Interaction between the GDPR and the NIS Directive
There is significant overlap between these two pieces of legislation which may sometimes apply to same incidents.
The EU Directive on the Security of Network and Information Systems (NIS) is due to be implemented in the UK by 9 May 2018 and will place obligations on organisations to secure the technology, data and networks (Systems) used to provide the UK’s essential services and report incidents that affect them. NIS aims to ensure UK operators in essential industries are prepared to deal with the increasing numbers of cyber threats, as it requires them to take steps to protect against threats affecting IT systems such as power outages, hardware failures and environmental hazards as well as cyber breaches such as the high-profile WannaCry and NotPetya attacks of last year, which highlighted the chaos that can be caused when systems stop working regardless of whether there is a personal data element to the attack. There is another aspect to the NIS Directive, affecting “Digital Service Providers” (DSP), where a “less stringent” regime is being introduced for certain cloud service providers, online marketplaces and search engines. This is recognition of the central role that these types of shared online services now play in all areas of our economy, and the inclusion of digital service providers within NIS now places an additional potential breach obligation on these service providers. Although we are still awaiting national implementing regulations, the UK government consulted on implementing NIS in late summer 2017. In the consultation, it asked about its definition of a DSP. It considered it necessary to clarify the three different types of DSPs in order to be able to identify those companies that do fall within the DSP definition.
The regime applying to DSPs is arguably less stringent because assessment of compliance and enforcement can only be carried out after an incident or if a company is reported to the Competent Authority as being non-compliant with the Directive or implementing regulations. The government has stated that DSPs that employ fewer than 50 persons and whose annual turnover or balance sheet total does not exceed €10 million are automatically out of scope. Unhelpfully, it remains unclear whether these criteria are cumulative or alternatives.
Three types of DSP for UK
When issuing its response to the public consultation on 29 January 2018, the government acknowledged the difficulty in defining a Digital Service Provider, but repeated that in order to assist the Competent Authority (which will be the Information Commissioner’s Office for DSPs) and for the DSPs themselves to recognise whether they are in scope of NIS, three types of DSPs should remain:
- Online marketplaces: defined as a platform that acts as an intermediary between buyers and sellers facilitating the sale of goods and services. Online marketplaces, classified advert sites or online retailers are not included.
- Online search engines: allowing users to perform searches of the public parts of the worldwide web – site engines powered by other site engines do not fall within this.
- Cloud Computing Services: means any DSP that enables access to a scalable and elastic pool of shareable physical or virtual resources, including providing public cloud services of the following nature: ‘Infrastructure as a Service’ (IaaS), ‘Platform as a Service’ (PaaS) and ‘Software as a Service’ (SaaS). The Consultation response states that online gaming, entertainment or VoIP services are likely excluded but that SaaS providers “play an important role in the UK’s economy and it is right that they are held responsible.”1
The majority of responses to the consultation focussed on the cloud service providers, or CSPs (the third limb). The main issue raised by CSPs was the difficulty in identifying what types of organisations should be classified as a DSP under the Directive. Some of the themes included the need for broader parameters, such as widening the definitions of Cloud and SaaS to include integration services, content providers, data centres and managed services, while others felt that the definitions were too narrow and that all DSPs should fall under the Directive as many businesses rely on the Internet and digital services. CSPs have raised concerns that the criteria are not clear enough and that the use of the term “cloud” itself is misleading, questioning what might happen in the future if new types of “Cloud” service are produced, and noting that there are already emerging technologies that do not fit well into the IaaS, SaaS and PaaS categories. Those that potentially fall within the definition of DSP highlighted, amongst other things, the additional cost that would need to be added to the services.
The government, however, has kept to its definitions in its response to the Consultation and has made a key point that: “[T]he government’s intention has always been to try to make it clear who was in scope and who was not, and to limit the scope of those who have to comply with the Directive to those companies whose loss of service could have the greatest impact on the UK economy either directly or through impact on other companies.”
