On 8 August 2017, the UK Government launched a consultation on how best to implement the EU Network and Information Systems (NIS) Directive, which aims to raise the security of network and information systems across the EU.
The implementation of the NIS Directive forms part of the Government's £1.9 billion, five-year National Cyber Security Strategy to "make Britain's essential networks and infrastructure safe, secure and resilient against the risk of future cyber attacks". The focus on "essential systems" (energy, health, transport, water and digital infrastructure) is intended to minimise the disruption to the UK economy, society and individuals' welfare that a cyber attack could cause. The consultation paper proposes a series of thresholds so that the legislation will apply only to the "more important operators" in each sector; how operators of essential services are defined is therefore one of the core questions put to public consultation.
Only operators of essential services with their head office in the UK will have to comply with, and be subject to the sanctions set out in, the implementing legislation. This spares operators from having to comply with multiple national regimes across the EU, but it raises an interesting question: will operators headquartered outside the EU be exempt from the security and incident-reporting requirements set out in the Directive?
The Government has proposed two bands of penalties, with fines of up to €20 million or 4% of global annual turnover (whichever is greater) for the more serious offence of failing to put effective cybersecurity measures in place. This mirrors the penalty regime under the General Data Protection Regulation (GDPR). Interestingly, the press release issued by the Department for Digital, Culture, Media and Sport (DCMS) appears to suggest that a fine for breach of the NIS Directive will be separate from, and additional to, any fine imposed under the GDPR: the NIS Directive relates to loss of service, whereas the GDPR deals with loss of data. An organisation suffering a cyber attack that results in the loss of both services and data could therefore face a "double liability", with combined fines of up to €40 million (or the corresponding turnover-based maxima). It is also not clear whether related sanctions imposed by other regulators will be taken into account when determining the sanction for non-compliance.
Operators can take some comfort from the fact that fines will be a last resort, and will not be imposed on an operator that has suffered a cyber attack if it had taken appropriate security measures. However, the Government has issued a strong message: "any operator which takes cybersecurity seriously should already have such measures in place". What counts as "appropriate security measures" is yet to be established, and we anticipate further guidance from the Government, the National Cyber Security Centre and the competent authority assigned to each essential sector, which will evolve over time.
Service providers that fall below the thresholds may nonetheless be subject to the proposed security measures, as operators are likely to flow these obligations down their supply chains. This is because the consultation paper proposes an obligation on operators to ensure "that appropriate measures are employed where third party services are used".
The closing date for responses to the consultation is 30 September 2017, and all public and private organisations are encouraged to participate. Member States have until 9 May 2018 to transpose the NIS Directive into national law. The UK Government has confirmed its intention that the legislation implementing the NIS Directive will continue to apply after the UK has left the EU.