As we come to the end of Global Cyber Awareness Month, and notwithstanding recent high profile cyber attacks, the spotlight still seems firmly fixed on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Bill, and the significant impact they will have on data protection law. Taking nothing away from the importance of GDPR, it is perhaps surprising that there has not been more discussion about the Directive on Security of Network and Information Systems (the NIS Directive). However, depending on your business, it could be just as important.
With the same maximum penalties as the GDPR - the higher of 20 million Euro (approx. £17m) or 4% of global annual turnover - and (as currently drafted) the possibility of a "double hit" where a single incident also involves personal data, it is vital for affected businesses to consider the NIS Directive alongside their GDPR implementation projects. Whilst the GDPR focuses on protecting personal data, the NIS Directive aims to ensure that the network and information systems underpinning key sectors of the economy are secure against an ever-growing list of cybersecurity threats. The large-scale WannaCry and NotPetya ransomware attacks this year (WannaCry severely disrupting the NHS, amongst many others) and the Equifax breach and data theft are recent worrying examples.
The NIS Directive introduces cybersecurity-related obligations for two categories of organisation:
- operators of essential services in "critical sectors", for example health care (hospitals and private clinics), energy (electricity, oil and gas operators) and transport (air carriers, airport managing bodies); and
- digital service providers (e.g., online marketplaces, cloud computing and search engine operators).
Businesses falling within either of the above categories will be required to take appropriate and proportionate security measures and to notify the relevant competent authority (in the UK, the consultation proposes sector-specific regulators for operators of essential services and the ICO for digital service providers) of any incident having a significant impact on the service. There is, however, an exemption for digital service providers that are micro or small enterprises: fewer than 50 employees and an annual turnover and/or balance sheet total not exceeding 10 million euros.
There is another noteworthy exemption which is likely to apply to the banking and financial services sector. The NIS Directive acknowledges (at Article 1(7)) that existing sector-specific requirements in respect of certain systems may already meet or exceed those of the Directive. Where that is the case, firms will be exempt from the corresponding requirements of the NIS Directive to the extent that provisions at least equivalent in effect to those in the Directive already apply to them. Firms and financial market infrastructures within these sectors must, however, continue to adhere to the requirements and standards set by the Bank of England and the Financial Conduct Authority. Additionally, the technical guidance to be published by the National Cyber Security Centre will be widely applicable, and relevant to the financial sector too.
The UK Government has until 9 May 2018 to implement the Directive and has yet to publish the outcome of its public consultation (the deadline for submissions passed on 30 September 2017). As a result, there are few specific details at present beyond general information and policy positions. However, given the implementation timescale, and the prospect of sanctions equivalent to those under the GDPR, taking advice on implementation, readiness and compliance with the NIS Directive should be high on the priority list for those affected. As with the GDPR, whilst the principal focus is on businesses falling within the defined scope of operators of essential services and digital service providers, key suppliers and partners of those businesses can expect to be affected too, through a flow-through of contractual obligations.