The UK Government Department for Business, Innovation and Skills (BIS) has issued an impact assessment (IA) at the end of September on the draft Network and Information Security Directive (the Directive) proposed by the European Commission on 7 February 2013. The Directive aims to achieve a common high level of network and information security across the EU to harmonise existing discrepancies between national strategies.
To achieve this, the proposed Directive mandates:
- All Member States must within one month establish competent authorities for network and information security and set up national Computer Emergency Response Teams (CERTs)
- A cooperation network must be set up between competent authorities enabling secure and coordinated information exchange as well as an early warning system to allow effective detection and response in relation to network information security incidents
- A culture of risk management and information sharing between private and public sectors must be developed
- A system of reporting to the relevant competent authority of any incidents seriously compromising an entity’s networks and information systems must be established
- National competent authorities must impose sanctions, initiate audits and publicise incidents
To assess the impact this Directive could have in the UK, BIS initiated a call for evidence on 22 May 2013 to create a baseline. It found that £1.98 billion is currently spent on security annually. Large organisations spend £1.45 billion in total, averaging £540,000 each, whilst SMEs account for £533 million in total, averaging £26,000 each. The potential impact of the Directive is estimated as follows:
- 22,935 businesses in the UK will be affected
- Additional security spending will amount to between £992.1 million and £1,984.2 million
- Large organisations will have to increase average spending by an extra £270,000-£540,000, whilst small organisations will have to increase average spending by an additional £13,000-£26,000
- An overall benefit of £860.6 million is estimated if 5,000-10,000 of affected UK organisations can achieve benefits of £27,000 by preventing 50% of cybersecurity incidents
Beyond the figures, the IA also highlights some key concerns:
- Setting a minimum level across the EU could result in a tick-box approach to compliance
- In many sectors, reporting infrastructures already exist with industry regulators. Additional reporting obligations could lead to duplication of procedure increasing the administrative burden and causing resources to be diverted to dealing with compliance.
- The scope of businesses likely to be affected is overly expansive and could impose disproportionate obligations on small businesses
- Imposing mandatory reporting obligations as opposed to the voluntary approach could create a compliance culture discouraging information sharing
- Audits, sanctions and publication of breaches could penalise organisations with strong capabilities for detecting breaches and disincentivise reporting
- Establishing a new national competent authority could be costly and unnecessary
- A pan-European response framework is likely to inhibit and slow down effective national measures for incidents
- Greater information sharing between national competent authorities poses significant inherent security risks
That said, BIS are hopeful that the Directive will prove flexible in approach and will deem the existing voluntary measures and the existing high-level strategy in the UK sufficient. However, until the scope and thresholds under the Directive are confirmed, it is only possible to speculate how costly its impact could be.