The government has published its response to the April 2018 targeted consultation on the Security of Network and Information Systems Directive (NISD). The targeted consultation specifically addressed how NISD will apply to Digital Service Providers (DSPs) in the UK, focusing on the identification of DSPs, security measures and further guidance. This follows the government’s public consultation in August 2017 (see our earlier blog post on that consultation).

The targeted consultation received 12 responses that largely showed support for the government’s overall approach. Concerns were expressed, however, regarding the uncertainty over who falls within NISD’s scope and the subject of costs recovery.

As the Network and Information System Regulations 2018 (the NIS Regulations) are already in force, the targeted consultation process will be used to assist the Information Commissioner’s Office (ICO) in providing updated guidance to DSPs. The government’s response, therefore, provides a useful insight into the future guidance on this topic, which will directly affect the regulation of DSPs in the UK.
Continue Reading The UK responds to NISD consultation

The UK government has published its response to a public consultation on the EU Directive on security of network and information systems (NIS Directive) that opened in August last year. The response sets out the UK’s vision for improving the security of the UK’s essential services by implementing the NIS Directive.

The NIS Directive

The NIS Directive provides legal measures to increase the overall level of network and information system security in the EU by: establishing national frameworks to promote the security of network and information systems; setting up a cooperation group to facilitate strategic cooperation and information exchange, and a Computer Security Incident Response Team (CSIRT) network to promote cooperation on specific security incidents; and ensuring the security framework is applied effectively across vital sectors.

Businesses in vital sectors will have to take appropriate and proportionate security measures to manage risks to their network and information systems. Operators of essential services are also required to notify serious incidents to relevant authorities. Key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with security and incident notification requirements established under the NIS Directive.
Continue Reading UK government publishes response to its consultation on the Directive on security of networks and information systems

The Information Commissioner, Ms Elizabeth Denham, has published her comments on the European Commission’s consultation on the draft implementing regulation (“Implementing Regulation”) of the Network and Information Security Directive ((EU) 2016/1148) (“NIS Directive”).

The Implementing Regulation sets out the further elements that need to be taken into account by digital service providers (“DSPs”) under the NIS Directive for managing the risks posed to the security of their network and IT systems from cybersecurity threats, and sets out further parameters to determine whether an incident has a ‘substantial impact’ on their service.

While the Information Commissioner recognises the need to increase security of essential services, she cautioned against the ‘setting [of] overly rigid parameters for the determination of an impact which is substantial’, as this may be undesirable and ‘could lead to a failure to report incidents’.

Background

The Information Commissioner published her comments on the basis that it is proposed that the ICO will be the competent national authority in the United Kingdom for the regulation of DSPs under the NIS Directive. DSPs are:

  • Cloud service providers
  • Online market places
  • Search engines

The NIS Directive details some of the factors which must be considered when assessing whether a breach has had a ‘substantial impact’. The Implementing Regulation expands on these factors and also provides specific parameters for when a notification will be required (e.g., if the incident caused material damage to a user which exceeds €1 million, or if the incident affected the provision of the services in two or more Member States).

Under the NIS Directive, a DSP will have to notify its competent national authority if it suffers an incident which has a ‘substantial impact’ on the service provided by a DSP.
Continue Reading ICO publishes response to consultation on European Commission’s implementing regulation to the NIS Directive

The security and reliability of the UK’s IT infrastructure remains a key priority for the government. In August 2017, the Department for Digital, Culture, Media and Sport launched a public consultation on its plans to transpose the Network and Information Systems Directive (‘NIS Directive’) into UK legislation. (As we reported earlier this year, the UK has until 9 May 2018 to implement the NIS Directive into its national laws.) The closing date for responses is 30 September 2017, and the consultation is aimed at industry participants, regulators and other interested parties.

Tackling growing cyber risks

As society becomes increasingly reliant on information technology, the potential impact of failure in those systems is also rising. Recent events point towards an increase in the scale, frequency and gravity of cyber attacks. The recent WannaCry ransomware attack illustrates only too well the adverse effects that can result from a security breach.

The European Commission’s aim with the NIS Directive is to increase the security of network and information systems within the EU. The government has announced that it supports that overall aim, and recognises the need to improve the security of UK network and information systems, with a particular focus on “essential services”. The proposal is that (subject to meeting certain thresholds) service providers operating in the following sectors should qualify as providing an “essential service”: energy, health, digital and transport (air, road and maritime). Among the NIS Directive’s provisions are duties for operators of essential services to:

  1. Take appropriate and proportionate technical and organisational measures to manage security risk; and
  2. Take appropriate measures to prevent and minimise the impact of any incidents affecting the security of the network and system used to provide the service.

Continue Reading UK government posts new NIS Directive consultation addressing cybersecurity threats

On 5 July, the European Commission (“EC”) published a communication outlining measures to improve resilience to cyber incidents, improve cooperation and information sharing, and promote innovation and competition in the European cybersecurity industry.


The communication highlights the EC’s intention to take cooperation, knowledge, and capacity to the next level, particularly through the imminent introduction of