As of the 1st of January 2025 the CSIRT-DSP, the national Cyber Security Incident Response Team for Digital Service providers, has integrated with the Dutch National Cyber Security Centre (NCSC-NL).
Therefore, this website will not be updated anymore. For questions and assistance, please contact the NCSC-NL. For more information, see https://english.ncsc.nl/.
For digital service providers, the duty to report stemming from the Wbni mandates that incidents are reported to the CSIRT-DSP as soon as possible, with the goal to reduce damage to both the digital service provider and the sector. The Wbni also mandates that digital service providers report the incident without delay to the competent authority, the Dutch Authority for Digital Infrastructure. The CSIRT-DSP has integrated with the National Cyber Security Centre (NCSC). Therefore, from now on you can report incidents to the NCSC.
An incident is defined as any event that has a damaging effect on the confidentiality, integrity, availability or authenticity of network and information systems.
Not every incident meets the criteria for a mandatory report. The digital service provider should establish whether the incident has significant consequences for their service, since only such incidents are mandatory to report. An incident is said to have ‘significant consequences’ if:
- In the EU, the service is unavailable for more than 5,000,000 service hours;
- The incident has negative consequences for more than 100,000 users in terms of integrity, confidentiality or authenticity;
- One or more users of the service have suffered damages exceeding 1,000,000 EUR;
- There is a risk to public safety or the loss life.
If the incident doesn't meet the criteria for a mandatory report as described above, it's always possible to submit a voluntary report.