Duty to report

For digital service providers, the duty to report stemming from the Wbni mandates that incidents are reported to the CSIRT-DSP as soon as possible, with the goal to reduce damage to both the digital service provider and the sector. The Wbni also mandates that digital service providers report the incident without delay to the competent authority, the Dutch Authority for Digital Infrastructure.

An incident is defined as any event that has a damaging effect on the confidentiality, integrity, availability or authenticity of network and information systems.

Not every incident meets the criteria for a mandatory report. The digital service provider should establish whether the incident has significant consequences for their service, since only such incidents are mandatory to report. An incident is said to have ‘significant consequences’ if:

  • In the EU, the service is unavailable for more than 5,000,000 service hours;
  • The incident has negative consequences for more than 100,000 users in terms of integrity, confidentiality or authenticity;
  • One or more users of the service have suffered damages exceeding 1,000,000 EUR;
  • There is a risk to public safety or the loss life.

If the incident doesn't meet the criteria for a mandatory report as described above, it's always possible to submit a voluntary report.