On 7 August 2017, alongside the UK government’s widely-publicised announcement on the implementation of the EU’s General Data Protection Regulation (the GDPR) (covered here), the consultation document for the Network and Information Security (NIS) Directive was also released by the Department for Digital, Culture, Media and Sport.
In contrast to the GDPR, as NIS is a Directive, the government has some flexibility regarding the implementing regulations that will give it legal effect. The purpose of the consultation is to gather feedback on the proposed nature and scope of those regulations.
If the NIS Directive is implemented in accordance with the government’s proposals, operators covered by its scope would be facing fines of up to €20million, or 4% of global turnover, for breaching cyber security standards. The responsibilities for issuing guidance and enforcing standards would fall to a number of sector-specific regulators, although with the NIS Directive due to be implemented by 25 May 2018, operators will be looking for that guidance sooner rather than later, to ensure they are compliant.
As the WannaCry attack highlighted, cyber-attacks do not always involve personal data, and therefore may not come under the remit of data protection legislation.
The Directive aims to ensure that providers of ‘essential services’ and digital services have appropriate protections in place to protect their operations from cyber threats, whatever their nature.
What are “essential services” and digital services”?
The “essential services” identified by the Directive are:
- Energy: electricity, oil and gas;
- Transport: air, rail, water and road;
- Banking: credit institutions;
- Financial market infrastructure: trading venues, central counterparties; Health: healthcare providers; and
- Water: drinking water supply and distribution.
There is also a separate regime for digital services, including search engines, online market places and cloud computing/storage.
The consultation’s aim is to ensure that only the “most important” operators in each of the essential service categories above are covered by the implementing regulations, apparently in an attempt to avoid excessive regulation, which could be costly to both businesses and regulators. Relative importance is assessed by reference to the potential for a “significant disruptive effect” in the event that an entity’s services are compromised.
A full list of the UK government’s criteria for determining proposed “operators of essential services” (“OES”) is set out in Annex 1 of the consultation document. However, it is notable that banking and financial markets service providers are excluded from the scope of the implementing regulations, as a result of the requirements already in place (or planned) for these institutions from their existing regulators. Digital services providers are also excluded from the definition of OES, as they will be subject to lighter regulation.
Aside from the entities identified by the categories in the consultation, the government will also reserve a right to nominate other entities, where a disruption in their services would present a threat to national security, public safety or it would have a significant adverse social or economic impact.
How will the regulatory regime operate?
One of the big questions answered by the consultation is how compliance with the Directive’s requirements would be regulated. The regime will be supported at a national level by the National Cyber Security Centre (NCSC), which was established in 2016. The NCSC will also act as the UK’s single point of contact for liaison on NIS matters within the EU (as required under the Directive).
However, rather than nominating a single regulator (such as the Information Commissioner’s Office (ICO) as is the case for data protection), the government’s proposal is to give regulatory powers to a range of industry-specific regulators. These include the Departments for Transport and Business Energy and Industrial Strategy, Ofcom and NHS Digital. The ICO will be given responsibility for digital services providers. A full list of proposed regulators (referred to as “competent authorities”) and their responsibilities is set out in Annex 2 of the consultation.
Each competent authority will have responsibility for issuing guidance, setting reporting thresholds and taking enforcement action. While the industry-specific knowledge of each competent authority is likely to valuable in producing applicable guidance, there is a risk that some competent authorities could be perceived to have a ‘lighter touch’ than others.
What standards will apply ?
The high-level requirements in the Directive are for OES to ensure that appropriate measures are taken to manage the risk of a cyber-incident and to minimise the impact if an incident occurs.
Annex 3 of the consultation contains proposals regarding “high level principles”, which would be supported by more detailed guidance, both on a cross-sector basis, but also from the sector-specific competent authorities. The proposed high-level principles contain no surprises, but will require a lot more detail before OES can be certain that they are compliant with requirements. Helpfully, the consultation states that the competent authorities will provide detail on:
- minimum expectations for security;
- “what ‘good’ looks like for each sector”; and
- a framework for assessing compliance with standards.
Competent authorities will also have powers to issue specific, binding guidance to specific OES, even without an incident having taken place (although this will not apply to digital services providers).
The Directive also imposes an obligation to report a cyber incident meeting certain thresholds “without undue delay.” The consultation clarifies that the UK government would see this as meaning “without undue delay and as soon as possible, at a maximum no later than 72 hours after having become aware of an incident.”
What sanctions will apply?
As was generally expected, the consultation proposes fines that are at similar levels to those under the GDPR. Therefore, the maximum fine for breach of the implementing regulations would be the greater of €20 million, or 4% of global turnover. These fines would apply to failures to implement appropriate security measures.
There will also be a lower category of breaches, for which the maximum fine will be the greater of €10 million or 2% of global turnover, for more minor issues, including failure to report.
The consultation stresses that a security incident will not automatically lead to a fine and that a fine should only be used in circumstances where a competent authority concludes that there was no good reason for a lack of adequate protection. It also notes that the maximum fines should only be levied for the “most egregious incidents”.
What happens next?
The consultation will close on 30 September 2017, and the UK Government has promised to analyse feedback and issue a formal response within 10 weeks of that date (so 8 December 2017).
At present, compliance with the high level principles should be achieved by 10 May 2018, although the detailed guidance from each competent authority is not expected until November 2018.
Looking further forward, while the ultimate effect of Brexit is yet to be seen, the consultation makes it clear that the government “supports the overall aim” of the NIS Directive. This fits with the commitment to cyber security evidenced by the 2016 National Cyber Security Strategy, which will be supplemented where required to fit with the NIS Directive. Accordingly, we expect that Brexit is unlikely to change the new standards of cyber security imposed on OES.
Overlap with the GDPR
The scope of the NIS Directive is both wider and narrower than the GDPR: on the one hand it is not just limited to personal data, yet on the other hand it only applies to certain service providers. For the entities that it affects, it should be equally important. Accordingly, relevant businesses should be addressing NIS compliance alongside their GDPR programmes.