The Network Information Systems Directive 2016 (NISD or Cybersecurity Directive) must be implemented into UK law by 10 May 2018. While the GDPR has a broad reach, NISD only impacts on certain businesses. In terms of cybersecurity, the GDPR focuses on protecting personal data, whereas NISD is more concerned with network and systems security and interruption to service. Businesses caught by NISD will also have to comply with the GDPR in respect of any personal data.
NISD at a glance
|Applies from||10 May 2018 (via implementing legislation).|
|Concerned with||Interruption to service – an incident i.e. “any event having an actual adverse effect on the security of network and information systems”.|
|Applies to||OESs and DSPs (subject to certain exceptions).|
|Sanctions||Capped at £17m in the UK.|
OESs: relevant CA (sector specific).
|Report to regulator||
OES: notify CA of “incidents having a significant impact on the continuity of the essential services they provide”.
DSPs: notify CA of “any incident having a substantial impact on the provision of a service […] that they offer within the Union”.
|Timing of report to regulator||Without undue delay and not later than 72 hours.|
|Report to data subjects||
OESs: no requirement but the CA or CSIRT may inform the public.
DSPs: no immediate requirement but may have to inform an affected OES or be required by CA or CSIRT to inform the public.
|Timing of report to data subjects||No requirement|
NISD has a different objective to the GDPR. Rather than focusing on the security of personal data, it deals with the security of network and information systems.
NISD is a minimum harmonisation Directive which means, not only that Member States have to produce implementing legislation, but also that they have discretion to go above and beyond what the Directive says. We are, therefore, looking (to a certain extent) at fragmented implementation across the EU although multi-jurisdictional companies can take comfort from the fact that they will be regulated in the place of their “main establishment”.
The UK’s implementing legislation is the Network and Information Systems Regulations 2018 (Regulations). The NCSC has already published initial guidance which will be updated shortly and the ICO will also be publishing guidance.
Who has to comply with NISD?
NISD is relevant to you if you are an Operator of an Essential Service (OES) or if you are a Digital Service Provider (DSP) i.e. an online marketplace, an online search engine or a cloud services provider. Where sectors are subject to sector-specific Union legal acts relating to information and network security, these will take precedence (e.g. NISD does not apply to telecoms providers as their security is dealt with by the Framework Directive).
NISD is designed to work alongside data protection legislation. It covers ‘natural persons’ which includes companies, whereas data protection law covers only personal data. As with the GDPR, NISD is intended to have some extra-EU application and will apply to DSPs which are established outside the EU but which offer services within the EU (on more than an incidental and passive basis).
How will organisations be regulated?
Organisations will be regulated in the Member State of their main establishment which will be where their head office is located. Note that this is a different definition from that used in the GDPR which states that the place of main establishment is presumed to be the data controller’s place of central administration unless the main decision making with regard to the personal data is taken in another Member State.
Where an organisation is subject to NISD but does not have a main establishment in the EU, it must appoint a representative in one of the Member States in which it offers services and it will be subject to regulation in that Member State.
Incident response will be separate from incident reporting. In the UK, all NIS incidents will be reported to the relevant Competent Authority (CA) who will log the incident and decide whether follow up investigation and reporting is required. The National Cyber Security Centre (NCSC) will be the UK’s Computer Security Incident Response Team (CSIRT). Voluntary reporting can be made to either the CA or the NSCS. Incident response support on cyber related incidents (e.g. DDoS attacks, malware, hacking) will be provided by the NCSC where required. CAs or possibly the relevant Lead Government Department will provide support for non-cyber or resilience incidents (e.g. hardware failure, fire, physical damage).
Operators of essential services
- Member States are required to identify OESs in categories set out in Annex II of the Response with an establishment in their territory by 9 November 2018. These categories include operators of essential services in the energy, transport, financial services (including banks), health and drinking water supply and digital infrastructure (including internet exchange points, domain name system service providers and top level domain name registries). Lists must be reviewed and updated at least every two years. The UK has published its list of OESs and their Competent Authorities (CAs) in the Regulations.
