The Digital Infrastructure Inspectorate (RDI) is conducting inspections of fixed internet service providers. Initial results show positive steps have been taken, but further improvements are needed to become truly digitally resilient and comply with current and future legislation. We therefore urge fixed internet providers to focus on enhancing digital resilience.
Through inspections, we assess the extent to which providers comply with the Telecommunications Act, which covers safe, reliable, and available telephone and internet networks. The inspections focus on three main topics from the law: the duty of care, the notification obligation, and interceptability. Attention is also given during visits to preparation for new laws and regulations.
Clear differences are visible between providers during inspections
Duty of care involves taking measures appropriate to the risks
Regarding the duty of care, it is noticeable that some providers have insufficiently implemented basic measures, such as two-factor authentication, encryption, and backups. Additionally, some providers lack a structured risk process: as a result, they have insufficient insight into the risks they face and the measures needed to manage them. Examples of risks include: account break-in attempts due to poor authentication, interception or manipulation of data due to missing encryption, data loss due to inadequately tested backups, and prolonged disruptions because incidents are not detected or resolved in time. The absence of structural monitoring and follow-up of incidents also means risks are often noticed too late or inadequately addressed. Other providers have this well organized and demonstrate active risk management.
Notification obligation involves structural monitoring and timely incident detection
Regarding the notification obligation, most providers have not yet established a working reporting process for security incidents, which poses significant risks. Providers are also not always clear about when an incident counts as ‘significant’. The notification obligation concerns incidents that seriously disrupt services, affect many users, cause prolonged outages, or cause major damage to the provider's own organization or to other organizations. Small-scale or short-term disruptions do not fall under this obligation. The RDI emphasizes that a well-functioning reporting process is essential to quickly report and handle incidents. This limits the negative consequences and allows faster recovery, benefiting the organization itself, its partners, and customers.
Interceptability obligation involves making the network interceptable for law enforcement and intelligence agencies
Finally, it was found that some providers’ networks are not yet interceptable for law enforcement and intelligence agencies, although this is a legal requirement. Agreements have been made with the parties concerned to bring this into compliance.
How the inspections proceeded
The investigation of fixed internet providers consisted of several steps. First, a questionnaire was sent to a selection of providers. This was followed by document research and on-site interviews. This approach provides insight not only into compliance with the Telecommunications Act but also into the context in which these providers operate. Where necessary, agreements were made to improve compliance. We also supervise the implementation of these agreements.
Recommendations to strengthen digital resilience
The RDI will continue this type of inspection in the coming year. Providers can prepare by evaluating and improving their processes for the duty of care, notification obligation, and interceptability where necessary.
- Duty of care: document which cybersecurity risks impact your organization/service and demonstrate the measures you have taken. Ensure you can justify that these measures are appropriate and proportionate for your situation. The five basic principles of digital resilience help with this: systematically map risks, promote safe behavior among employees, protect systems and devices through hardening and timely patching, strictly manage access according to the least-privilege principle, and prepare for incidents with clear response, recovery, and backup processes.
- Notification obligation: if you experience a security incident with significant consequences, you must report it to the RDI. Ensure your internal incident handling process is in order and that you can properly assess the severity of incidents. When in doubt, use the criteria from the decision on security and continuity of networks and services. Use the reporting procedure on the RDI website to report in time.
- Interceptability: ensure your network complies with legal requirements and that the necessary provisions are reliably and securely arranged. This can be done internally or via a specialized provider, provided they meet all legal and security conditions. Carefully document responsibilities and ensure appropriate protection of tap information and required administrative safeguards, such as a certificate of good conduct (VOG).
Looking ahead: next steps and focus points for the coming period
The RDI calls on fixed internet providers to focus on digital resilience. Initial results show positive steps have been taken, but further improvements are needed to comply with current and future legislation.
