Today, Thursday 10 May 2018, The Network and Information Systems Regulations 2018 (“Regulations”) enter into force in the UK, implementing the Network and Information Security Directive, and introducing important new security compliance standards for companies and public bodies operating in areas of critical national infrastructure, as well as providers of certain digital services.
The aim of The Network Information Systems Directive 2016 (“NISD”) is to encourage cross-border collaboration between EU Member States in order to ensure a joined-up approach to cyber security to protect essential services and critical infrastructure from cyber-attacks.
The Regulations are concerned with network and systems security. They create a framework for nationally mandating state of the art security requirements for infrastructure operators, and impose reporting obligations in respect of security incidents.
The Regulations, which come into force just a few weeks in advance of the General Data Protection Regulation (“GDPR“) share some common themes with the GDPR, and there are areas of potential crossover. However, the scope of an in-scope organisation’s information impacted by the Regulations is broader than just personal data.
Which Organisations do the Regulations apply to?
The Regulations apply to two types of organisation:
- Operators of Essential Services (OESs)
These are organisations (public or private) within vital sectors that provide services essential to the economy and society which place a heavy reliance on information networks.
The essential services include, amongst others, the provision of transport, health services, the supply of drinking water and the provision of energy etc. Those who operate critical digital infrastructure, such as internet exchange points, domain name system service providers and top level domain name registries are also classed as OESs.
An organisation can be an OES if “an incident affecting the provision of that essential service by that person is likely to have significant disruptive effects on the provision of the essential service.”
The UK has published its list of OESs within the Regulations. Other EU Member States may adopt different interpretations in compiling their lists of OESs.
2. Digital Service Providers (DSPs)
This is an organisation that provides a digital service in the United Kingdom where the head office for that provider is in the UK or that provider has nominated a representative who is established in the UK. It does not include micro or small enterprises.
Digital services mean online market places, search engines and cloud computing services. These are defined terms within NISD which have been mirrored in the Regulations:
- An “online market place” means a digital service that allows consumers and/or traders [ …] to conclude online sales and service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace.
A recital to NISD confirms that price comparison sites are not to be considered as being online marketplaces but that app stores are.
- An “online search engine” means a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found.
- A “cloud computing service” means a digital service that enables access to a scalable and elastic pool of shareable computing resources.
DSPs not established in the EU but which offer services within the EU are considered to be within the scope of the Directive and are obliged to “designate a representative” based within the EU to act on its behalf under “written mandate” (which has parallels with the representative regime which non-EU organisations considering GDPR compliance will be grappling with).
Recitals to the Directive explain in more detail the circumstances in which non-EU established DSPs would be considered to be ‘offering services within the Union’.
Both OESs and DSPs must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems.
These measures taken must, having regard to the state of the art, ensure a level of security of network and information systems appropriate to the risk posed (again, language which will be familiar to those acquainted with the GDPR).
Who are the UK Regulators?
The OESs and DSPs will be regulated by their relevant Competent Authority (CA).
The UK has published, in the Regulations (at Schedule 1), its list of CAs in respect of the OESs, which are sector specific. For example, the Secretary of State for Health (supported by NHS Digital) will be the CA for the healthcare sector, and Ofcom will be the CA for the telecoms sector.
The Information Commissioner’s Office (ICO) will be the CA in respect of the DSPs.
What should be reported to the Regulator?
An OES must notify their designated CA “about any incident which has a significant impact on the continuity of the essential service which that OES provides”.
In order to determine the significance of the impact of an incident an OES must have regard to the following factors:
(a) the number of users affected by the disruption of the essential service;
(b) the duration of the incident; and
(c) the geographical area affected by the incident.
A DSP must notify the ICO “about any incident having a substantial impact on the provision of any of the digital services […] that it provides.” The requirement to notify is only if the DSP has access to information which enables it to assess whether the impact of an incident is substantial.
In order to determine whether the impact of an incident can be determined to be ‘substantial’, the DSP must take into account:
(a) the number of users affected by the incident;
(b) the duration of the incident;
(c) the geographical area affected by the incident;
(d) the extent of the disruption to the functioning of the service; and
(e) the extent of the impact on economic and societal activities.
It must also assess whether at least one of following situations has taken place:
(i) the service provided was unavailable for more than 5,000,000 user-hours;
(ii) the incident has resulted in a loss of integrity, authenticity or confidentiality of data or related services affecting more than 100,000 users in the EU;
(iii) the incident has created a risk to public safety, public security or of loss of life;
(iv) the incident has caused material damage exceeding EUR 1,000,000 to at least one user in the EU.
Currently, the position appears to be that companies operating in a number of Member States should notify the appropriate local CA for each country. Further guidance is expected from the Cooperation Group.
The maximum financial penalty for breach of the Regulations will be GBP 17,000,000.
This will cover all contraventions, such as failure to cooperate with the relevant CA, failure to report a reportable incident, failure to comply with an instruction from the CA and failure to implement appropriate and proportionate security measures.
It will be possible to be fined under both the Regulations and the GDPR for the same incident (so-called ‘double jeopardy’) provided there are distinct bases for doing so (i.e. there is a breach of data protection law, and a separate breach of the Regulations).
What Role will the National Cyber Security Centre play?
The National Cyber Security Centre (NCSC) (part of GCHQ) will not regulate the Regulations; its role is to provide technical support and guidance.
It has three supporting roles in respect of the Regulations:
- Single Point of Contact (SPOC) – for engagement with EU partners, coordinating requests and submitting annual incident statistics;
- Computer Security Incident Response Team (CSIRT) to provide advice and support where reported incidents are identified / suspected of having a cyber security aspect.
- Technical Authority on Cyber Security – to support OESs and CAs with advice/ guidance and act as a source of technical expertise.
The Use of Outsourcing / Third Party Suppliers
If an organisation relies on third parties (such as outsourced or cloud based technology services) it remains accountable for the protection of any essential service. When entering into contracts with service providers, it is essential to flow down terms which reflect the security measures required in the Regulations.
The OES must be confident that all relevant security requirements are met regardless of whether the organisation or a third party delivers the service.
Therefore, a number of specific supply chain related security considerations should be addressed, where relevant, to the provision of the essential service. This might include:
- Ensuring that data shared with a third party is protected, for example, from actions such as unauthorised access, modification, or deletion that may cause disruption to the essential services;
- Effectively specifying the security properties of products or services procured from a third party that are important for the protection of the essential service;
- Ensuring that any network connections or data sharing with third parties do not introduce unmanaged vulnerabilities that have the potential to affect the security of the essential service; and
- Having confidence that third party suppliers used are trustworthy so malicious attempts to subvert security of products or systems that could affect the essential service are managed properly
Advice on supply chain security can be found on the NCSC website.