The UK Government has repeatedly declared its commitment to defending the country against cyber threats.
As part of that commitment a five-year National Cyber Security Strategy (NCSS) was announced in November 2016, supported by £1.9 billion of transformational investment. In accordance with the delivery of the strategy the National Cyber Security Centre was opened in February 2017.
In the EU the Network and Information Security Directive ("NIS") has been in development, largely running in step with the development of the new General Data Protection Regulation. Member States have until 9 May 2018 to transpose the Directive into their national legislation. The Member States' enactments of the Directive will compel essential service operators to develop strategy and policies to understand and manage their risk from cyber-attack; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.
On 8 August 2017, the Government launched a consultation on how best to implement the Network and Information Systems (NIS) Directive, which aims to increase the security of network and information systems across the EU. The NIS Directive will be implemented into UK law in May 2018.
Energy has always been identified as an essential sector falling within the scope of the NIS Directive; however, the consultation paper has provided greater granularity by proposing a series of thresholds so that the enactment will apply only to "more important operators" in the Energy sector. These fall within the following categories:
The thresholds proposed by the Government are binary, for example an electricity distributor with the potential to disrupt supply to more than 250,000 consumers will be deemed to be an essential service operator. The Government currently does not consider the civil nuclear sector to be in scope of the NIS Directive. The thresholds set by the Government will be one of the core aspects of the public consultation.
In tune with other recent legislation such as the UK Bribery Act 2010 and the Modern Slavery Act 2015, it is expected that operators of essential services will also have a responsibility to drive compliance into their supply chain. The paper states that "there should be confidence that the security principles are met regardless of whether an organisation or a third party delivers the service" and makes reference to "ensuring that appropriate measures are employed where third party services are used". Accordingly, while suppliers to operators of essential energy services may not themselves be under an immediate compliance obligation, it is wholly foreseeable that, if their services touch an essential operator's network and information systems, they will be contractually obliged to comply.
Security requirements: Operators must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems and take appropriate measures to prevent and minimise the impact of incidents. What these broad principles mean in practice is yet to be established. The consultation paper indicates that a series of further guidance will be issued from the Government, the National Cyber Security Centre and the relevant competent authority, which will provide further granularity and sector-specific information and will evolve over time.
Incident reporting: Operators will be required to notify the National Cyber Security Centre and their relevant competent authority of incidents affecting the security of network and information systems that have a significant impact on the continuity of essential services. The incidents are not limited to cyber-attacks and can include power outages, system malfunctions and hardware failure. The consultation process will assist in defining what will constitute a reportable incident and identifying the associated thresholds. It is proposed that the time within which a report must be made will be 72 hours from becoming aware of the incident.
According to the impact assessment issued by the Department for Digital, Culture, Media and Sport (DCMS), the high level of regulation already in place in the Energy sector means that only small alterations to existing security systems are likely to be required to comply with the NIS Directive. However, the extra costs required to comply with the incident reporting requirements will depend on the reporting thresholds issued by the competent authority.
The Government proposes to nominate a competent authority to oversee implementation and compliance with the Directive in each of the essential sectors. For Energy, this is the Department for Business, Energy and Industrial Strategy (BEIS), though the Government is exploring whether certain functions could be delegated to the Office for Gas and Electricity Markets (Ofgem). The competent authority will have the power to decide whether to publicise an incident, to obtain information required to assess compliance, to identify breaches of the Directive and take enforcement action.
While the gestation of the Directive has kept in step with the GDPR, the Directive has largely remained in the shadow of the publicity surrounding the penalty regime set out for the GDPR. However, in the consultation paper the Government has indicated a desire to mirror the penalty regime of the GDPR by proposing two bands of penalties, with fines of up to €20 million or 4% of global annual turnover (whichever is greater) for the more serious offence of failing to put in place effective cyber security measures. The press release issued by DCMS suggests that a fine for breach of the NIS Directive will be separate from and additional to any fines ordered under the GDPR. This could then mean that an organisation suffering a cyber-attack which results in the loss of both services and data could face a "double liability" of fines of up to €40 million. It is also not clear whether related sanctions imposed by other Regulators will be taken into account when determining the sanction for non-compliance.