To keep up with technological changes, the EU has raised the standards for digital network security. The Network and Information Systems (NIS) Directive took effect in the UK on 10th May 2018 and applies to digital networks and infrastructure used for a wide range of day-to-day activities.
The Directive’s Aims
The EU recognised that the digitisation of many essential everyday services, such as health care and air travel, leaves them exposed to hackers and to power and hardware failures; however, “Member States have very different levels of preparedness, which has led to fragmented approaches across the Union.”
The NIS Directive attempts to harmonise and strengthen the security of these digital systems. Since discussions on the Directive between the European Commission and Member States began, the need for such a Directive has been illustrated by: (i) attacks on Ukraine’s electricity network; (ii) the WannaCry attack, which caused chaos in the NHS; and (iii) the Spectre and Meltdown vulnerabilities, which compromise the security of computer chips.
Who Will it Impact?
The Directive’s definition of a network and information system covers the vast majority of private networks that transmit signals by mobile, radio, Internet, television and satellite. However, the Directive’s scope is narrowed to “operators of essential services” (OESs) and “digital service providers” (DSPs).
A relevant DSP or “RDSP” is a newly defined type of digital service provider. For an organisation to be an RDSP it must provide one of the following services: an online search engine, an online marketplace or a cloud computing service (IaaS or SaaS). RDSPs must also have their head office in the UK or have nominated a UK representative.
OESs are organisations that work inside the EU whose operations are essential in the maintenance of critical societal or economic activities, such as energy and electricity, transport, water, health and digital infrastructure. They must meet certain thresholds set by each Member State, for instance water suppliers must supply water to 200,000 people or more. Moreover, operators are not responsible for any non-essential services which they also happen to provide; this means that OESs such as airports, while responsible for displaying flight information, will not be responsible for any shopping areas they provide.
Some organisations and sectors are exempt from the Directive altogether where existing regulation is as strong as the NIS Directive’s specifications, for instance the finance sector, where FCA regulation is currently deemed adequate, and the civil nuclear sector. RDSPs are exempt where they have fewer than 50 employees or a balance sheet / turnover of less than €10 million.
OESs and RDSPs must take appropriate and proportionate security measures to manage risks and to prevent and minimise the impact of incidents. To expand on this requirement, the government has published a list of 14 high-level principles; however, each operator is left to determine exactly what is appropriate and proportionate for its own business.
The NCSC formulated a National Cyber Assessment Framework (CAF), as required by the Directive, which is based on the 14 principles. The CAF enables lead government departments, regulators and industry to assess the adequacy of an OES’s management of cyber security risks. It includes indicators of good practice which revolve around each principle.
The government have set some specific requirements. OESs and RDSPs must report all incidents to the relevant competent authority (CA), the CAs being the chief regulators under the Directive, within 72 hours. This is in keeping with the timescale of the GDPR. They will also be responsible for ensuring that third-party organisations in their supply chain comply with the required standards.
The government have also mandated fines for infringements. The legislation transposing the Directive contains a sliding scale: at one end, fines of up to £1 million may be applied for breaches which are not capable of causing an incident; at the other end, fines of up to £17 million may be applied for breaches that have caused or could cause an incident resulting in an immediate threat to life or a significant adverse impact on the economy.
CAs will determine the category of infringement. In the UK’s case, there will be multiple CAs: mostly government departments working alongside sector regulators. RDSPs, however, will be under the sole authority of the Information Commissioner’s Office. In addition to issuing fines, CAs can designate, direct and audit operators of essential services; publish guidance; and investigate incidents.
The government have also appointed GCHQ to be the UK’s Computer Security Incident Response Team (CSIRT). CSIRTs play a crucial role in supporting OESs and RDSPs in managing risks, and in enabling Member States to cooperate, support and exchange information with each other.
Interplay with GDPR
The issue of fines has proved controversial. Many organisations fear what might amount to “double jeopardy” if they are fined more than once, under both the NIS Directive and the GDPR. During consultation, the government listened to some of industry’s concerns about these fines and dispensed with fines calculated on an organisation’s global turnover. However, in principle, the new regime of the NIS Directive and the GDPR raises an organisation’s potential liability by a factor of 68: from £500,000 under the Data Protection Act 1998 to potentially a combined £34 million under the GDPR and the NIS Directive.