On 8 August 2017, the Department for Digital, Culture, Media & Sport issued a public consultation on its plans to implement the Network and Information Systems (NIS) Directive - also known as the Cyber Security Directive - into UK legislation.
The aims of the NIS Directive
The aim of the NIS Directive, which will be implemented into law for the whole of the UK by 9 May 2018, is to increase the overall level of cyber-security within the European Union. Requirements on Member States under the NIS Directive include adopting a national strategy and regulatory measures for operators of essential services (OES) within the energy, transport, banking, financial market infrastructure, health, water production and digital infrastructure sectors, and for digital service providers (DSPs) of particular kinds, namely online marketplaces, online search engines and cloud computing service providers. For more on the NIS Directive see our previous briefing, "What can your business do to improve cyber security".
The NIS Directive requires OES and DSPs to adopt appropriate measures to manage security risks and to report incidents above certain thresholds to national competent authorities without undue delay.
The Government's implementation proposals
The consultation paper confirms the Government's support for the aims of the NIS Directive and sets out its proposed implementation approach, which will compel OES to ensure they are taking the necessary action to protect their IT systems.
The consultation paper includes, amongst other items:
- the criteria for identifying those OES which will be covered by the NIS Directive. Appendix one contains a table of proposed sectors, essential services and identification thresholds; the thresholds are set at a level intended to capture only what the Government views as the most important operators, rather than the whole of each sector. The Government is also proposing a reserve power to designate specific operators as OES where there are valid reasons to do so, for example on grounds of national security, without broadening the scope of the Directive.
- the proposed high-level security principles (appendix three) describing the mandatory security outcomes that OES will be required to achieve. OES will be expected to have measures in place to meet the requirements of the high-level principles from the time the legislation comes into effect - 10 May 2018. Generic and sector-specific guidance will be issued by the National Cyber Security Centre (NCSC) and the competent authorities over time.
- the proposed reporting regime. Incidents will be reported to a single body, the NCSC, and there should also be voluntary reporting of incidents that do not meet the reporting threshold set out in the NIS Directive, so extending beyond the strict obligation. The obligation will be to report without undue delay and no later than 72 hours after having become aware of an incident; this timescale is chosen for consistency with other legislation, in particular the GDPR, with the aim of minimising the regulatory burden. However, it should be noted that the NIS incident reporting requirements may cover incidents that would not need to be notified under the GDPR, and vice versa.
- the criteria for determining whether companies fall within the NIS Directive definition of a DSP, and the high-level security principles proposed for them. It is intended that the guidance will follow the European Network and Information Security Agency (ENISA) guidance as closely as possible, as well as the requirements of the General Data Protection Regulation (GDPR). However, a further, smaller and targeted consultation for DSPs is proposed, because the framework for DSP security and incident reporting requirements, which is to be set at a European level, had not been published when the consultation was issued.
- the penalty regime. The Government intends to adopt a penalty regime similar to that applicable under the GDPR. It proposes two bands of penalties:
- Band one - a maximum of EUR 10m or 2% of global turnover for lesser offences as defined
- Band two - a maximum of EUR 20m or 4% of global turnover (whichever is greater) for failure to implement appropriate and proportionate security measures.
This mirrors the penalty regime under the GDPR. It is intended that penalties will be imposed only as a last resort, where it is assessed that appropriate risk mitigation measures were not in place without good reason. However, because the NIS Directive and the GDPR are distinct regimes and a single incident could need to be notified under both, it is at least conceivable that one failure could lead to fines under both the legislation implementing the NIS Directive and the GDPR, and therefore to a total penalty in excess (potentially significantly so) of the maximum under either.
Perhaps of most interest is the number of OES and DSPs which it is anticipated will be subject to the NIS Directive. The Impact Assessment accompanying the consultation attempts to estimate those numbers. In the case of OES the numbers are relatively small, given the number of businesses potentially in scope by standard industrial classification:
- It is estimated that there are 19 OES in the drinking water supply and distribution industry out of the 75 in scope; 6 in digital infrastructure out of the 2,035 in scope; 51 in energy out of the 2,155 in scope; 243 in health out of the 37,495 in scope; and 79 in transport out of the 5,960 in scope. However, it is noted that these figures represent the lower bound of companies covered.
- As for DSPs, the Impact Assessment concludes that there are currently no search engines (as defined) based in the UK that would be subject to the NIS Directive. Two online marketplaces have been identified as qualifying, but only through internet research, and they may ultimately be excluded if further investigation shows them to be small or micro enterprises or based outside the UK. 169 cloud service providers have been identified.
However, even if service providers are not caught directly by the respective thresholds, they may still find themselves subject to the proposed security measures where these are imposed on them contractually. OES or DSPs which are subject to the NIS Directive and depend on external suppliers are obliged to ensure that appropriate measures are employed where third-party services are used, and they will invariably seek to pass on to those suppliers the potential liability for failing to meet the necessary measures.
It should also be noted that:
- For both OES and DSPs, only one Member State will be responsible for each organisation. Only those that have their head offices in the UK will be regulated by the UK.
- The identification process for OES was not carried out for the banking and financial market infrastructure sectors within scope of the NIS Directive, because provisions at least equivalent to those specified in the NIS Directive will already exist by the time it comes into force. Firms and financial market infrastructure within these sectors must continue to adhere to the requirements and standards set by the Bank of England and/or the Financial Conduct Authority. The consultation document confirms that it is the UK Government's intention that, on exit from the EU, this legislation will continue to apply in the UK.
The consultation seeks views from industry, regulators and other interested parties by 30 September 2017.