NIS DIRECTIVE: The UK Government’s response to its consultation on the NIS Directive

On 29 January 2018 the UK Government published its much awaited response to the Security of Network and Information Systems Directive (‘NIS’) consultation, which was launched on 8 August 2017 with a response expected before the end of 2017. Emma Wright, Partner at Kemp Little, reviews the key points found within the Government’s response to the consultation, and looks at what Digital Service Providers and Operators of Essential Services should do now to ensure compliance ahead of the 9 May 2018 implementation date.
Member States have until 9 May 2018 to implement NIS. It introduces obligations to secure the technology, data and networks (‘Systems’) used to provide the UK’s essential services, and to report incidents that have a significant impact on them, whether the cause is a cyber event, an event typically treated as a ‘force majeure event’ or another physical event that affects the security of the Systems.
The key industries affected are: water, electricity, oil, gas, digital infrastructure, health and transport, although the UK Government will have six months from implementation to notify those companies that will need to comply. Those companies notified are treated as Operators of Essential Services (‘OESs’) for the purposes of NIS.
Banks and financial market infrastructure sectors are caught by NIS but it was made clear in the original consultation that this sector will be exempt to the extent that at least equivalent provisions exist and Financial Conduct Authority and Bank of England rules will continue to apply. The analysis of who is an OES in that sector has not been carried out as it was determined that at least equivalent provisions will exist by the time NIS is implemented.
There is a similar regime being introduced for Digital Service Providers (‘DSPs’). A DSP under NIS falls within one of three categories: cloud service providers, online marketplaces and online search engines. Each such provider must determine for itself whether or not it is in scope. DSPs that employ fewer than 50 people and whose annual balance sheet total or annual turnover does not exceed €10 million are excluded from NIS. Those that are not automatically excluded have to determine whether they fall within the DSP definition and take appropriate steps, rather than wait for notification by a Competent Authority (which for DSPs in the UK is the Information Commissioner’s Office (the ‘ICO’)). The UK did state in its consultation that it would follow the GDPR as closely as possible to reduce the burden on businesses. The Implementing Regulation laying down the rules for DSPs under NIS, covering the security elements, the parameters for determining whether the impact of an incident is substantial and the objective criteria by which an incident will be determined to be substantial, was published on 30 January 2018.
Close to 300 responses to the initial Government Consultation were received, with the majority of responses from the energy sector, followed by the rail sector.
There were some key points in the Government response:
- It remains the UK Government’s intention that the provisions of NIS will continue to apply after Brexit.
- The multi-competent authority approach proposed in the consultation has been confirmed in line with long-standing Government policy that ‘Lead Government Departments’ take responsibility for all risks including cyber.
- A distinction has been drawn between the role of the National Cyber Security Centre (‘NCSC’) in supporting incident response and the role of the Competent Authority when dealing with an incident that has been reported for regulatory compliance purposes. This distinction has been made to allow the NCSC to carry out its role of providing expert advice and incident response capability.
- The NCSC will perform the advisory role of the Computer Security Incident Response Team (the ‘CSIRT’) and it will also be the Technical Authority for cyber security, publishing guidance and assessment tools for use both by OESs and Competent Authorities.
- “The Government accepts that there is a need for extra clarification on the role of the Competent Authority,” including how Competent Authorities interact with each other and with other regimes such as the GDPR. The aim is to publish further guidance prior to May 2018.
- Simplification of the penalty regime to “reduce the risk of fines in excess of £17 million.” The two penalty bands are being merged and the ability of a fine to be a percentage of global turnover is now removed.
- The reporting timeframes have been set to align with the GDPR regime, although the ICO did comment in its response that reporting pursuant to NIS will not be sufficient for GDPR purposes. It is unclear whether the ICO expects two notifications in relation to the same incident from a DSP if both NIS and the GDPR are triggered.
- For OESs, it is for the OES together with the Competent Authority to identify the Systems used for the ‘provision of the service.’
- The Government has stated that it is for an OES to ensure that its supply chain takes appropriate security measures, as NIS will not apply directly to the supply chain. The one grey area on this point would of course be those DSPs that are used by OESs for the provision of the essential service.
- It is for the Competent Authorities to produce clearer guidance and publish actual thresholds to determine a reportable incident for an OES. In order to do this, a Competent Authority will need to determine what a significant impact would be in its sector.
- The high level security principles set out in Annex 3 of the response will not fundamentally change, although more detail will be provided, and OESs are expected to meet them by the date NIS is implemented in the UK. In relation to resilience in particular, current industry standards will not be changing. This does provide a high level framework that those caught by NIS can start implementing now.
- The Government states that OESs will be given time to implement the necessary security measures on their systems, recognising that the process of improving security in some of these sectors will take a number of years. The Government does state, however, that Competent Authorities will have the power to issue penalties where significant compliance issues have been discovered and it is evident that OESs are not making active efforts to remedy them.
There is no doubt that in the age of cyber wars, security, both physical and online, needs to be given greater prominence - particularly for key pieces of national infrastructure. The Government’s position is that although NIS introduces more costs for OESs and DSPs it is of national importance that our key infrastructure is protected. Such arguments, in our present day, are difficult to counter. What is achieved by NIS in the short term however remains to be seen. What is clear is that although there is detail still to be provided, working towards compliance needs to happen as soon as possible so potential OESs and DSPs should:
- Assess whether their organisation falls within the ‘Table of essential services and identification thresholds’ set out in Annex 1 of the Government response to the Public Consultation or is a DSP that is not excluded.
- Review the high level security principles (Annex 3 in the Government response to the Public Consultation) to ensure they are reflected in their organisation’s information security policies, processes and procedures and, if not, make implementing them a priority.
- If they are an OES, assess their Systems, determine who is responsible for them (particularly as many OESs rely on shared infrastructure systems) and what the supply chain is for the provision of such Systems, in preparation for further dialogue and consultation with their Competent Authority.
- Review their breach notification systems to ensure they capture incidents where there is a duty to notify their Competent Authority under NIS.
The Cyber Assessment Framework (‘CAF’) was published by the NCSC on the same day as the Government response to the Public Consultation, in accordance with the original timeframe. It is now for the individual Competent Authorities to set out how OESs should interpret the CAF for their own risk management procedures once the legislation is implemented. In November 2018 further sector specific guidance, reflecting the unique circumstances of the particular sector, is expected from each Competent Authority. This is anticipated to be designed after further discussion with the OESs and with support from the NCSC. There is still a lot of detail to be determined for OESs, so being proactive in any assessment of Systems potentially caught by NIS will ensure that discussions with a Competent Authority can be framed appropriately and costs to the business adequately captured. Many OESs rely on a complex web of interconnected systems and a supply chain that may in fact have been inherited, so trying to review terms and establish responsibility will be a difficult task even without a tight timeframe.
Originally published in the Cyber Security Practitioner