The UK government has published more detail on its plans to implement the Network Information Systems Directive, alongside guidance from the National Cyber Security Centre.
What’s the issue?
The Network Information Systems Directive (NISD or the Cybersecurity Directive) must be implemented into Member State law by 9 May 2018.
The Cybersecurity Directive is relevant to you if you are an Essential Service provider or if you are a Digital Service Provider i.e. an online marketplace, an online search engine or a cloud services provider (unless you are subject to sector specific regulation in this area). This is a minimum harmonisation Directive which means, not only that Member States have to produce implementing legislation, but also that they have discretion to go above and beyond what the Directive says. We are, therefore, looking (to a certain extent) at fragmented implementation across the EU although multi-jurisdictional companies can take comfort from the fact that they will be regulated in the place of their “main establishment”.
The UK government is yet to publish its implementing Regulations but did hold a consultation in autumn 2017.
What’s the development?
The government has published the response to its consultation which gives more detail as to how it is planning to implement NISD. At the same time, the National Cyber Security Centre (NCSC) has published more information about its role and initial guidance.
What does this mean for you?
Who has to comply with NISD?
The primary concern for those who think they might be caught by NISD centres on the definitions of an Operator of Essential Services (OES), and Digital Service Providers (DSPs).
- OES – the government has been refining the identification thresholds used to define who is in scope to make them clearer and help companies understand whether they need to comply. The revised thresholds are in Annex 1 of the response to the consultation.
- DSPs – the government recognises that defining DSPs “continues to be a challenge” but intends to limit the scope of those who have to comply with NISD to “those companies whose loss of service could have the greatest impact on the UK economy, either directly or through impact on other companies”. This will include Software as a Service companies but excludes micro and small businesses. The implementing Regulations will mirror the wording of NISD but guidance will be used to add flesh to the bones of the definitions (see ‘Read more’ for full details).
There has been a lot of concern around the potential for ‘double jeopardy’ in terms of fines under NISD and the GDPR. The government confirms that it intends to amend the proposed penalty regime to introduce a maximum financial penalty of £17m for all contraventions under NISD. It cannot, however, remove the possibility of sanctions relating to different aspects of the wrongdoing under other applicable law, including the GDPR.
Note that NISD will not apply directly to suppliers to OESs or DSPs, and enforcement will not take place down the supply chain. OESs and DSPs will be responsible for ensuring that their suppliers have appropriate measures in place to ensure they are compliant.
The government clarifies that Competent Authorities (CAs) will publish incident reporting thresholds. Reporting timeframes will mirror those under the GDPR, i.e. “without undue delay and, where feasible, no later than 72 hours after having become aware of the incident”.
Are you a DSP?
The government intends to provide the following clarifications through guidance as to the kind of organisations that will be treated as DSPs under NISD.
Online marketplaces
- An online marketplace should be defined as a platform that acts as an intermediary between buyers and sellers, facilitating the sale of goods or services, i.e. a service that enables consumers and traders to conclude online sales or service contracts with traders, and it represents the final destination for the conclusion of those contracts.
- Sites that redirect users to other services to make the final contract (e.g. price comparison sites), or that only connect buyers and sellers to trade with each other (e.g. classified advert sites), or that only sell directly to consumers on behalf of themselves (e.g. online retailers), are not in scope.
Online search engines
- ‘online search engine’ means a digital service that allows users to perform searches of the ‘public parts of the worldwide web’ in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found.
- Where a site offers search engine facilities as outlined above, but those facilities are powered by another search engine, then the underlying search engine is required to meet the requirements of the NIS Directive. Internal organisational search engines, that do not facilitate external searches of the internet are not in scope.
Cloud computing services
- ‘cloud computing service’ means any Digital Service Provider that enables access to a scalable and elastic pool of shareable physical or virtual resources.
