What is NISR and who is impacted?
Many of you will be familiar with the NISR (Network and Information Systems Regulations), which came into force on 9 May this year and which are designed to protect the critical national infrastructure of EU countries in the event of a cyber attack. These regulations have largely been overlooked to date, as many organisations find themselves spending all of their time and money on dealing with GDPR. These regulations impact two key categories of organisations: Operators of Essential Services (OESs) and Digital Service Providers (DSPs). A third category affected, to a lesser degree, is suppliers to these OESs and DSPs that have access to their networks and information systems.
What does this mean for airlines?
The principal requirement on OESs, such as airlines, is that they must be able to demonstrate that they have taken appropriate and proportionate measures to manage the risks posed to the security of their network and information systems, and that they have measures in place to prevent, and to minimise the impact of, any incident affecting those systems. If you have operations in the EU, you should have recently registered with a local competent authority.
DSPs under the NISR are defined as either a (i) search engine, (ii) cloud computing service, or (iii) online marketplace. A more detailed explanation of this definition can be found here. Nowadays most airlines allow consumers to purchase travel insurance, car hire and hotels through their websites, which brings them within category (iii) above.
By way of example, in the UK, if you meet one of the criteria above and:
- Have a head office in the UK or have a nominated UK-based representative; and
- Employ more than 50 people and have an annual turnover of more than 10 million euros
Then you should have registered with the competent authority, the Information Commissioner's Office (ICO), by 1 November 2018. Looking outside of the UK, you can view our tracker to learn more about the jurisdictional differences across the EU.
What do I need to do?
I'm not EU-headquartered, does this still impact me?
Yes: if you are not EU-headquartered but have operations in the EU or provide services to EU-based consumers, you will need to choose an EU jurisdiction within which to register. View our tracker to find out more about the differing penalties in the various jurisdictions.