On the 1st of January 2019 the Ministry of Economic Affairs and Climate Policy established the CSIRT for Digital Service Providers (CSIRT-DSP). This implements an obligation from the 'Wet en beveiliging netwerk- en informatiesystemen (Wbni)' and the NIS directive (EU) 2016/1148. The CSIRT-DSP is charged with receiving reports of incidents of significant impact from digital marketplaces, online search engines and cloud computing services (digital service providers). An incident report will not lead to higher liability. It is the duty of CSIRT-DSP to assist the reporter in maintaining or restoring the continuity of the affected service. This legal recognition acknowledges the value that DSPs have in today's society.
CSIRT-DSP also supports its constituency by monitoring incidents on a national level, providing relevant information about risks and incidents, assisting in case of incidents and providing risk and incident analysis. CSIRT-DSP alerts its constituency about known compromised systems and about software vulnerabilities.
The NIS Directive (EU) 2018/151 and Wbni also describe a duty of care, which states mandatory information security controls. CSIRT-DSP is not tasked with review or supervision; this responsibility resides with the Dutch Authority for Digital Infrastructure. Dutch law intentionally divides these tasks between two parties. This makes the CSIRT-DSP a supportive team.
The Dutch National Cyber Security Center is the other appointed CSIRT in the Netherlands. Its constituency consists of government entities and essential and vital services. CSIRT-DSP cooperates closely with the Dutch NCSC. There is also close cooperation with other national CSIRTs in different EU member states. This cooperation takes place within the CSIRTs network. In this network, intelligence and expertise are exchanged to raise the preparedness of CSIRTs.
CSIRT-DSP is eager to assist digital service providers and cooperates with its constituency and other partners to establish a more digitally secure Netherlands. Don't hesitate to contact us so our cooperation can be based on the knowledge of each other's needs and capabilities. To improve knowledge is to create and share knowledge.
The formal description of the CSIRT-DSP based on RFC 2350 can be found in this document.