
Comply or explain: European and Dutch regulations regarding information security


In the last couple of years, the importance of information security has been recognized by businesses worldwide. Both the European Union and the Dutch state have introduced strict regulations to ensure the protection of personal data and of sensitive, business-critical information. These measures also mitigate the risk of cyber threats to your organization.

In this article, we discuss the importance of information security, the basic measures you have to implement, and the most important European and Dutch security laws and regulations, such as NIS2, Wbp, Wbni, NEN7510 and BIO. Moreover, we discuss how you can effectively comply with them.


What is Information Security?

Information security consists of all the preventive, detective, repressive and corrective measures that protect the confidentiality, integrity and availability of information, given the goals of an organization. Information security existed long before our modern digital era. The ancient Egyptian empire even had a dedicated official for it in its heyday: the master of the king's secrets. It's easy to understand the value of information security in a military or intelligence context, where it makes the difference between life and death.

For organizations today, the threat is just as real. Modern-day 'masters of secrets' include Chief Information Security Officers and Information Security Managers.

To protect information, organizations take a wide variety of organizational, physical and logical measures.

Basic measures every organization should take include:

  1. Map your key information security risks.
  2. Make sure your employees are aware of relevant security risks.
  3. Determine who has access to your data and services (‘need-to-know’).
  4. Apply strong passwords and multi-factor authentication where necessary.
  5. Divide your network into distinct segments.
  6. Check which devices and services are accessible from the internet and protect them.
  7. Encrypt storage media containing sensitive business information.
  8. Make regular backups of your systems and test them.
  9. Install software updates.
  10. Ensure that each application and system generates sufficient log information.
  11. Continuously test the effectiveness of the security of your systems (pentesting).
  12. Be prepared for security incidents (incident response).

Why securing information is important

Over time, one thing has always remained important: the 'need-to-know' principle. This means that users should only have access to the data and services they need for their job or role. Access control is not only a prerequisite for the confidentiality of information; it also helps to safeguard its integrity and availability. And that is exactly what information security means: making sure that an authorized user has access to correct and complete information at all times. European laws and regulations have been developed to provide a solid foundation for safeguarding information, and not without reason. The smallest security hole can be misused by threat actors such as cybercriminals and state-sponsored hackers, causing bankruptcies, disrupting our economy or undermining our democracy.

The business model par excellence for cybercriminals is ransomware. Organizations have to decide between paying 1 to 2% of their revenue as ransom in cryptocurrency, or losing sensitive data. The damage is substantial. In the Netherlands the average downtime of a business is 10 days, the average financial loss is €300k and more than 60% of small and medium enterprises do not survive an attack. For non-profit organizations the long-term damage is often a decline in public confidence. For government specifically, this undermines democracy.

Risks like ransomware are something every organization must deal with, from large governmental institutions to SMEs and non-profit organizations such as hospitals or universities. And the risks are getting bigger. The emergence of the Internet of Things, for example, makes security a safety issue as well: the virtual and physical worlds are literally connected.


European cyber and information security laws

In recent years the European Union has launched a number of (new) directives to increase the level of security of member states and the privacy of citizens. Directives have to be transposed into national laws. The best-known piece of legislation is probably the GDPR. More recently NIS2 was introduced.

We give you an overview of the important European and Dutch cyber security laws you need to consider for your organisation:

  • The General Data Protection Regulation (GDPR) sets out the requirements for organizations to protect the privacy and personal data of individuals. The GDPR for instance requires that individuals, in most cases, give permission before their personal data is processed. It also grants individuals certain rights: the right to access their data, rectify inaccuracies, erase data ("right to be forgotten"), restrict processing, data portability, and object to certain types of processing. Furthermore, organizations must keep a record of which personal data they process, conduct a privacy impact assessment and apply privacy by design. Organizations also have to report any breaches (for example, data leaks) as soon as they occur. Another important requirement is that organizations have to implement appropriate organizational and technical security measures. The basic measures described earlier are a bare minimum to comply with this requirement. In the Netherlands the GDPR is known as the Algemene verordening gegevensbescherming (AVG).

