On 6 July the European Parliament approved the Network and Information Security Directive (the “NIS Directive” – aka the ‘Cybersecurity Directive’) which sets out a common framework for EU Member States’ responsibilities and obligations in relation to cyber security.
The cybersecurity threat
Organisations of all sizes are under the constant threat of theft of intellectual property from systems, private data being compromised and leaked online or fraudulent activity taking place using corporate systems or gaining access via so-called ‘social engineering’ attacks.
The UK Government Cyber Security Breaches Survey 2016 Report illustrates the gravity of the cybersecurity risks facing businesses:
- 65% of large firms detected a cybersecurity breach or attack in the past year;
- 25% of large firms that detected a breach experienced at least one per month;
- The average cost of a breach to a large organisation is £36,500;
- Only 13% of all businesses set cyber security standards for their suppliers.
In an increasingly interconnected and interdependent commercial world these risks are faced by organisations across jurisdictions and borders. Recognising this, the ‘Cybersecurity Strategy for the European Union’ and the ‘European Agenda on Security’ have been launched over the last 3 years to rise to these challenges.
The goal of these EU initiatives is to provide the overall strategic framework for the EU approach to cybersecurity and cybercrime, and this latest development introduces enhanced responsibilities for essential and digital service providers.
What does the NIS Directive do?
The NIS Directive introduces minimum standards and levels of cyber security across EU Member States for certain types of organisations. The NIS Directive will regulate private and public operators of “essential services” in industries like energy, financial services, transport, banking, and water.
The NIS Directive also includes requirements for digital service providers (“DSPs”), such as online marketplaces, online search engines or cloud computing service providers (but not social networks, which were removed from the definition of DSP after appearing in earlier drafts).
Organisations with fewer than 50 employees are generally exempt from the NIS Directive.
Organisations covered by the NIS Directive will be under an obligation to report any security incidents to the national competent authority set up by the Member State to monitor the application of the Directive. The Directive requires any security incidents which have an “actual adverse effect” on the security of networks and information systems to be reported. As a result, organisations need to consider and adopt common steps to manage the cybersecurity risk.
What impact will the NIS Directive have on UK businesses?
Key issues for organisations to consider are:
- Security and incident reporting;
- Voluntary reporting;
- Enforcement and sanctions; and
- Information sharing.
In real terms this will mean further investment in organisational security. Investment will be required both in physical IT hardware and in the improved security policies, practices, monitoring and reporting standards that organisations will need to adopt.
A significant issue for DSPs to consider is the incident reporting requirements and when an incident is considered to have a ‘substantial impact’ on the DSP’s services.
Assessing whether or not an incident has a substantial impact will require consideration of the number of people affected, the duration, the location, and the impact on users and on the organisation itself. Businesses should therefore ensure they have the monitoring, systems and processes in place to quickly assess the nature of any security incident, and have the data and analytics readily available to conclude whether an issue has had, or is likely to have, a substantial impact.
When will the NIS Directive come into force?
The NIS Directive comes into force in August 2016. EU Member States will then have 21 months to implement it through national legislation.
Will the NIS Directive be affected by Brexit?
It is possible that the deadline for Member States to implement the NIS Directive will pass before Brexit takes place. At the time of writing, it is unclear to what extent the UK will continue to legislate in accordance with directives coming from the EU following or in the run-up to Brexit.
However, irrespective of the UK legal landscape post Brexit, as with the forthcoming General Data Protection Regulation (GDPR) businesses in the UK need to be aware of their responsibilities.
This is especially critical for DSPs offering services EU-wide. The NIS Directive requires organisations without a place of establishment in the EU to designate a representative in an EU Member State where they offer services. UK businesses offering services in the EU will therefore continue to be subject to the NIS Directive notwithstanding Brexit.
You can find out more about the practical implications of Brexit on our Brexit Hub.
The NIS Directive will be implemented in the UK by national legislation.
Whilst the Government has not yet published its proposals, there are steps that you can take to prepare for the NIS Directive, such as reviewing your internal security policies to identify potential gaps in your procedures.
The NIS Directive can also be used as a means of opening up a dialogue generally within your organisation around internal security policies, IT security and staff training and the need for further investment in these areas to ensure compliance with the NIS Directive and the GDPR.