Tag

critical infrastructure Archives - LINX

UK to tighten takeover rules to protect national security

By | News, Security
The UK Department for Business, Energy and Industrial Strategy (BEIS) has published a Green Paper with plans to bolster government powers to intervene in corporate mergers and takeovers involving high-tech goods and services to protect national security, and is consulting on what other powers it might need.
In the short term, the government will reduce the turnover threshold that limits its existing powers to intervene in corporate takeovers. At the moment, the Competition and Markets Authority powers only apply to takeovers where the target company has a turnover of at least £70m per year. For companies producing goods and services for military use, or “dual-use” technologies that can be used for military purposes, this is to be reduced to cover any company with a turnover in excess of £1 million. It will also reduce the takeover threshold to £1million turnover per annum for companies involved in the creation, design or support of “multi-purpose computing hardware” and quantum-based technology.
 
In the longer term, the government is looking at a range of options, including

  • extending existing powers to intervene in corporate takeovers, so that they would also apply to new projects, the acquisition of land near sensitive locations, and the sale of “bare assets” (e.g. equipment, intellectual property, or divisions of a business) not involving the sale of the entire company; and
  • creating a mandatory obligation on companies to notify the Competition and Markets Authority when they are targetted for takeover.

The deadline for commenting on the changes to takeover thresholds is 14th November 2017, and for the longer term reforms is 9th January 2018.

UK Government launches consultation on implementing NIS Directive

By | EU Legislation, News, Security

The UK Government has launched a consultation on its plans to implement the Security of Network and Information Systems Directive (“NIS Directive”). The NIS Directive was adopted by the European Parliament on 6 July 2016 and Member States have until 9 May 2018 to transpose the Directive into domestic legislation. The Government has emphasised that it supports the overall aim of the NIS Directive and that its intention is that this legislation will continue to apply in the UK even after the UK has left the EU.

The NIS Directive imposes obligations on two groups of businesses: “operators of essential services” and digital service providers. However, it does not affect network providers as they are already subject to similar obligations in the UK under Section 105 of the Communications Act 2003.

Under the Directive, operators of essential services including those in the energy, transport, water, healthcare and digital infrastructure sectors will have to take “appropriate and proportionate” security measures to manage the risks to their network and information systems. Operators of essential services will also be required to notify serious incidents to the relevant authority.

Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and incident notification requirements established under the Directive.

Organisations who fall in scope of the Directive will be required to develop a strategy and policies to understand and manage their risk; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and to raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after an event, with the capability to respond and restore systems. The Government has stated that “any operator who takes cyber security seriously should already have such measures in place.”

Organisations who fail to implement effective security measures could be fined as much as £17 million or 4 per cent of global turnover. The Government has said, however, that fines would be a last resort, and will not apply to operators that have “assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack.”

The NIS Directive relates to loss of service rather than loss of data, which falls under the General Data Protection Regulations (GDPR).

The consultation closes on 30 September 2017.

For more information, see: Consultation on the Security of Network and Information Systems Directive