The security and reliability of the UK’s IT infrastructure remain a key priority for the government. In August 2017, the Department for Digital, Culture, Media and Sport launched a public consultation on its plans to transpose the Network and Information Systems Directive (‘NIS Directive’) into UK legislation. (As we reported earlier this year, the UK has until 9 May 2018 to implement the NIS Directive into its national laws.) The closing date for responses is 30 September 2017, and the consultation is aimed at industry participants, regulators and other interested parties.
Tackling growing cyber risks
As society becomes increasingly reliant on information technology, the potential impact of failure in those systems is also rising. Recent events point towards an increase in the scale, frequency and gravity of cyber attacks. The recent WannaCry ransomware attack illustrates only too well the adverse effects that can result from a security breach.
The European Commission’s aim with the NIS Directive is to increase the security of network and information systems within the EU. The government has announced that it supports that overall aim, and recognises the need to improve the security of UK network and information security systems, with a particular focus on “essential services”. The proposal is that (subject to meeting certain thresholds) service providers operating in the following sectors should qualify as an “essential service”: energy, health, digital and transport (air, road and maritime). Among the NIS Directive’s provisions are a duty for operators of essential services to:
- Take appropriate and proportionate technical and organisational measures to manage security risk; and
- Take appropriate measures to prevent and minimise the impact of any incidents affecting the security of the network and system used to provide the service.