- Member States may make their own rules as to how to identify OESs in each sector but this is to be decided against the broad criteria that the entity provides a service essential for the maintenance of critical societal and/or economic activities where the provision of that service depends on network and information systems and an incident to the network and information systems of that service would have significant disruptive effects on its provision. Whether or not a disruption has a significant disruptive effect should take into account the number of users relying on the service, the dependency of other essential service sectors on it, the impact the incident might have, the market share and geographic reach of the entity and its importance in maintaining a sufficient level of service taking into account availability of alternative providers.
Security and notification requirements for operators of essential services
- Member States must ensure all OESs take appropriate and proportionate technical and organisational measures to manage risks (defined in NISD as “any reasonably identifiable circumstances or event having a potential adverse effect on the security of networks and information systems”) posed to the security of networks and information services which they use to deliver their services and to minimise the impact of any network security incidents with a view to ensuring continuity of service.
- OESs must notify the competent authority of incidents having a significant impact on the continuity of the service they supply. Notifications must be made without undue delay (and within 72 hours in the UK) and must contain enough information to allow the competent authority to determine any cross-border impact of the incident. To assess the nature of the incident, the number of affected users, the duration of the incident and the geographical spread of its impact must be taken into account. The CA will inform the CSIRT as soon as reasonably practicable.
- The public may be informed of an incident by the CA or the CSIRT.
DSPs are providers of online marketplaces, online search engines or cloud computing services. These are all defined terms in the Directive which the UK has mirrored in the Regulations:
- “online marketplace” is a digital service that allows consumers and/or traders to conclude online sales and service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace (this includes app stores but excludes price comparison websites);
- “online search engine” is a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input; and returns links in which information related to the requested content can be found;
- “cloud computing” service is a digital service that enables access to a scalable and elastic pool of shareable computing resources;
- Hardware manufacturers and software developers are specifically excluded in the recitals of NISD; and
- There are also exceptions for micro-enterprises and small enterprises (i.e. fewer than 50 employees and an annual turnover or balance sheet below €10 million) from being classed as DSPs.
The UK government has said that it will provide the following clarifications through guidance:
- An online marketplace should be defined as a platform that acts as an intermediary between buyers and sellers, facilitating the sale of goods or services, i.e. a service that enables consumers and traders to conclude online sales or service contracts with traders, and it represents the final destination for the conclusion of those contracts.
- Sites that redirect users to other services to make the final contract (e.g. price comparison sites), or that only connect buyers and sellers to trade with each other (e.g. classified advert sites), or that only sell directly to consumers on behalf of themselves (e.g. online retailers), are not in scope.
Online search engines
- ‘online search engine’ means a digital service that allows users to perform searches of the ‘public parts of the worldwide web’ in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found.
- Where a site offers search engine facilities as outlined above, but those facilities are powered by another search engine, then the underlying search engine is required to meet the requirements of the NIS Directive. Internal organisational search engines, that do not facilitate external searches of the internet are not in scope.
Cloud computing services
- ‘cloud computing service’ means any Digital Service Provider that enables access to a scalable and elastic pool of shareable physical or virtual resources.
The government considers that this primarily (but not exclusively) includes Digital Service Providers that provide public cloud services of the following nature:
- “‘Infrastructure as a Service’ (IaaS) - the delivery of virtualised computing resource as a service across a network connection, specifically hardware – or computing infrastructure - delivered as a service;
- ‘Platform as a Service’ (PaaS) - services that provide developers with environments on which they can build applications that are delivered over the internet, often through a web browser; and
- Software as a Service’ (SaaS), provided the resources available to the customer through that software are changeable in an elastic and scalable way. The Government considers that this would likely exclude most online gaming, entertainment or VOIP services, as the resources available to the user are not scalable, but may include services such as email or online storage providers, where the resources are scalable.”
UK DSPs (referred to as Relevant Digital Service Providers or RDSPs in the Regulations) are required to register with the UK’s ICO, providing their name, address and contact details. The date for registration is:
- 1 November 2018 in the case of a RDSP who qualifies as a DSP on 10 May 2018;
- In any other case, within three months after it qualifies as a DSP.
