The NISR (Network and Information Systems Regulations), which came into force on 9 May 2018, are designed to protect the critical national infrastructure of EU countries in the event of a cyber attack. These regulations have been largely overlooked to date, as many organisations find themselves spending all of their time and money on dealing with GDPR. These regulations impact two key categories of organisations: Operators of Essential Services (OESs) and Digital Service Providers (DSPs).
What does this mean for companies in the energy sector?
Organisations will fall within the definition of an OES if they meet certain thresholds, namely:
- for electricity generators, it is based on having a generating capacity greater than or equal to 2GW, including standalone transmission-connected generation and multiple generating units with a cumulative capacity greater than or equal to 2GW;
- for energy distribution and transmission network operators, it is based on the potential to disrupt supply to more than 250,000 consumers; and
- for energy supply businesses, it is based on the use of smart metering and the potential to disrupt supply to more than 250,000 consumers.
The principal requirement on an OES is to demonstrate that it has taken appropriate and proportionate measures to manage the risks posed to the security of its network and information systems, and that it has measures in place to prevent and minimise the impact of incidents affecting those systems. Compliance is measured by reference to fourteen security principles contained in the NIS Directive. In connection with this, the National Cyber Security Centre (NCSC) has now published the first Cyber Assessment Framework (CAF), a tool enabling assessment of OESs to determine the extent to which they are compliant with the fourteen security principles outlined in the NIS Directive. This can be found here.
If you have operations in the EU, you should have recently registered with a local competent authority. In the UK, BEIS acts jointly with Ofgem for downstream electricity and gas, while HSE undertakes compliance and enforcement functions for the oil sector and some sections of the gas sector on behalf of BEIS.
Digital Service Providers
DSPs under the NISR are defined as either a (i) search engine, (ii) cloud computing service, or (iii) online marketplace. A more detailed explanation of this definition can be found here. The definition of cloud computing under NISR appears sufficiently wide to potentially capture a number of energy companies, such as online energy platforms, smart metering companies and aggregators of virtual power plants. In addition to this, providers of virtualised computer resources – Infrastructure as a Service – and providers of cloud storage or email services may also fall within the scope of a DSP. Many energy companies that do not themselves fall within the definition of a DSP will have contracts with DSPs, and may by virtue of these contracts be required to enter into more prescriptive terms and also to update their own systems.
In the UK, if you (i) fall within one of the three categories of DSP, (ii) have a head office in the UK or a nominated UK representative, and (iii) have more than 50 employees and a turnover of more than 10 million euros, then you should have registered with the competent authority - BEIS and Ofgem for downstream electricity and gas - by 1 November 2018. Looking outside of the UK, you can view our tracker to learn more about the jurisdictional differences across the EU.
What do I need to do?
I'm not EU-headquartered, does this still impact me?
Yes: if you are not EU-headquartered but have operations in the EU or provide services to EU-based consumers, you will need to choose an EU jurisdiction within which to register. View our tracker to find out more about the differing penalties in the various jurisdictions.