  • The directive on Security of Network and Information Systems version 2 (NIS2) is the successor to the first NIS directive. The purpose of the NIS2 is to further strengthen the resilience and incident response capacities of the private and public critical sectors, as well as the EU as a whole. To this end, the NIS2 Directive:
    • Broadens the scope of the sectors covered by the directive from seven to seventeen critical industries.
    • Introduces new cybersecurity risk and incident management requirements.
    • Intensifies the supervisory regime.
    • Strengthens penalties for organizations failing to comply with the requirements.
    • Introduces accountability of top management for non-compliance with cybersecurity obligations.
    • Includes stricter reporting requirements in the case of a cybersecurity incident.
    • Aims at harmonizing cybersecurity requirements and sanction regimes across EU Member States.

    NIS2 explicitly addresses supply chain risks. The vulnerabilities of one single critical organization are enough to threaten a whole society, even if the rest of the critical entities are mature in their cybersecurity risk management.

    This is why, with the above listed amendments, NIS2 aims at achieving a minimum level of cybersecurity across the EU. A harmonized stance towards cybersecurity will reduce the likelihood and the impact of attacks, thus lessening the threat of societies suffering the frightening consequences of a large-scale cyber-attack on their critical infrastructure.

    Again, the basic measures described earlier are a bare minimum to comply with NIS2. The Dutch government has to ensure that the directive is transposed into national legislation before March 2024. Currently the first NIS directive is implemented in the Wet Beveiliging Netwerk- en Informatiesystemen (Wbni).

Dutch cyber and information security regulations

So far, the main principle of the Dutch government in its effort to increase cyber security resilience and to compel organizations to implement basic cyber security measures has been 'self-regulation'.

Several industries have adopted and/or developed industry specific requirements and standards: 

  • Institutions like banks, insurers and pension funds, under supervision of the Dutch National Bank (DNB), must have appropriate procedures and measures in place to control IT risks. These procedures and measures aim to safeguard the integrity, continuous availability and security of electronic data. In this context, "appropriate" means that the procedures and measures are based on the nature, scale and complexity of the risks associated with the institution's activities, and on the complexity of its organizational structure. DNB developed a 'good practice' based on the COBIT framework. Institutions have to comply with a certain maturity level on specific control measures.

  • The Dutch healthcare sector has adopted NEN7510 which is, put simply, a healthcare version of ISO27001. However, NEN7510 has two additional standards on the exchange of data (NEN7512) and logging (NEN7513). ISO27001 is an internationally recognized standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive organizational information, ensuring its confidentiality, integrity, and availability. Annex A of the standard contains a set of security controls that organizations can select and implement to manage their risks. These controls are detailed in ISO27002. NEN7510 combines ISO27001 and 27002. Although it is not mandatory for healthcare organizations to implement and comply with NEN7510, case law shows that it de facto is. Recently NVZ, an industry association for general hospitals, rehabilitation centers and categorical care institutions, issued a behavioral guideline which includes organizational and technical security measures (based on ISO27002) comparable to the basic measures described in this article.

  • BIO (Baseline Informatiebeveiliging Overheid) has been the standard for information security of the Dutch government (i.e. central government, municipalities, provinces and water boards) since 2019. Like NEN7510, BIO is based on ISO27001 and ISO27002. The Dutch government has committed itself to implementing the BIO. Every layer of government has its own implementation roadmap.

  • Other Dutch laws relevant to cyber security are:
    • Wet Computercriminaliteit
    • Wet gegevensverwerking en meldplicht cybersecurity
    • Algemene Verordening Gegevensbescherming
    • Telecommunicatiewet
    • Auteurswet
    • Wet elektronische handtekeningen
    • Wet op de inlichtingen- en veiligheidsdiensten
    • Archiefwet

Frameworks and national disclosure guidelines make cyber security more accessible

Currently the Dutch government is considering adopting a cyber security framework, as Belgium has done. Belgium introduced the Cyberfundamentals Framework, a set of concrete measures to:

  • protect data
  • significantly reduce the risk of the most common cyber-attacks
  • increase an organization's cyber resilience

The framework has four levels: small, basic, important and essential. It is based on and linked with four commonly used cybersecurity frameworks: NIST CSF, ISO 27001 / ISO 27002, CIS Controls and IEC 62443. The framework can be used, for instance, to comply with NIS2.

