The UK Government has launched a consultation on its plans to implement the Security of Network and Information Systems Directive (“NIS Directive”). The NIS Directive was adopted by the European Parliament on 6 July 2016 and Member States have until 9 May 2018 to transpose the Directive into domestic legislation. The Government has emphasised that it supports the overall aim of the NIS Directive and that its intention is that this legislation will continue to apply in the UK even after the UK has left the EU.
The NIS Directive imposes obligations on two groups of businesses: “operators of essential services” and digital service providers. However, it does not affect network providers as they are already subject to similar obligations in the UK under Section 105 of the Communications Act 2003.
Under the Directive, operators of essential services including those in the energy, transport, water, healthcare and digital infrastructure sectors will have to take “appropriate and proportionate” security measures to manage the risks to their network and information systems. Operators of essential services will also be required to notify serious incidents to the relevant authority.
Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and incident notification requirements established under the Directive.
Organisations who fall in scope of the Directive will be required to develop a strategy and policies to understand and manage their risk; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and to raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after an event, with the capability to respond and restore systems. The Government has stated that “any operator who takes cyber security seriously should already have such measures in place.”
Organisations who fail to implement effective security measures could be fined as much as £17 million or 4 per cent of global turnover. The Government has said, however, that fines would be a last resort, and will not apply to operators that have “assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack.”
The NIS Directive relates to loss of service rather than loss of data, which falls under the General Data Protection Regulations (GDPR).
The consultation closes on 30 September 2017.
For more information, see: Consultation on the Security of Network and Information Systems Directive