Written by on October 10, 2024
Compliance with the Telecommunications Act

Later this year, the National Inspectorate for Digital Infrastructure (RDI) will be inspecting internet service providers’ compliance with their reporting and duty-of-care obligations under the Telecommunications Act. These obligations are relatively new, as the Telecommunications Act was recently amended. The requirements apply to services provided via xDSL, cable, and fiber-optic networks. All providers of internet services and networks can therefore expect an inspection from the RDI in the coming months!


Compliance with the amended Telecommunications Act  

So what exactly has changed in the Telecommunications Act over the past year? We’ll explain. Last year, the Telecommunications Act was amended to include a reporting and duty-of-care obligation for internet service providers and companies offering other telecommunications services. These changes give internet service providers greater responsibility for identifying cyber threats and ensuring digital resilience. Beyond the new obligations themselves, the stricter requirements also serve as preparation for the NIS2 Directive, also known as the Cybersecurity Act.

What do the duty to report and the duty of care entail?  

The reporting obligation means that internet service providers are required to report any outages or other issues to the RDI as soon as possible. Security incidents must also be reported immediately, so that the RDI can be certain that the appropriate measures are being taken to protect customer data. The duty of care stipulates that an internet service provider must “take appropriate technical and organizational measures to ensure the security and continuity of services.” The goal of the stricter legislation is to minimize security risks as much as possible and ensure that a provider’s services can be restored as quickly as possible following a disruption or other incident. Because incidents are reported quickly, security measures can be improved and greater insight into cyber threats is gained.  

Preparing for the NIS2 Directive  

In addition to the new obligations being imposed on internet service providers, the RDI will also examine preparations for the NIS2 Directive—which will become the Cybersecurity Act in the Netherlands—during its inspections. This is a technological directive established by the European Commission. The law has not yet entered into force, but it is expected to do so sometime next year. The directive sets stricter requirements regarding the security of network and information systems. During inspections, internet providers can therefore expect to be asked how they are already preparing for the Cybersecurity Act!