Central government logo, link to homepage
National Cyber Security CentreMinistry of Justice and Security

Incident reporting

Products and services
Coordination & support
Are you dealing with a cyber incident? Report it to the NCSC. In some cases this is a legal obligation; in others it is a voluntary way to collaborate on national cyber security. In both cases, support may be available.

As the Cybersecurity Act (the national implementation of the NIS2 Directive) has not yet entered into force, the Wbni (the Dutch Network and Information Systems Security Act) still applies for now. Vital providers and providers of essential services (AESs) are required to report serious incidents to the NCSC. Read more below about Wbni reporting. In addition, since 17 October 2024, organisations can also submit a voluntary NIS2 incident report via this form.

Wbni reporting

Under the Wbni, vital providers, digital service providers, and providers of essential services (AESs) are obliged to report serious incidents to the NCSC. AESs must also report to their sectoral supervisory authority.

Reports must be made as soon as possible. Send your report directly to cert@ncsc.nl (encrypted using our PGP key, if preferred) and state that it is a mandatory report.

An incident is any event that adversely affects the availability, integrity, confidentiality, or authenticity of network and information systems.

Do all incidents have to be reported? No. You must assess whether the incident has significant consequences for your service, as only such incidents must be reported. This may include, for example, the number of users affected by the service disruption, or the impact on economic and social activities. “Significant consequences” exist when:

  • The service is unavailable in the EU for more than 5,000,000 user hours;
  • The incident has negative consequences in the EU for the integrity, confidentiality, or authenticity of data or services affecting more than 100,000 users;
  • One or more users of the service have suffered damages exceeding EUR 1,000,000;
  • There is a risk to public safety, public security, or loss of life.
Submit a Wbni notification by encrypted email
Submit a Wbni notification by email

Cybersecurity Act (NIS2) reporting obligation

Organisations that will fall under the Cybersecurity Act will be subject to a reporting obligation. This means they must report significant incidents as soon as possible, and in any event within 24 hours, to the supervisory authority and the relevant sectoral CSIRT. Until the Cybersecurity Act has entered into force, this is a voluntary report.

Voluntary CBW incident report

Voluntary reporting

You can always submit a voluntary report to the NCSC. A report is considered voluntary if there is not (yet) a reason for a legally mandatory report.

The NCSC may be able to provide support and advice in response to voluntary reports. For voluntary reports, there is no obligation to report to the supervisory authority, the Dutch Authority for Digital Infrastructure. You decide which information you wish to share.

We maintain a national overview of cyber security threats. Voluntary reports contribute to this picture and help the NCSC to keep the threat landscape up to date, so organisations are better prepared for current threats.

Voluntary report
Form
Did you find this page helpful?