On 10 May the Network and Information Systems Regulations 2018 came into force in the UK. These implement the EU NIS Directive, EU-wide rules on cybersecurity. The NIS Directive had to be transposed into Member State laws by 9 May 2018. Many Member States have not met the deadline.
Which companies are caught?
The UK implementing regulations catch two categories of company:
Operators of Essential Services (OESs)
These are companies whose services are essential for the maintenance of critical societal or economic activities in the following areas: energy, transport, health, drinking water, and digital infrastructure (eg domain names service providers). Thresholds for each sector are set out in a schedule to the UK Regulations and companies should use these to determine whether they are caught, contacting the competent authority (who will look at various factors) if in doubt.
An interesting point to note is that the NIS Directive includes banking and financial market infrastructures (FMIs) in this sector list but they are not included in the UK Regulation (see further below).
Digital Service Providers (DSPs)
DSPs are those who provide an online marketplace, an online search engine, or a cloud computing service in the UK. They are relevant where their head office or established representative is in the UK and they are not a micro/small enterprise under Commission rules.
What obligations do the UK Regulations impose?
The UK Regulations provide a national framework for network and information systems security. A minister must publish a national strategy for the sectors above.
They designate national competent authorities for each relevant sector which have certain duties (eg Ofcom for digital infrastructure, and the ICO for digital services).
Points of contact
The single point of contact (SPOC) and the UK’s computer security incident response team (CSIRT) are both designated as GCHQ. The NCSC (UK national cyber security centre) is part of GCHQ.
OESs have certain security duties to manage risks posed to their network and information systems (on which their essential service relies) and must have regard to any relevant guidance.
They must also notify incidents that have a significant impact on the continuity of the essential service they provide without undue delay and in any event with 72 hours from awareness (like GDPR) in the form required by the competent authority. Note that these breaches may or may not involve personal data (and therefore attract the GDPR requirements) and therefore may or may not also require notification to the ICO.
Relevant DSPs must identify and take appropriate and proportionate measures to manage the risks posed to the security of the network and systems on which they rely to provide the digital services. They must also register with the Information Commissioner (by 1 November 2018 or 3 months after being caught by the Regulations).
Relevant DSPs must notify the Information Commissioner of any incident which has a substantial impact on the provision of any of the digital services it provides – without undue delay and within 72 hours of awareness. This only applies if they had access to sufficient information to assess this. Again the incident may or may not involve personal data. The ICO may inform the public in certain circumstances.
Penalties for failure to comply
Powers of enforcement and penalties are set out in the UK Regulations including fines (where the OES or DSP failed to comply with an enforcement notice).
Interestingly, despite earlier indications, the UK government has moved away from applying the very high potential fines linked to percentage of turnover that the GDPR has. Instead, there is a sliding scale of fines depending on the severity of the contravention with the highest being £17 million for a material contravention which caused/could cause an immediate threat to life or significant adverse impact on the UK economy.
A fee is payable to a competent authority to recover the reasonable costs they incurred in carrying out a NIS function (such as carrying out an inspection) in relation to that company.
Why banking and FMIs were included as OES sectors in the NIS Directive but have not been included in the UK Regulations
Under the NIS Directive Article 1(7), “Where a sector-specific Union legal act requires operators of essential services or digital service providers either to ensure the security of their network and information systems or to notify incidents, provided that such requirements are at least equivalent in effect to the obligations laid down in this Directive, those provisions of that sector-specific Union legal act shall apply.”
DCMS consider that these sectors are adequately covered in the Financial Conduct Authority requirements and standards and have stated that firms in those sectors must continue to adhere those requirements.
The approach to the possibility of double fines for the same breach
One of the concerns raised has been the possibility of being fined twice for the same breach under different regimes. DCMS responded to this concern in January in its response to the consultation responses:
“The Government understands the perceived concern over double jeopardy, in particular in relation to the General Data Protection Regime (GDPR). The Government agrees that Operators and Digital Service Providers should not be tried for the same offence twice, but notes that there may be reason for them to be penalised under different regimes for the same event because the penalties might relate to different aspects of the wrongdoing and different impacts. This will apply not just to GDPR but other sectoral and national legislation such as safety legislation or service commitments.
The Government does not believe that ‘double jeopardy’ can be completely removed, without undermining either the NIS Regulations or other UK legislation.”
In order to take these considerations into account, the UK Regulations do encourage competent authorities to consult and cooperate with other regulators (in the UK and other Member States) which could include discussing what approach to take where different regimes apply. However, it is clearly possible to be fined twice for the same event.