SIDN under supervision of Radiocommunications Agency
On 9 November 2018, the Network and Information Systems Security Act (Wbni) came into force in the Netherlands. At the same time, SIDN was designated an operator of essential services (OES), as provided for under the act. As such, we are now subject to supervision by the Radiocommunications Agency. In this blog, I outline the background to that designation and its implications.
Background to the Act and OES status
The new Dutch law implements the European NIS Directive, which is intended to assure adequate digital security throughout Europe.
The Directive and the Wbni focus on 'operators of essential services' and 'digital service providers'. Cloud service providers, search engine operators and internet marketplace operators all come under the second heading, while SIDN is covered by the first.
Operator of essential services
Operators of essential services are organisations that provide services that are vitally important to the community. They include energy suppliers, telecom service suppliers, and air traffic control service providers. A list of examples is provided in an annex to the NIS Directive, which individual member states are expected to use as guidance for designating their own OESs.
The NIS annex includes two examples that are relevant to SIDN: 'DNS service providers' and 'TLD name registries'.
In the Network and Information Systems Security Decree (Bbni), the Dutch government accordingly states that the following are regarded as OESs:
The operator of a register of top-level domain names, which is recognised by the Internet Assigned Number Authority (IANA) and manages more than 1,000,000 registered domain names.
The operator of a register of top-level domain names, which is recognised by IANA, manages more than 1,000,000 registered domain names and provides DNS services in respect of those names.
By virtue of its .nl services, SIDN qualifies as an OES under both of those definitions. In neighbouring European countries, the national TLD operators are also being designated as OESs.
What does the new law mean for SIDN?
First, as an operator of essential services, SIDN has a duty of care, as defined in Sections 7 and 8 of the Act. In brief, what that implies is that an OES has to take appropriate technical and organisational measures to ensure the following:
The management of the security risks to their network and information systems
The prevention of security incidents and the mitigation of any incidents that cannot be prevented, with a view to assuring service continuity
In addition to the duty of care, an OES is required to report any incident with significant or potentially significant consequences for service continuity (Section 10 of the Wbni). Incidents have to be reported to the National Cyber Security Centre (NCSC), so that the NCSC has the opportunity to assist with incident response and protect others, e.g. against the same cyber-attack. Each incident has to be reported to the supervisory authority as well. In SIDN's case, that is the Radiocommunications Agency, whose responsibilities include supervising all digital infrastructure OESs.
This is a new situation for SIDN: never before have some of our activities been under the formal supervision of a government agency. Since 2008, we have had a covenant with the Dutch government, in which mutual undertakings are made with a view to assuring the continuity of the .nl domain. However, that is a voluntary agreement, which involves no mandatory supervision.
It's important to understand, however, that only the availability and integrity of our .nl DNS and registration services are now subject to supervision. We remain free to assign SIDN domain names as we see fit, and to decide for ourselves whether, when and how we respond to incidents involving domain names. We also retain control over what data is shared in the Whois.
What difference will outsiders notice?
As far as the outside world is concerned, the fact that we are now a designated and supervised OES should make no difference. Even within SIDN, the impact is likely to be minor. After all, our information security has traditionally been of a very high standard. We've been ISO 27001-certified since 2011, for example. Moreover, we've always worked closely with the NCSC (previously GovCert), and we already report significant incidents to the NCSC on a voluntary basis. Our constant emphasis on quality also means that the availability of our DNS service has been 100 per cent for as long as anyone can remember. The availability of the domain registration system is barely any lower, averaging 99.9 per cent in recent years.
We are currently holding talks with the Radiocommunications Agency about the form that supervision should take. The practical details will be worked out over the course of the year. Our priority will be to ensure a collaborative approach, and preliminary discussions with the Agency give every reason for optimism on that score. We are therefore very confident that a constructive working relationship will be established, which will contribute to the stability and availability of the .nl domain.