The UK government confirms potential fines of up to 20 million euros in its response to the Network and Information Systems Directive public consultation.

With various cyberattacks making the headlines in 2017, such as the NHS WannaCry ransomware attack and threats from state-sponsored hackers, cybersecurity is on the global political agenda. The Network and Information Systems Directive (NIS Directive), due to be implemented into national law across Europe in May 2018, is a key part of the European legislative package to implement a baseline for cybersecurity across member states.

The UK government has confirmed that, regardless of Brexit, it will be implementing the NIS Directive into UK law. It recently published its response to public consultation (in January 2018). To catch the attention of organisations whose activities fall within the scope of the directive, the government confirmed fines of up to 20 million euros for non-compliance.

Increase of security

The NIS Directive requires that operators of ‘essential services’ will need to increase the security of network and information systems. As with other legislation (such as the Bribery Act 2010 and Modern Slavery Act 2015), there will be an onus on providers to ensure compliance through their supply chains.

In its consultation paper the government announced that it had refined identification thresholds, so that they are clearer in order for companies to identify with certainty whether they are in scope of the directive. Annex 1 of the consultation paper includes details of essential services and identification thresholds for each sector (including digital infrastructure, energy, water and transport) within scope.

To satisfy obligations relating to security, operators of essential services must:

  • ensure that appropriate and proportionate technical and organisational measures are taken in respect of managing any risks to network and information systems
  • report incidents which affect the security, provision, confidentiality and integrity of the service, having a “significant impact of the continuity of essential services”, with operators expected to be given 72 hours for incident reporting.

Supervisory cybersecurity powers to competent authorities

The government proposes to delegate supervisory cybersecurity powers to ‘competent authorities’ such as the Department for Business, Energy and Industrial Strategy. These powers are to include designating the individual operators of ’essential services’, publishing guidance, auditing operators, investigating the causes of an incident, notifying the public about an incident and having sole responsibility for enforcement.

The National Cyber Security Centre will continue to be the UK’s centre of excellence for all cybersecurity matters, publishing guidance and assessment tools to support authorities and operators. It will also assume responsibility for providing a ‘computer security incident response team’ which (in co-operation with other European national response teams) will monitor incidents at a national level, provide alerts and respond to threats.

Fines for non-compliance

Following significant feedback during consultation on the government's initial proposal of potential fines of up to 20 million euros or 4% of global turnover, whichever is higher, the percentage of global turnover element has been removed. The government's revised proposal is an upper limit of 20 million euros to cover all NIS Directive contraventions.

It may be possible for an operator to be fined under the NIS Directive and the incoming General Data Protection Regulation (GDPR) for the same event, as 'the penalties might relate to different aspects of the wrongdoing and different impacts’, highlighting the paramount importance of ensuring appropriate organisational security. The sanctions regime under GDPR has attracted significant amounts of attention in the run up to the 25 May 2018 implementation date.

When to take action

In its response to its consultation, the government has stressed that operators “will be given the time to implement necessary security measures”. However, operators are expected to have begun reviewing their existing cybersecurity capability in order to understand where further work is required and are directed to the National Cyber Security Centre’s Cyber Assessment Framework as the basis of such assessments. In light of the limited time between now and 9 May 2018, when the NIS Directive is to be implemented – and in light of the parallels with GDPR – affected organisations should start taking action now.