DCMS publishes consultation on NIS Directive for Digital Service Providers

By | News, Security

The Department for Digital, Culture, Media and Sport (DCMS) has published a targeted consultation to seek views on how the Government intends to implement the Network and Information Systems (NIS) Directive in relation to Digital Service Providers (DSPs) in the UK. This follows the publication of the Implementing Act for DSPs by the European Commission in January 2018.

The Government states that the UK will define DSPs in the same way as set out in the Directive, which means that DSPs will encompass “online marketplaces”, “online search engines”, and “cloud computing services”.

As the Government has previously stated, the Information Commissioner’s Office (the ICO) will be responsible for regulating DSPs in the UK in the context of the NIS Directive. As part of this role, the ICO will produce guidance to help DSPs establish whether they are in scope of the Directive. The consultation states that the ICO will also, after 10 May 2018 when the Directive comes into force, “establish a system in order for UK DSPs to register themselves with the ICO.” The Government states that this system “is necessary in order for the ICO to know who is required to meet the requirements of the Directive and who they need to regulate”, and that it is considering making registration mandatory.

The ICO will also publish guidance to ensure that DSPs understand their obligations under the Directive. This guidance will take into account the Technical Guidelines for the implementation of minimum security measures for Digital Service Providers published by the European Network and Information Systems Agency (ENISA) in 2017. This, according to the Government, will ensure that there is a consistent approach across Europe.

The ICO, along with the other relevant regulatory authorities, will have the power to recover the costs of regulating the NIS Directive. In this context, the Government expects that the ICO, in line with common practice in other regulations such as the GDPR, will levy an annual fee on DSPs, in addition to recovering direct costs involved in any regulatory investigations. The consultation states that the amount of this fee has not yet been determined and will be published by the ICO in due course.

The closing date for responses to the consultation is 29 April 2018.

Government conclusions on NIS implementation

By | News, Security

The UK Department for Digital, Culture, Media & Sport (DCMS) has published its response to the replies it received to last year’s public consultation on implementation of the Network Information Security Directive (NIS-D). Finding broad support from responders for its proposed approach, it intends to press ahead largely unchanged, but with altered thresholds and adjustments to the penalty regime.

In regard to Internet Exchange Points, the government has dropped port capacity as the criterion for identifying essential services, since any particular threshold would quickly have become out of date. Instead, the qualifying criteria will be based on market share and routing table coverage. An IXP operator will qualify as an essential service if it has:

  • “50% or more annual market share amongst UK IXP Operators in terms of interconnected autonomous systems”, or if it
  • “offer[s] interconnectivity to 50% or more of Global Internet routes”.

The thresholds for DNS providers have also been changed:

  • Operators of TLD registries will qualify as operators of essential services if they service an average of 2 billion queries or more per day (threshold unchanged);
  • Operators of DNS resolvers will qualify as operators of essential services if they service an average of 2 million DNS clients per day (changed from 60 million DNS queries per day). Moreover, only resolvers for publicly accessible services will count, which may exclude some public and academic sector operators;
  • Additionally, operators of authoritative DNS hosting will also be brought into scope of NIS-D, for operators who host 250,000 domain names or more, again for public services.

The penalty regime has been simplified to a straightforward maximum fine of £17 million. This replaces a two-tier structure of up to €20 million or 4% of global turnover for failure to implement appropriate security measures, and €10 million or 2% of global turnover for other offences. For many, but not all, of the affected businesses this will be a reduction in their exposure.

Another change is that incident reporting will be viewed as a compliance operation, for the operator to register the existence of a security incident with the regulator, separate from incident response. This is intended to protect the existing co-operative relationship operators have with the National Cyber Security Centre and other government protective services.

The government has also made adjustments to the draft “high level security principles” with which operators will be required to comply, in some cases so as to make the expectation more specifically require a good outcome, rather than merely a good process.

The government has confirmed that it will proceed with the approach of using sector-specific regulators as the regulator for NIS-D, resulting in multiple “Competent Authorities”. This was broadly welcomed by affected businesses. Accordingly, the NIS-D regulator for Digital infrastructure (IXPs and DNS providers) will be Ofcom.

UK to tighten takeover rules to protect national security

By | News, Security

The UK Department for Business, Energy and Industrial Strategy (BEIS) has published a Green Paper with plans to bolster government powers to intervene in corporate mergers and takeovers involving high-tech goods and services to protect national security, and is consulting on what other powers it might need.

In the short term, the government will reduce the turnover threshold that limits its existing powers to intervene in corporate takeovers. At the moment, the Competition and Markets Authority powers only apply to takeovers where the target company has a turnover of at least £70m per year. For companies producing goods and services for military use, or “dual-use” technologies that can be used for military purposes, this is to be reduced to cover any company with a turnover in excess of £1 million. It will also reduce the takeover threshold to £1 million turnover per annum for companies involved in the creation, design or support of “multi-purpose computing hardware” and quantum-based technology.

In the longer term, the government is looking at a range of options, including:

  • extending existing powers to intervene in corporate takeovers, so that they would also apply to new projects, the acquisition of land near sensitive locations, and the sale of “bare assets” (e.g. equipment, intellectual property, or divisions of a business) not involving the sale of the entire company; and
  • creating a mandatory obligation on companies to notify the Competition and Markets Authority when they are targeted for takeover.

The deadline for commenting on the changes to takeover thresholds is 14th November 2017, and for the longer term reforms is 9th January 2018.

UK Government launches consultation on implementing NIS Directive

By | EU Legislation, News, Security

The UK Government has launched a consultation on its plans to implement the Security of Network and Information Systems Directive (“NIS Directive”). The NIS Directive was adopted by the European Parliament on 6 July 2016 and Member States have until 9 May 2018 to transpose the Directive into domestic legislation. The Government has emphasised that it supports the overall aim of the NIS Directive and that its intention is that this legislation will continue to apply in the UK even after the UK has left the EU.

The NIS Directive imposes obligations on two groups of businesses: “operators of essential services” and digital service providers. However, it does not affect network providers as they are already subject to similar obligations in the UK under Section 105 of the Communications Act 2003.

Under the Directive, operators of essential services including those in the energy, transport, water, healthcare and digital infrastructure sectors will have to take “appropriate and proportionate” security measures to manage the risks to their network and information systems. Operators of essential services will also be required to notify serious incidents to the relevant authority.

Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and incident notification requirements established under the Directive.

Organisations who fall in scope of the Directive will be required to develop a strategy and policies to understand and manage their risk; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and to raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after an event, with the capability to respond and restore systems. The Government has stated that “any operator who takes cyber security seriously should already have such measures in place.”

Organisations who fail to implement effective security measures could be fined as much as £17 million or 4 per cent of global turnover. The Government has said, however, that fines would be a last resort, and will not apply to operators that have “assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack.”

The NIS Directive relates to loss of service rather than loss of data, which falls under the General Data Protection Regulation (GDPR).

The consultation closes on 30 September 2017.

For more information, see: Consultation on the Security of Network and Information Systems Directive