The Department for Digital, Culture, Media & Sport has published the Government's response to the public consultation on the Network and Information Security Directive (NIS Directive). This note highlights the key changes that will impact companies falling within the scope of the NIS Directive.
The sanctions regime has been updated. A single maximum financial penalty of £17m to cover all contraventions is now included. The Competent Authority for each sector will decide the level of fine for any contravention and will be given a degree of flexibility in deciding what level of fine is both reasonable and proportionate.
It was noted that there is a distinct possibility of "double jeopardy" for a company that simultaneously contravenes the NIS Directive and other legislation, such as the General Data Protection Regulation. The Government stated that the legislation will encourage Competent Authorities to work with other relevant regulators to address the potential for such "double jeopardy", which might otherwise occur through the doubling up of fines. That being said, the Government has acknowledged that penalisation for the same event under different regimes may be appropriate where penalties "relate to different aspects of the wrongdoing and different impacts". Further guidance is expected to be published on this point before May 2018.
Competent Authority designation
The list of Competent Authorities has been issued, subject to final confirmation, and the distinction between their role and the role of the National Cyber Security Centre has been clarified (please see the consultation response for specific listings).
Who is within the scope?
The definition of who is within the scope of the NIS Directive, and the thresholds used to identify them, have been clarified. Some of the thresholds for what constitutes an Operator of an Essential Service (OES) were updated, for example those applicable to the rail transport sector.
In addition to this, the definition of Digital Service Provider was refined (please see the consultation response for specific sector thresholds).
General principles for security measures
The Government has updated the 14 previously proposed high-level security principles of general application, which have been issued to assist organisations in taking appropriate decisions when implementing security measures. The updated principles are still broad, and leave each OES to determine which security measures are appropriate in the circumstances of that organisation. The updated principles place greater emphasis on ensuring that all levels of the organisation understand the organisation's cyber security risk and the security measures the OES has in place (please see the consultation response for the list of principles).
The National Cyber Security Centre (NCSC) has published supplementary guidance and we expect that the initial version of the NIS "Cyber Assessment Framework", which is due to be published in Spring 2018, will provide further granularity.
Clarification has been provided as to the obligations on reporting incidents by an OES. The Competent Authority for each sector will be responsible for publishing the relevant incident reporting thresholds before May 2018. We expect the thresholds to be based on:
- the number of users affected by the disruption of the essential service;
- the likely or actual duration of the incident; and
- the area affected by the incident.
All NIS incidents meeting the reporting threshold should be reported to the Competent Authority within 72 hours.
Each OES is responsible for ensuring (through contractual arrangements such as KPIs and audit rights) that its suppliers have appropriate measures in place. A blanket approach is unlikely to be acceptable: the NCSC guidance warns against forcing all suppliers to meet the same set of security requirements where it is not proportionate or justified to do so.