Airlines and cyber risk: what is your legal obligation?

By Simon Shooter, Paul Briggs, Leo Fattorini

01-2019


What is NISR and who is impacted?

Many of you will be familiar with the NISR (Network and Information Systems Regulations), which came into force on 9 May this year and which have been designed to protect the critical national infrastructure of EU countries in the event of a cyber attack. These regulations have largely been overlooked to date, as many organisations find themselves spending all of their time and money on dealing with GDPR. These regulations impact two key categories of organisations: Operators of Essential Services (OESs) and Digital Service Providers (DSPs). A third category affected - to a lesser degree - is suppliers to these OESs and DSPs with access to their networks and information systems.

What does this mean for airlines?

The principal requirements on OESs, such as airlines, are that they must be able to demonstrate that they have taken appropriate and proportionate measures to manage the risks posed to the security of their network and information systems, and that they have such measures in place to prevent and minimise the impact of an incident. If you have operations in the EU, you should have recently registered with a local competent authority.

What you may not be aware of is that you may also be considered a Digital Service Provider for the purposes of these regulations and will also be required to comply.

DSPs under the NISR are defined as either a (i) search engine, (ii) cloud computing service, or (iii) online marketplace. A more detailed explanation of this definition can be found here. Nowadays most airlines allow consumers to purchase travel insurance, car hire and hotels through their websites, which meets the requirements for (iii) above.

By way of example, in the UK, if you meet one of the criteria above and:

  • Have a head office in the UK or have a nominated UK-based representative; and
  • Employ more than 50 people and have an annual turnover of more than 10 million euros 

Then you should have registered with the competent authority, the Information Commissioner's Office (ICO), by 1 November 2018. Looking outside of the UK, you can view our tracker to learn more about the jurisdictional differences across the EU.

What do I need to do?

You can view our series of videos for advice on how to prepare for NISR and view our tracker to learn more about jurisdictional differences. Get in touch to find out how we can help you.

I'm not EU-headquartered, does this still impact me?

Yes: if you are not EU headquartered, but have operations in the EU or provide services to EU based consumers, you will need to choose an EU jurisdiction within which to register: view our tracker to find out more about the differing penalties in the various jurisdictions. Our team can help.

Need more help?

Our multi-disciplinary cyber security team, led by Simon Shooter, would be delighted to assist and to provide advice on registration and all other aspects of NISR.