, cyber-resilience will cease to be an option and become a demonstrable obligation.

More info and consultation documents: www.nctv.nl – Cyberbeveiligingsbesluit