Progress on the Data Protection Bill
The UK's Data Protection Bill (DPB) is still progressing through Parliament but is on track to become law in May 2018. Since we wrote about the draft, the Bill has progressed to its near-final stages. A number of amendments have been tabled, including a much-requested one to include an exception in relation to processing personal data for insurance purposes.
The ICO has also published an introduction to the DPB. The ICO will publish more detailed guidance once the DPB has been enacted. This initial introduction serves mainly to set out the structure and content of the draft legislation. The introduction is long but quite helpful as it sets out the effect of the various sections of the Bill, the extent to which it represents a change, and the reason the change is required. It also clearly sets out the derogations under the GDPR at a high level. As the DPB is still in draft form, this is not definitive and it remains to be seen whether it sits alongside or is replaced by the planned guidance.
Progress on NISD
The Network and Information Systems Directive (NISD or the Cybersecurity Directive) must be implemented into Member State law by 9 May 2018. The UK government has yet to publish its implementing Regulations, but it has published the response to its consultation, which gives more detail as to how it is planning to implement NISD. At the same time, the National Cyber Security Centre (NCSC) has published more information about its role and initial guidance. The government is also now consulting on the application of NISD to Digital Service Providers (DSPs).
The Cybersecurity Directive is relevant to you if you are an Essential Service provider or if you are a Digital Service Provider i.e. an online marketplace, an online search engine or a cloud services provider (unless you are subject to sector specific regulation in this area). This is a minimum harmonisation Directive which means, not only that Member States have to produce implementing legislation, but also that they have discretion to go above and beyond what the Directive says. We are, therefore, looking (to a certain extent) at fragmented implementation across the EU although multi-jurisdictional companies can take comfort from the fact that they will be regulated in the place of their "main establishment".
Who has to comply with NISD?
The primary concern for those who think they might be caught by NISD centres on the definitions of an Operator of Essential Services (OES), and Digital Service Providers (DSPs).
- OESs – the government has been refining the identification thresholds used to define who is in scope to make them clearer and help companies understand whether they need to comply. The revised thresholds are in Annex 1 of the response to the consultation.
- DSPs – the government recognises that defining DSPs "continues to be a challenge" but intends to limit the scope of those who have to comply with NISD to "those companies whose loss of service could have the greatest impact on the UK economy, either directly or through impact on other companies". This will include Software as a Service companies but excludes micro and small businesses. The implementing Regulations will mirror the wording of NISD but guidance will be used to add flesh to the bones of the definitions (see below for full details).
There has been a lot of concern around the potential for 'double jeopardy' in terms of fines under NISD and the GDPR. The government confirms that it intends to amend the proposed penalty regime to introduce a maximum financial penalty of £17m for all contraventions under NISD. It cannot, however, remove the possibility of additional sanctions relating to different aspects of wrongdoing under other applicable law, including the GDPR.
Note that NISD will not apply directly to suppliers to OESs or DSPs, and enforcement will not take place down the supply chain. OESs and DSPs will instead be responsible for ensuring that their suppliers have appropriate measures in place so that the OES or DSP itself remains compliant.
Competent Authorities (CAs) will be required to take a reasonable and proportionate approach to enforcement. The government recognises that the process of improving network security will take a number of years and is anticipating a collaborative approach by stakeholders.
OESs will be given time to implement the required security measures, and the main priority of CAs in the first year will be information gathering. OESs will be expected to begin analysing their existing systems and security in order to assess what needs to be done.
The government clarifies that CAs will publish incident reporting thresholds. Reporting timeframes will mirror those under the GDPR, i.e. "without undue delay and, where feasible, no later than 72 hours after having become aware of the incident".
Incident reporting under NISD focuses on interruption to service. Under Article 14(3), an OES must notify either their CA or Computer Security Incident Response Team (CSIRT) of "incidents having a significant impact on the continuity of the essential services they provide". DSPs are required under Article 16(3) to notify either their CA or Computer Security Incident Response Team (CSIRT) of "any incident having a substantial impact on the provision of a service…that they offer within the Union". An incident is "any event having an actual adverse effect on the security of network and information systems".
Incident response will be separate from incident reporting. All NIS incidents will be reported to the relevant CA who will log the incident and decide whether follow up investigation is required. Voluntary reporting can be made to either the CA or the NCSC. Incident response support on cyber related incidents (e.g. DDoS attacks, malware, hacking) will be provided by the NCSC where required. CAs or possibly the relevant Lead Government Department, will provide support for non-cyber or resilience incidents (e.g. hardware failure, fire, physical damage).
Are you a DSP?