The Government considers that this primarily (but not exclusively) includes Digital Service Providers that provide public cloud services of the following nature:
- “‘Infrastructure as a Service’ (IaaS) - the delivery of virtualised computing resource as a service across a network connection, specifically hardware – or computing infrastructure - delivered as a service;
- ‘Platform as a Service’ (PaaS) - services that provide developers with environments on which they can build applications that are delivered over the internet, often through a web browser; and
- ‘Software as a Service’ (SaaS), provided the resources available to the customer through that software are changeable in an elastic and scalable way. The Government considers that this would likely exclude most online gaming, entertainment or VOIP services, as the resources available to the user are not scalable, but may include services such as email or online storage providers, where the resources are scalable.”
Micro and small enterprises which are DSPs are excluded from the scope of NISD. These are defined as:
- micro enterprise: fewer than 10 employees and an annual turnover (the amount of money taken in a particular period) or balance sheet (a statement of a company’s assets and liabilities) below €2 million.
- small enterprise: fewer than 50 employees and an annual turnover or balance sheet below €10 million.
Hardware manufacturers and software developers are also excluded and it is worth remembering that certain sectors (like financial services) remain subject to sector specific requirements rather than to NISD.
Security requirements for OESs
The government has proposed ‘14 Principles’ on security, revised versions of which are set out in Annex 3 of the response. These are intended as high-level, overarching principles. It recognises that supporting guidance and additional detail are required, which will be set out on the NCSC website. CAs will use the NIS Cyber Assessment Framework (to be published by the NCSC in April 2018) to determine acceptable levels of cybersecurity in their sectors.
The government will continue its approach of appointing CAs in each sector. A full list of proposed CAs is included in Annex 2 of the response. The CAs will have clear separation of powers from the NCSC to allow the NCSC to carry out its advisory role and provide incident response capability. CAs will be responsible for the monitoring and oversight of NISD implementation in their sectors. They will also be responsible for enforcement.
Concerns have been raised that different CAs will take different views about enforcement. The government says that while it will encourage cooperation and common procedures, divergence may be appropriate in order to reflect the needs of different sectors.
The role of NCSC
In newly published guidance, the NCSC makes it clear that it does not play a regulatory role. It does, however, have a role in providing support and guidance. It will also take on the following roles:
- Single Point of Contact (SPOC) – the NCSC will act as the contact point for engagement with EU partners on NISD, coordinating requests for action or information and submitting annual incident statistics.
- Technical Authority on Cyber Security - the NCSC will support OESs and CAs with cyber security advice and guidance and act as a source of technical expertise. It may work with OESs and CAs to tailor some generic guidance to individual sectors if necessary.
- CSIRT (Computer Security Incident Response Team) - incidents that are believed to be reportable under NISD should be reported to the appropriate CA. Where they are identified or suspected of having a cyber security aspect, the operator should also contact NCSC for advice and support on these aspects.
The NCSC is intending to publish a Cyber Assessment Framework, a systematic means of assessing whether an OES is complying with NISD, in April 2018. In the meantime, it has published guidance on complying with NISD. The advice is based on the 14 Principles set out by the government in its consultation and response to the consultation.
More on enforcement
CAs will be required to take a reasonable and proportionate approach to enforcement. The government recognises that the process of improving network security will take a number of years and is anticipating a collaborative approach by stakeholders.
OESs will be given time to implement the required security measures, and the main priority of CAs in the first year will be information gathering. OESs will be expected to begin analysing their existing systems and security in order to assess what needs to be done.
More on incident reporting and support
Incident reporting under NISD focuses on interruption to service. Under Article 14(3), an OES must notify either their CA or CSIRT of “incidents having a significant impact on the continuity of the essential services they provide”. DSPs are required under Article 16(3) to notify either their CA or CSIRT of “any incident having a substantial impact on the provision of a service…that they offer within the Union”. An incident is “any event having an actual adverse effect on the security of network and information systems”.
Incident response will be separate from incident reporting. All NIS incidents will be reported to the relevant CA, who will log the incident and decide whether follow-up investigation is required. Voluntary reporting can be made to either the CA or the NCSC. Incident response support on cyber-related incidents (e.g. DDoS attacks, malware, hacking) will be provided by the NCSC where required. CAs, or possibly the relevant Lead Government Department, will provide support for non-cyber or resilience incidents (e.g. hardware failure, fire, physical damage).