The UK government has published its response to a public consultation on the EU Directive on security of network and information systems (NIS Directive) that opened in August last year. The response sets out the UK’s vision for improving the security of the UK’s essential services by implementing the NIS Directive.
The NIS Directive
The NIS Directive provides legal measures to increase the overall level of network and information system security in the EU by: establishing national frameworks to promote the security of network and information systems; setting up a cooperation group to facilitate strategic cooperation and information exchange, and a Computer Security Incident Response Team (CSIRT) network to promote cooperation on specific security incidents; and ensuring the security framework is applied effectively across vital sectors.
Businesses in vital sectors will have to take appropriate and proportionate security measures to manage risks to their network and information systems. Operators of essential services are also required to notify serious incidents to relevant authorities. Key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with security and incident notification requirements established under the NIS Directive.
The consultation response offers some insight into the as yet unpublished UK implementing legislation for the NIS Directive, particularly in relation to the National Cyber Security Council (NCSC), operators of essential services, digital service providers and interaction with the General Data Protection Regulation (GDPR).
National Cyber Security Council
The NCSC remit will be to provide support, expert advice and incident response assistance, and to develop cybersecurity guidance and standards, as well as holding an advisory role in relation to UK CSIRTs. The NCSC is unlikely to have any regulatory or enforcement functions.
Operators of essential services
In Annex 1, the response lists essential services and identification thresholds. It includes entries for drinking water supply and distribution, energy, digital infrastructure, health and transport. The response also clarifies that each competent authority will have the power to designate operators of essential services, investigate incidents, notify the public and either audit or require an audit of operators.
Digital service providers
Digital service providers will include software-as-a-service providers, online marketplaces (platforms acting as an intermediary between buyers and sellers, facilitating the sale of goods and services), online search engines and cloud computing services. Digital service providers are required to report substantial incidents to their relevant CSIRT (the NCSC in the UK), “without undue delay” and in a manner that allows the CSIRT to determine if there has been any cross-border impact.
Interaction with the GDPR and penalties
The UK acknowledges the overlap between the NIS Directive and the GDPR and the government intends that the two should run in harmony as much as possible.
Businesses have previously expressed concern about being fined twice, under the two separate pieces of regulation, for the same incident. The government has noted these concerns, but also highlighted that there could be valid grounds for fining an organisation twice if the incident in question related to different aspects of the wrongdoing. The implementing legislation will encourage competent authorities to work together to promote consistency and ensure that any penalties are reasonable, appropriate and proportionate and take into account mitigating factors, with the objective being that penalties are a ‘last resort.’
However, because of the link with the GDPR, penalties for the most severe cases could reach a maximum of £17 million.
The response is clear that there will be further guidance issued before May 2018, including pieces on the role and responsibilities of competent authorities, incident reporting and reporting thresholds. The NIS Directive was adopted by the European Parliament on 6 July 2016. Member States have until 9 May 2018 to transpose the NIS Directive into domestic legislation. The UK should be publishing draft legislation in the short term if it is to meet the 9 May deadline.