Today marks the adoption by each Member State of the European Union of an important piece of EU legislation, the Network and Information Systems Directive (NISD). This legislation responded to a drive to develop a common approach across Europe to address the potential for socio-economic damage caused by attacks on the network and information systems of operators of essential services. Watch Simon Shooter's previous overview video here and find out why this isn't just another piece of legislation here.
Who does it impact?
The key parties affected by NISD are the Operators of Essential Services (OES) and Digital Service Providers (DSPs). For the UK in general terms we can expect the following to be OES:
- Providers of drinking water to more than 200,000 people
- Electricity, Oil and Gas providers, distributors and system operators
- Digital Infrastructure operators – domain registries, domain name service providers, internet exchange operators
- Health care providers
- Transport operators – Air, Maritime, Road and Rail
DSPs are operators of:
- online marketplaces
- online search engines
- providers of cloud services.
If you're unsure what exactly a DSP is or whether your business might be categorised as one for the purposes of NISD you can find out more by reading our previous article here and watching our video here.
Other parties who need to be aware of NISD are suppliers to OES and DSPs. A clear focus is placed on OES and DSPs having responsibility for ensuring that their supply chain have appropriate measures in place and those are inevitably going to track the measures outlines in NISD related guidance. Watch our video here.
What exactly will these essential operators and DSPs need to do to demonstrated they are compliant? And what are the sanctions for non-compliance?
OES and DSPs must demonstrate they have appropriate and proportionate security measures in place to manage the risks posed to their network and information systems; demonstrate they have appropriate measures in place to prevent or minimise the impact of incidents affecting the security of their systems; and be ready to report significant incidents to their relevant competent authority.
For more information, watch Simon's video here.
Will the adoption of NISD vary from one jurisdiction to the next?
As NISD is a directive, rather than a regulation. Accordingly, Member States have discretion as to how they will adopt the directive into their national law. That includes determining who qualifies as OES and DSPs and setting the sanctions for non-compliance. Sanctions vary from one jurisdiction to the next. For example, the ultimate sanction in the UK a breach of the regulation company is a corporate fine of up to £17m. In France, however, the approach is different, with company directors looking at personal fines of up to €120,000. Watch our video to find out more.
If you are unsure whether you may qualify as an OES in more than one Member State and how your business will be affected, you can refer to Bird & Bird's handy country by country guide to NISD here.
Does this require a lot of work? If I haven't done anything yet is it too late to start?
The good news is that much of the building blocks for compliance should already be in place and the additional work should not be too time consuming or difficult. When it comes to demonstrating an appropriate and proportionate security measures in place, businesses need to conduct an assessment of their networks and information systems, evaluate current security methods, practices and security assets and adopt a governance methodology that demonstrates they are regularly reviewing and improving their approach. Businesses may find it more challenging to demonstrate they are prepared to address a cyber incident. However, getting match fit for this aspect should not be overly expensive or time consuming. Businesses need to formulate incident response plans; agree and align response teams; put in place communication plans; educate staff; and test and rehearse plans, just as they would a fire drill.
Finally, on reporting, businesses must come up with a fit-for-purpose methodology to ensure significant incidents can be reported to the relevant authorities. More information on how to get started and who to involve, watch our video here.
There is also time to put measures in place. There is likely to be a period of up to a year allowed for those affected to get their houses in order before enforcement is expected.
When will we know more?
The final definitions by each Member State of OES and DSPs are expected by November 2018 and we expect government and competent authority guidance by the end of the year. Watch our video here.