On 8 August 2017, the Government launched a consultation on how best to implement the Network and Information Systems (NIS) Directive, which aims to increase the security of network and information systems across the EU. The NIS Directive will be implemented into UK law in May 2018.
The UK Government has repeatedly declared its commitment to defending the country against cyber threats. As part of that commitment a five-year National Cyber Security Strategy (NCSS) was announced in November 2016, supported by £1.9 billion of transformational investment. In accordance with the delivery of the strategy the National Cyber Security Centre was opened in February 2017.
In the EU the Network and Information Security Directive ("NIS") has been in development, largely running in step with the development of the new General Data Protection Regulation. Member States have until 9 May 2018 to transpose the Directive into their national legislation. The Member States enactments of the Directive will compel essential service operators develop strategy and policies to understand and manage their risk from cyber-attack; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and to raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.
On 8 August 2017, the UK Government's Department for Digital, Culture Media & Sport (DCMS) issued a consultation paper seeking to gather views on how best to implement the Directive. The consultation paper provides an insight into the Governments proposals for the impending legislation.
Who will be affected?
Transport has always been identified as an essential sector falling within the scope of the NIS Directive, however the consultation paper has provided greater granularity by proposing a series of thresholds so that the enactment will apply only to "more important operators" in the Transport sector. For the air transport sector the proposed definitions of Operators of essential services are:
- owners and operators of aerodromes with an annual terminal passenger number in excess of 10 million;
- licensed providers of UK en-route air traffic services; and
- Air carriers who have either in excess of 30% of the annual passenger traffic at any single UK airport within the scope of the Directive and more than 10 million annual terminal passengers across all UK airports.
The impact assessment issued by DCMS comments that "only businesses with their head offices in the UK will be regulated by the UK".
In tune with other recent legislation such as the UK Bribery Act 2010 and the Modern Slavery Act 2015 it is expected that operators of essential services will also have a responsibility to drive compliance into their supply chain. The paper states that "there should be confidence that the security principles are met regardless of whether an organisation or a third party delivers the service" and reference to "ensuring that appropriate measures are employed where third party services are used". Accordingly, while suppliers to operators of essential transport services may not themselves be under an immediate compliance obligation, it is wholly foreseeable that, if their services touch an essential operator's network and information systems, they will be contractually obliged to comply.
What are the key elements for operators of essential transport services?
Security requirements: Operators must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems and take appropriate measure to prevent and minimise the impact of incidents. What these broad principles mean in practice is yet to be established. The consultation paper indicates that a series of further guidance will be issued from the Government, the National Cyber Security Centre and the relevant competent authority, which will provide further granularity and sector-specific information and will evolve over time.
Incident reporting: Operators will be required to notify the National Cyber Security Centre and their relevant competent authority of incidents affecting the security of network and information systems that have a significant impact on the continuity of essential services. The incidents are not limited to cyber-attacks and can include power outages, system malfunctions and hardware failure. The consultation process will assist in the definition of what will constitute a reportable incident and the identification of associated thresholds. It is proposed that the time within which a report will need to be made will have a gate of 72 hours from becoming aware of the incident.
The impact assessment issued by DCMS has indicated that compliance with the NIS Directive may place additional burden on organisations that operate transport infrastructure where complex digital systems were installed many years ago.
Who will oversee compliance in the air transport sector?
The Government proposed to delegate responsibility for overseeing compliance with the Directive to an appointed "competent authority" for each of the essential sectors. For Transport, this is the Department for Transport, with some functions being delegated to the Civil Aviation Authority.
What are the sanctions?
While the gestation of the Directive has been in track with the GDPR, the Directive has largely remained in the shadow of the publicity surrounding the penalty regime set out for GDPR. However, in the consultation paper the Government has indicated a desire to mirror the penalty regime of the GDPR by proposing two bands of penalties, with fines of up to €20 million or 4% of global annual turnover (whichever is greater) for the more serious offence of failing to put in place effective cyber security measures. The press release issued by the Department for Digital, Culture, Media and Sport (DCMS) suggests that a fine for breach of the NIS Directive will be separate from and additional to any fines ordered under the GDPR. This could then mean that an organisation suffering from a cyber-attack, which results in the loss of both services and data could face a "double liability" of fines of up to €40 million. It is also not clear whether related sanctions imposed by other Regulators will taken into account when determining the sanction for none compliance.
How can Bird & Bird help?
Our cybersecurity team has been deeply engaged in all aspects of cyber since 2010, making it one of the longest established specialist legal teams around.
We firmly believe that cybersecurity challenges can only be met with a multidisciplinary approach: that's why our cybersecurity team is made up of specialists from our tech & comms, commercial, data protection, dispute resolution, corporate, HR and intellectual property groups. But for cyber our multidisciplinary approach goes further; we have longstanding and close relationships with a broad spectrum of forensic IT and cybersecurity consultants, PR agencies, cybersecurity insurers and other relevant experts to provide a holistic response.
Clients turn to us for advice on all aspects of the challenge presented by cybersecurity, from devising and implementing cyber resilience programmes to supporting them with major cyber incidents.
Cybersecurity incidents are always unpredictable: we can help you to mitigate the impact through careful resilience planning, cyber education and cyber incident response practice. But when an event does occur, we understand that it is an emergency and we are well versed in responding accordingly.