Finally, it is worth mentioning a general guideline the Dutch government issued called 'Leidraad Coordinated Vulnerability Disclosure'. The goal of Coordinated Vulnerability Disclosure (CVD) is to contribute to the security of ICT systems by sharing knowledge about vulnerabilities. Owners of ICT systems can then remedy vulnerabilities before they can be actively abused by third parties. The Netherlands was one of the first countries to issue a guideline on vulnerability disclosure. More and more countries are doing so, and some even enshrine the guideline in law. CVD is considered good practice in complying with NIS2.

Comply or explain

Regulators and other stakeholders increasingly require proof instead of trust. Organizations have to prove that they control their security risks and/or have effectively implemented measures to control them. Organizations can no longer rely on trust by simply stating or showing that they comply with a certain information security standard. In practice there are two complementary ways to provide assurance to stakeholders about the level of compliance with information security standards and the effectiveness of implemented measures.

  • Certification
    Certification based on ISO 27001, NEN7510 or BIO is a common way to demonstrate that an organization is committed to information security, enhancing the organization's reputation, increasing customers' confidence and improving its ability to manage security risks effectively.

    To achieve ISO 27001 certification, an organization must implement and maintain an ISMS that complies with the requirements specified in the ISO 27001 standard. This involves adopting a risk management approach to identify, assess, and treat information security risks.

    The certification audit consists of two phases:
    • A documentation review, where the auditor, based on the so-called Statement of Applicability, checks whether the design of the ISMS complies with the requirements of ISO 27001.
    • After the first stage, an implementation review is conducted. The auditor checks whether the operation of the ISMS complies with the requirements of ISO 27001.

    It is important to note that ISO 27001 certification is not a one-time achievement but requires ongoing commitment to maintaining and improving the ISMS. However, an ISO 27001 certificate does not guarantee that security measures are designed properly and operate effectively. This is where an audit can be useful.

  • Audit
    In practice organizations often provide assurance with statements issued by certified auditors. Professional bodies have developed and adopted reporting standards for this kind of statement.

    Still widely used are ISAE 3000 and ISAE 3402. ISAE 3000 and 3402 refer to the International Standard on Assurance Engagements (ISAE) 3000 and 3402, which are issued by the International Auditing and Assurance Standards Board (IAASB).

    ISAE 3000 provides guidance and requirements for assurance engagements other than audits or reviews of historical financial information, whereas ISAE 3402 is focused on historical financial information. ISAE 3000 is primarily used for providing assurance over non-financial subject matters, such as internal controls, sustainability reporting, and information security.

    The disadvantages of the ISAE standards are that there is no common set of measures and the report cannot be publicly disclosed. Therefore the American Institute of Certified Public Accountants (AICPA) came up with SOC I, II and III (System and Organization Controls).

    Where SOC I is the equivalent of ISAE 3402 and SOC II of ISAE 3000, SOC III is for general use and can be made publicly available. SOC uses a standard set of control / security measures.

Continuous pentesting as a powerful tool for compliance

In light of current European and Dutch legislation, it has become essential for organizations to rigorously assess the efficacy of their technical security measures concerning digital assets. The protection of these assets has gained paramount importance, especially considering the involvement of confidential and privacy-sensitive data. With a significant shift of criminal activities from the physical realm to the virtual landscape, cybercriminals are increasingly targeting online identities, engaging in blackmail, and manipulating financial transactions.

Consequently, stakeholders now demand that organizations demonstrate a robust security framework for their (web) applications to avoid substantial fines stemming from non-compliance with relevant laws and regulations.

In practice, assessing the effectiveness of digital asset security measures often involves ethical hacks or penetration tests conducted annually or biennially, typically after the development and deployment stages. However, one of the drawbacks of this approach is that security is often not inherently integrated into the development process, leading to challenges in repairing structural errors or weaknesses in the software. Frequently, temporary measures are used to ensure security effectiveness, which can be labor-intensive, vulnerable, and costly. Additionally, traditional penetration tests offer a mere snapshot, not accounting for the dynamic nature of rapidly evolving technology and newly discovered vulnerabilities.

Hacksclusive advocates a risk-driven approach, prioritizing security at every stage of the development process, be it DevOps, agile, or more traditional methodologies. Through this continuous security testing approach, inherently secure digital assets are developed iteratively. Ethical hackers play a pivotal role in this process, being involved from establishing security requirements to conducting automated tests as extensively as possible. Hacksclusive's Pentesting as a Service platform facilitates and streamlines this procedure.

Curious how continuous pentesting can help you make your organization compliant? Get in touch with us!