DSPs are likely to have to register with the ICO under current proposals. The government intends to provide the following clarifications through guidance as to the kind of organisations that will be treated as DSPs under NISD.
Online marketplaces
- An online marketplace should be defined as a platform that acts as an intermediary between buyers and sellers, facilitating the sale of goods or services, i.e. a service that enables consumers and traders to conclude online sales or service contracts with traders, and which represents the final destination for the conclusion of those contracts.
- Sites that redirect users to other services to make the final contract (e.g. price comparison sites), or that only connect buyers and sellers to trade with each other (e.g. classified advert sites), or that only sell directly to consumers on behalf of themselves (e.g. online retailers), are not in scope.
Online search engines
- 'online search engine' means a digital service that allows users to perform searches of the 'public parts of the worldwide web' in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found.
- Where a site offers search engine facilities as outlined above, but those facilities are powered by another search engine, then the underlying search engine is required to meet the requirements of the NIS Directive. Internal organisational search engines, that do not facilitate external searches of the internet are not in scope.
Cloud computing services
- 'cloud computing service' means a digital service that enables access to a scalable and elastic pool of shareable physical or virtual computing resources.
The Government considers that this primarily (but not exclusively) includes Digital Service Providers that provide public cloud services of the following nature:
- "'Infrastructure as a Service' (IaaS) - the delivery of virtualised computing resource as a service across a network connection, specifically hardware – or computing infrastructure - delivered as a service;
- 'Platform as a Service' (PaaS) - services that provide developers with environments on which they can build applications that are delivered over the internet, often through a web browser; and
- 'Software as a Service' (SaaS), provided the resources available to the customer through that software are changeable in an elastic and scalable way. The Government considers that this would likely exclude most online gaming, entertainment or VOIP services, as the resources available to the user are not scalable, but may include services such as email or online storage providers, where the resources are scalable."
Micro and small enterprises which are DSPs are excluded from the scope of NISD. These are defined as:
- micro enterprise: fewer than 10 employees and an annual turnover (the amount of money taken in a particular period) or annual balance sheet total (a statement of a company's assets and liabilities) below €2 million.
- small enterprise: fewer than 50 employees and an annual turnover or annual balance sheet total below €10 million.
Hardware manufacturers and software developers are also excluded and it is worth remembering that certain sectors (like financial services) remain subject to sector specific requirements rather than to NISD.
The government has proposed '14 Principles' on security, revised versions of which are set out in Annex 3 of the response to the consultation. These are intended as high level, overarching principles. It recognises that supporting guidance and additional details are required which will be set out on the NCSC website. CAs will use the NIS Cyber Assessment Framework (to be published shortly by the NCSC) to determine acceptable levels of cybersecurity in their sectors.
Security requirements and incident reporting for DSPs
The government explains in its consultation that security requirements for DSPs are set out in the EC Implementing Regulation published at the end of January 2018, so there is little scope for the UK to change the parameters. The Regulation sets out prescribed elements to be taken into account by DSPs when managing security risks and when determining whether an incident has a substantial impact.
The government will continue its approach of appointing CAs in each sector. A full list of proposed CAs is included in Annex 2 of the response. The CAs will have clear separation of powers from the NCSC to allow the NCSC to carry out its advisory role and provide incident response capability. CAs will be responsible for the monitoring and oversight of NISD implementation in their sectors. They will also be responsible for enforcement.
Concerns have been raised that different CAs will take different views about enforcement. The government says that while it will encourage cooperation and common procedures, divergence may be appropriate in order to reflect the needs of different sectors.
The role of NCSC
In recently published guidance, the NCSC makes it clear that it does not play a regulatory role. It does, however, have a role in providing support and guidance. It will also take on the following roles:
- Single Point of Contact (SPOC) – the NCSC will act as the contact point for engagement with EU partners on NISD, coordinating requests for action or information and submitting annual incident statistics.
- CSIRT (Computer Security Incident Response Team) - incidents that are believed to be reportable under NISD should be reported to the appropriate CA. Where they are identified or suspected of having a cyber security aspect, the operator should also contact NCSC for advice and support on these aspects.
- Technical Authority on Cyber Security - the NCSC will support OESs and CAs with cyber security advice and guidance and act as a source of technical expertise. It may work with OESs and CAs to tailor some generic guidance to individual sectors if necessary.
The NCSC is intending to publish a Cyber Assessment Framework – a systematic means of assessing whether an OES is complying with NISD. In the meantime, it has published guidance on complying with NISD. The advice is based on the 14 Principles set out by the government in its consultation and response to the consultation.
For more detail about data breach and incident reporting requirements under the GDPR and NISD, read our Download article.