- DSPs must identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems they use in the context of offering services. Those measures shall ensure a level of security of those systems appropriate to the risk presented taking into account: security of systems and facilities; incident handling; business continuity management; monitoring, auditing and testing; and compliance with international standards.
- DSPs must take measures to prevent and minimise the impact of incidents affecting the security of their network and information systems.
- RDSPs must notify incidents having a substantial impact on the provision of a service to the ICO. Notifications must contain enough information to allow the ICO to determine the significance of any cross-border impact.
- Whether or not an incident is substantial should be assessed in accordance with the criteria in Regulation EU 2018/19 which also sets out elements to be taken into account by DSPs for managing NIS risks.
- In determining the impact of an incident, the number of affected users, particularly those relying on the service to provide their own services, the duration of the incident, its geographical spread, the extent of the disruption to the service and the extent of the impact on economic and societal activities must be taken into account;
- Where an OES relies on the service provided by the DSP, the OES must also be informed. RDSPs may also be required by the ICO to inform the public or the competent authority or the CSIRT may do so after consultation with the DSP.
Regulators are given various general powers but Member States are left to legislate on penalties for non-compliance. There has been a lot of concern around the potential for ‘double jeopardy’ in terms of fines under NISD and the GDPR. The UK government has introduced a maximum financial penalty of £17m for all contraventions under NISD. It cannot, however, remove the possibility of sanctions relating to different aspects of the wrongdoing under other applicable law, including the GDPR.
Note that NISD will not apply directly to suppliers to OES’s or DSPs and enforcement will not take place down the supply chain. OES’s and DSPs will be responsible for ensuring that their suppliers have appropriate measures in place to ensure they are compliant.
Concerns have been raised that different CAs will take different views about enforcement. The government says that while it will encourage cooperation and common procedures, divergence may be appropriate in order to reflect the needs or different sectors.
CAs will be required to take a reasonable and proportionate approach to enforcement. The government recognises that the process of improving network security will take a number of years and is anticipating a collaborative approach by stakeholders.
OESs will be given time to implement the required security measures, and the main priority of CAs in the first year will be information gathering. OESs will be expected to begin analysing their existing systems and security in order to assess what needs to be done.
The recitals to NISD state that the security levels required for DSPs will vary on a case by case basis and they will be subject to a light touch and reactive system of supervision without being subject to general compliance monitoring. CAs should only take action when provided with evidence of non-compliance.
In recently published guidance, the NCSC makes it clear that it does not play a regulatory role. It does, however, have a role in providing support and guidance. It will also take on the following roles:
- Single Point of Contact (SPOC) – the NCSC will act as the contact point for engagement with EU partners on NISD, coordinating requests for action or information and submitting annual incident statistics.
- CSIRT (Computer Security Incident Response Team) - incidents that are believed to be reportable under NISD should be reported to the appropriate CA. Where they are identified or suspected of having a cyber security aspect, the operator should also contact NCSC for advice and support on these aspects.
- Technical Authority on Cyber Security - the NCSC will support OESs and CAs with cyber security advice and guidance and act as a source of technical expertise. It may work with OESs and CAs to tailor some generic guidance to individual sectors if necessary.
The NCSC is intending to publish a Cyber Assessment Framework – a systematic means of assessing whether an OES is complying with NISD shortly. In the meantime, it has published guidance on complying with NISD. The advice is based on the 14 Principles set out by the government in its consultation and response to the consultation.
What about the GDPR?
The eagle eyed will have noticed that the GDPR and NISD use different criteria to set out what might be considered to be appropriate technical and organisational measures. However, the intent is broadly the same. An assessment of risk has to be made and appropriate steps need to be taken to prevent that risk from materialising and minimising the damage if it does.
Most organisations caught by the security and breach reporting requirements under NISD, will also be subject to the GDPR. Reporting a breach to the SA under the GDPR will not mean there is no requirement to notify under NISD although DSPs will be regulated by the ICO under both sets of legislation.