The Network and Information Systems (NIS) Directive, which aims to increase the security of network and information systems across the EU, becomes law in each Member State on 9 May 2018.
In the EU the Network and Information Systems Directive ("NIS") has been in development, largely running in step with the development of the new General Data Protection Regulation. Member States have until 9 May 2018 to transpose the Directive into their national legislation.
Who may be affected in the automotive industry?
The focus of the regulation is on Essential Operators, whose identity remains to be defined by each Member State. While we wait for clarity on that definition, the areas of the automotive sector likely to be directly affected, based on the UK government papers, include road authorities responsible for roads and operators of intelligent transport systems.
Perhaps a less obvious area where the automotive sector could be identified as an Essential Operator is potentially in the role of digital service provider ("DSP"). While the definition of a digital service provider is part of the process referred to above, it seems likely that it will include the operators of online market places (generally described as operators of platforms that act as an intermediary between buyers and sellers), online sites that redirect users to other services to conclude contracts or facilitate trade between parties and sites that sell directly to consumers.
A third area for consideration is the potential knock-on effect of the NIS regulation on the supply chain of Essential Operators. The UK Government's published response to the consultation on the NIS stated that "there should be confidence that the security principles are met regardless of whether an organisation or a third party delivers the service" and referred to "ensuring that appropriate measures are employed where third party services are used". Accordingly, while suppliers to Essential Operators may not themselves be under an immediate compliance obligation, it is wholly foreseeable that, if their services touch an Essential Operator's network and information systems, they will be contractually obliged to comply. It is also to be expected that those suppliers will be required to offer indemnities against breach.
What does the NIS require of Essential Operators?
In essence there are two principal focuses of the NIS as it will affect Essential Operators.
Essential Operators will be required to show they have in place appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems.
Essential Operators also need to demonstrate they have implemented procedures and practices to enable them to react effectively to incidents. While many businesses should be able to show they have good standards of protection in place, it is generally the ability to show an efficient response to an incident where attention is urgently required.
To properly address this second facet affected businesses need to be in a position to show a prudent approach has been taken to optimise the ability to respond to incidents. This may include the adoption and maintenance of suitable Cyber-risk policies and procedures; the establishment of incident response plans and response teams; the delivery of network and information system security training; and the periodic testing of systems and planning by penetration testing and incident simulation exercises.
Essential Operators will also be required to notify the respective government organisation and their relevant competent authority of incidents affecting the security of network and information systems that have a significant impact on the continuity of essential services.
The incidents for notification are not limited to cyber-attacks and can include power outages, system malfunctions and hardware failure. The definition of what will constitute a reportable incident and the time for reporting will be determined by each Member State as part of its adoption of the regulation.
Who will oversee compliance in the transport sector?
It is anticipated that the Governments of Member States will delegate responsibility for overseeing compliance with the Directive to an appointed "competent authority" for each of the essential sectors. In the UK, for road transport, this is the Secretary of State for Transport operating through the Department for Transport.
What are the sanctions?
The sanctions for failure to comply with the NIS regulation will be set by each Member State and it is in the area of sanctions that we expect to see the widest disparity between the Member States.
For example, in the UK the Government has indicated that the sanction for breach will be a single fine with a maximum tariff of £17m. In France, by contrast, the government is proposing to adopt a very soft approach on sanctions, with fines of between €75,000 and €150,000, but directed at the directors of Essential Operators as opposed to the Essential Operator companies.
From a jurisdiction point of view we await further guidance, but the current intention appears to be that a commercial organisation will be exposed to sanction in each jurisdiction in which it qualifies as an Essential Operator. The exception is DSPs, for which the relevant jurisdiction will be the Member State in which their principal place of establishment lies.
It is also worth noting that a fine for breach of the NIS regulation will be separate from, and may be additional to, any fines ordered under the GDPR. This could mean that an organisation that suffers a cyber-attack, whose network and information systems security is found lacking, and where the attack results in the loss of relevant data, could face a cumulative liability under both the GDPR, with its fines of up to €20 million or 4% of annual global turnover, and the NIS sanction.