Despite the apparent focus on “essential systems”, the new rules are broader in scope than you might think and will require many organisations to review their approach to cyber-security.
In light of the increasing number of global cyber-attacks which cause havoc to the economy and society, the European Commission agreed in December 2015 its proposals to increase online security through a set of EU-wide rules on cyber-security – the Network and Information Systems EU Directive. The aim of the Directive is to ensure that critical IT infrastructure, in key sectors of the economy across the EU, is protected from cyber-security threats.
The Government recently carried out a consultation on how best to implement the Directive in the UK. The Government’s formal proposals are expected before the end of the year.
Implementation of the Directive forms part of the UK Government’s £1.9 billion, five-year National Cyber Security Strategy, published in November 2016.
The Directive focuses on “essential systems” such as energy, health, banking and financial markets, transport, water and digital infrastructure. It is intended to minimise the considerable impact of cyber-attacks on critical areas of the economy. Key businesses in these sectors, referred to as “operators of essential services”, and key digital service providers are subject to the legislation.
Operators of essential services must take appropriate and proportionate security measures to manage risks, and report serious incidents to the relevant authority. The security incident notification obligations also apply to key digital service providers (such as search engines, cloud computing services and online marketplaces).
A primary purpose of the Government’s consultation was to consider which businesses should qualify as “operators of essential services”. The onus is on the UK to identify its operators of essential services, and the Consultation itself sets out various proposed thresholds to invite comments on this aspect.
Only operators with head offices in the UK must comply with implementation legislation (to prevent confusion over multiple national regulations across the EU). As with the General Data Protection Regulation (GDPR), organisations offering services in the EU but headquartered outside it will need to appoint an EU representative, which may lead to forum shopping.
What are the key issues?
- Implementation date. The Directive must be transposed into national laws by 9 May 2018. The UK Government has confirmed that it will implement the Directive, regardless of Brexit.
- Identify whether your organisation might be in scope. We will probably need to wait until the Government publishes its formal proposals before we know exactly which organisations are in scope.
- Note the sub-contractor flow-down. Businesses that are not caught as “operators of essential services” but provide outsourced services or IT may be indirectly subject to the Directive as the obligations are likely to flow down the supply chain. This is due to an obligation on operators to ensure “that appropriate measures are employed where third party services are used”.
- As an organisation, are your security measures up to scratch? Ensure your organisation has appropriate measures in place to manage security risks and report serious incidents. Your security measures should be sufficiently robust to comply with potential requirements under the NIS Directive and GDPR.
- Clarity required around the term “appropriate security measures”. Further guidance from the Government, the National Cyber Security Centre and competent authorities in essential sectors is expected.
- Serious penalties for serious breaches. Organisations caught by the scope of the Directive may face fines of up to €20 million or 4% of global turnover (whichever is higher) for serious breaches of cyber-security standards. The power to fine mirrors that under GDPR. It has been suggested that fines under the Directive will be separate from those under GDPR, raising the question of whether there is scope for double liability for victims of cyber-attacks that result in loss of service (NIS Directive) and loss of data (GDPR).

We need further clarification on several points, including what security measures would be considered “appropriate” (a point on which we also await further guidance under GDPR). However, with less than eight months to go until the NIS Directive and the GDPR come into force, organisations should be looking at what security measures they have in place to ensure that they are ready by May 2018.
Claire Shepherd-Malins is a Senior Solicitor at Brodies LLP