What is the background to these regulations?
The EU Network and Information Systems Directive (EU) 2016/1148 (the NIS Directive) is the incoming EU regime designed to ensure that:
- member states have in place resilient and effective national cyber security regimes which cooperate with each other
- operators of ‘essential services’ and certain digital services providers within member states have appropriate and proportionate cyber security measures in place (and report significant cyber incidents)
The Network and Information Systems Regulations 2018 (the NIS Regulations 2018) implement the NIS Directive in the UK, effective from 10 May 2018.
The need for an EU cyber security regime aimed at essential services was identified by the European Commission in 2013, and the NIS Directive came into force in August 2016. Member states are required to implement the NIS Directive by 9 May 2018.
What organisations fall within the scope of these regulations?
The NIS Regulations 2018 impose obligations on two categories of organisation:
- operators of essential services (OES)
- relevant digital service providers (RDSP)
Schedule 2 to the NIS Regulations 2018 sets out the relevant sectors and sub-sectors in which essential services are carried out, as follows:
- energy: electricity, oil and gas
- transport: air, rail, water and road
- health: healthcare settings (including hospitals, private clinics and online settings)
- digital infrastructure: domain name registries and service providers, and internet exchange points
- water: drinking water supply and distribution
Within these sectors and sub-sectors, the NIS Regulations 2018 set out detailed threshold criteria for determining whether an organisation is considered an OES. For example, suppliers of gas will be considered OESs if they supply to either 250,000 final customers in Great Britain or 2,000 customers in Northern Ireland (and have a specific licence).
The appropriate authorities for the purposes of the NIS Regulations 2018 also retain a discretionary power within their sectors to designate an organisation as an OES (even if the organisation does not meet the threshold criteria), where a cyber incident affecting that organisation would likely have a significant disruptive effect on the provision of essential services.
Providers of online marketplaces, online search engines or cloud computing services will be considered RDSPs and subject to the NIS Regulations 2018 if they have their head office or have ‘nominated a representative’ in the UK, and are not micro or small enterprises (as defined in the Commission Recommendation 2003/361/EC).
What obligations do these regulations impose?
The duties imposed on OESs and RDSPs under the NIS Regulations 2018 broadly fall under two categories:
- a requirement to take appropriate and proportionate measures to ensure the security of network and information systems;
- the duty to notify security breaches.
In relation to security, the UK government has taken the approach of setting out broad, outcomes-based principles, rather than prescriptive rules. There are four top-level objectives:
- managing security risk;
- protecting against cyber attack;
- detecting cyber security events; and
- minimising the impact of cyber security incidents.
Sitting below those top-level objectives are 14 principles, covering aspects such as governance, risk management, system and network resilience, security monitoring, and response and recovery planning.
These objectives and principles are intended to be relevant to all networks and information systems across each of the sectors covered by the NIS Regulations 2018, although it will be for operators to establish how these principles apply to the various systems (including legacy and industrial control systems) that they control.
The reporting obligations require OESs to report any incident that ‘has a significant impact on the continuity of the essential service which that OES provides’. Similarly, RDSPs are required to report ‘any incident having a substantial impact on the provision of any of the [relevant] digital services…’. In each case, organisations must report the incident to the relevant competent authority ‘without undue delay’ and no later than 72 hours after they are aware that the incident has occurred.
Who are the competent authorities for the purpose of these regulations?
Rather than creating or appointing one central competent authority, the UK government has taken a sector-by-sector approach to appointing competent authorities. The NIS Regulations 2018 set out a full list of competent authorities (Schedule 1), which are based on the relevant government departments (either for the UK or for separate parts of the UK, where relevant) with responsibility for energy, transport, health and environment (in relation to drinking water) respectively, along with Ofcom in relation to digital infrastructure and the Information Commissioner’s Office in relation to RDSPs.
The National Cyber Security Centre is not a competent authority for the purposes of the NIS Regulations 2018, but is expected to play a role in the coordination between different competent authorities and the dissemination of general guidance for those subject to the NIS Regulations 2018.
What sanctions may be imposed?
The NIS Regulations 2018 give competent authorities powers to:
- serve information notices in order to assess an organisation’s cyber security systems, or to determine whether it falls within the threshold conditions for being designated an OES;
- conduct an inspection to assess the organisation’s cyber security systems, or whether it has complied with its duties to notify the authority of an incident;
- serve an enforcement notice, which can include steps that the organisation is required to take to rectify any alleged failures; or
- impose a financial penalty for contravention of the NIS Regulations 2018.
The NIS Regulations 2018 set out a sliding scale of maximum financial penalties, as follows:
- £1m – for any contravention that does not cause an ‘NIS incident’;
- £3.4m – for a ‘material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in a reduction of service provision by the OES or RDSP for a significant period of time’;
- £8.5m – for a ‘material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in a disruption of service provision by the OES or RDSP for a significant period of time’;
- £17m – for a ‘material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in an immediate threat to life or significant adverse impact on the United Kingdom economy’.
What should in-scope organisations do to prepare?
If an organisation considers that it may potentially be an OES or an RDSP for the purposes of the NIS Regulations 2018, it should review the detailed threshold conditions at Schedule 2 to determine whether it does fall within the scope of the NIS Regulations 2018.
If the organisation is within the scope of the NIS Regulations 2018, it should carry out a thorough evaluation of its technical and organisational measures to ensure the security of its networks and information systems, taking into account:
- the state of the art;
- what is appropriate and proportionate; and
- the four high-level outcomes and 14 principles that a relevant authority will look at when considering the adequacy of those systems.
This will cover a wide range of measures, from highly technical security measures to system resilience, monitoring, crisis, incident and recovery planning, audits of third parties in supply chains, and overall governance arrangements.
In-scope organisations should also test their security measures with realistic ‘war game’ simulations to identify and rectify potential weaknesses.
Many organisations will want to do this alongside their existing General Data Protection Regulation (GDPR) compliance programmes, given the similarities in security requirements under the NIS Regulations 2018 and the GDPR – although the GDPR is solely concerned with personal data, whereas the NIS Regulations 2018 do not regulate personal data but focus instead on network and systems security. In-scope organisations should also be mindful of the risk of double jeopardy under the GDPR and the NIS Regulations 2018 in the event that they suffer a cyber incident which impacts personal data and network security/essential services (although the UK government has indicated that it will seek to avoid such double jeopardy impact where possible).
Many organisations will want to engage with their competent authority early on and maintain a line of communication. Ensuring that the organisation understands the authority’s expectations and priorities, and that the authority understands the organisation’s cyber security systems – and what it is doing to maintain and strengthen them – can be important in fostering good relations with one’s regulator, remaining compliant and effectively navigating and resolving a cyber security incident should it occur.
This article first appeared on LexisNexis