On the 1st of January 2019 the Ministry of Economic Affairs and Climate Policy established the CSIRT for Digital Service Providers (CSIRT-DSP). This implemented an obligation from the 'Wet en beveiliging netwerk- en informatiesystemen (Wbni)' and the NIS directive (EU) 2016/1148. The CSIRT-DSP is charged with receiving reports of incidents of significant impact from digital market places, online search engines and cloud compute services (digital service providers). As of the 1st of January 2025 the CSIRT-DSP has integrated with the NCSC. Digital service providers can therefore now contact the NCSC for assistance. Reporting an incident to the NCSC will not lead to a higher liability. It is the duty of the NCSC to assist the reporter in maintaining or restoring the continuity of the affected service. This legal recognition acknowledges the value that DSPs have in today's society.
The NCSC also supports its constituency by monitoring incidents on a national level, providing relevant information about risks and incidents, assisting in case of incidents and providing risk and incident analysis. The NCSC alerts its constituency about known compromised systems and about software vulnerabilities.
The NIS Directive (EU) 2018/151 and the Wbni also describe a duty of care, which states mandatory information security controls. The NCSC is not tasked to review or supervise; this responsibility resides with the Dutch Authority for Digital Infrastructure. Dutch law intentionally divides these tasks between two parties. This makes the NCSC a supportive team.
The NCSC closely cooperates with other national CSIRTs in different EU member states. This cooperation happens within the CSIRTs network. In this network, intelligence and expertise are exchanged to raise the preparedness of CSIRTs.
The NCSC is eager to assist digital service providers and cooperates with its constituency and other partners to establish a more digitally secure Netherlands. Don't hesitate to contact us so our cooperation can be based on the knowledge of each other's needs and capabilities. To improve knowledge is to create and share knowledge.
The formal description of the CSIRT-DSP based on RFC 2350 can be found in this document.