The UK Government has repeatedly declared its commitment to defending the country against cyber threats. As part of that commitment a five-year National Cyber Security Strategy (NCSS) was announced in November 2016, supported by £1.9 billion of transformational investment. In accordance with the delivery of the strategy the National Cyber Security Centre was opened in February 2017.
In the EU the Network and Information Security Directive ("NIS") has been in development, largely running in step with the development of the new General Data Protection Regulation. Member States have until 9 May 2018 to transpose the Directive into their national legislation. The Member States' enactments of the Directive will compel essential service operators to develop strategy and policies to understand and manage their risk from cyber attack; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.
On 8 August 2017, the Government launched a consultation on how best to implement the Network and Information Systems (NIS) Directive, which aims to increase the security of network and information systems across the EU. The NIS Directive will be implemented into law for the whole UK in May 2018.
Who is affected?
The focus of the NIS Directive is on the operators of "essential services". The healthcare sector has always been identified as being within the scope of the Directive but the consultation paper has clarified that by referring to NHS Trusts and Foundation Trusts in England; Local Health Boards and NHS Trusts in Wales; NHS Boards in Scotland and Health and Social Care Trusts in Northern Ireland. While the consultation paper is likely to lead to greater granularity on the definition of operators of essential services in other sectors, with minimum thresholds being considered, this is not the case for the healthcare sector and all that fall within the descriptions set out above will need to comply.
In tune with other recent legislation such as the UK Bribery Act 2010 and the Modern Slavery Act 2015 it is expected that operators of essential services will also have a responsibility to drive compliance into their supply chain. The paper states that "there should be confidence that the security principles are met regardless of whether an organisation or a third party delivers the service" and refers to "ensuring that appropriate measures are employed where third party services are used". Accordingly, while suppliers to operators of essential healthcare services may not themselves be under an immediate compliance obligation, it is wholly foreseeable that, if their services touch an essential operator's network and information systems, they will be contractually obliged to comply.
What are the key elements for operators of essential healthcare services?
Security requirements: Operators must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems and take appropriate measures to prevent and minimise the impact of incidents. The consultation paper indicates that guidance will be issued both at a high level from the Government and the National Cyber Security Centre and at a sector level, along with the relevant competent authority.
Incident reporting: Operators will be required to notify their relevant competent authority of incidents affecting the security of network and information systems that have a significant impact on the continuity of essential services. The incidents are not limited to cyber-attacks and can include power outages, system malfunctions and hardware failure. The consultation process will assist in the definition of what will constitute a reportable incident and the identification of associated thresholds. It is proposed that the time within which a report will need to be made will have a gate of 72 hours from becoming aware of the incident.
Who will oversee compliance in the Healthcare Sector?
The competent authority for the healthcare sector for England will be the Department of Health with some devolution of authority to NHS Digital; it remains to be determined who will operate as the competent authorities for the rest of the UK. The competent authority will have the power to decide whether to publicise an incident, to obtain information required to assess compliance, to identify breaches of the Directive and take enforcement action.
What are the sanctions for non-compliance?
While the gestation of the Directive has been in step with the GDPR, the Directive has largely remained in the shadow of the publicity surrounding the penalty regime set out for GDPR. However, in the consultation paper the Government has decided to mirror the penalty regime of the GDPR by proposing two bands of penalties, with fines of up to €20 million or 4% of global annual turnover (whichever is greater) for the more serious offence of failing to put in place effective cyber security measures.
The press release issued by the Department for Digital, Culture, Media and Sport (DCMS) suggests that a fine for breach of the NIS Directive will be separate from and additional to any fines ordered under the GDPR. This could then mean that an organisation suffering from a cyber-attack which results in the loss of both services and data could face a "double liability" of fines of up to €40 million. It is also not clear whether related sanctions imposed by other Regulators will be taken into account when determining the sanction for non-compliance.