The NIS provides a list of 14 security principles that DSPs should abide by to ensure compliance. In addition, DSPs should consider the 14 (different) security principles set out by the National Cyber Security Centre. The implementing regulation (Regulation), which was released shortly after the government’s response to the Consultation, also sets out the elements to be taken into consideration when identifying and taking measures to implement a level of security. More broadly, the implementing Regulation sets out the parameters to determine whether the impact of an incident is substantial and when an incident will be considered substantial. Incidents with a “substantial impact” will need to be notified to the ICO within the same 72-hour timeframe as the General Data Protection Regulation requires.
According to the Regulation (Article 4), the impact of an incident will be considered “substantial” where:
- The service provided by the DSP was unavailable for more than 5 million user-hours (i.e. the number of affected users within the EU for a duration of an hour);
- The incident has caused a loss of integrity, authenticity or confidentiality of transmitted, stored or processed data or the services relating to it offered by or accessible by a network or system of the DSP affecting more than 100,000 users in the EU;
- The incident has caused a risk to public safety, public security or risk of loss of life; or
- The incident has caused material damage to at least one user in the EU exceeding €1million in value.
Providers of private clouds, particularly to large enterprise customers, will need to carefully consider how reporting an incident under point 4 above would or would not potentially prejudice a DSP’s position if faced with claims from customers for the loss of service or damage caused by the incident.
Organisations that are required to report under NIS will also be subject to the reporting requirements of the GDPR, although of course the NIS reporting regime is wider than the requirement to notify personal data breaches pursuant to GDPR. The GDPR and NIS use different criteria to establish what might be considered to be appropriate technical and organisational measures, with far greater detail being provided in the implementing Regulations under NIS. What does seem possible is that a DSP which reports a personal data breach under GDPR, where such breach would not be considered an incident having a “substantial impact” under NIS, could inadvertently highlight that it is not compliant with the security elements set out in Article 2 of the NIS implementing Regulation.
Failure to comply with NIS could result in fines of up to £17 million being imposed. Unlike the level of fine available under the General Data Protection Regulation (GDPR), the UK government has stated that it will impose an overall cap of £17 million, with the two bands for contraventions being merged, so there is a single fine band covering all contraventions. The UK government has recognised the risk of “double jeopardy”, and that this may discourage voluntary reporting, but has reiterated that competent authorities will need to act reasonably, appropriately and proportionately. However, cybersecurity needs to be taken seriously and the government believes the potential level of fines will incentivise a change in behaviour.
Security measures to merge?
In relation to notification of personal data breaches or incidents that have a “substantial impact” under NIS for DSPs or operators of essential services, this clearly needs to be provided for and managed within a supply chain to ensure issues are reported promptly. Although the First Tier Tribunal reached a conclusion under a different regime in the TalkTalk case, the Tribunal did find, in relation to whether TalkTalk knew of the data breach, that due to the extensive detail of the breach provided by the customer, TalkTalk would have been aware of the breach and must have realised that the circumstances described by the customer could only have arisen by reason of a data breach. Under the NIS regime, where the National Cyber Security Centre will play the role of the technical authority (assisting companies responding to a potential incident), companies will need to be aware of discussions and conversations (even informal) that are taking place between their IT department or security teams and the NCSC or its supply chain, and when such discussions may start the 72-hour notification timeframe. DSPs may find themselves faced with a potential decision between failing to notify within timeframes or making a voluntary notification and inviting wider regulatory scrutiny by the ICO.
From a customer perspective, the Regulation provides a helpful checklist of the security parameters expected from a DSP. Considering this guidance and the duties on Controller customers in relation to due diligence when selecting processors, it is hard to see how the two regimes, at least from a security perspective, will not merge, unless of course a System is not storing personal data. From a DSP perspective it seems likely that the cost base of doing business will increase, although arguably if this reduces the overall risk profile of Controller customers, then this may be a price most are willing to pay.
First published on www.privacylaws.com March 2018
1 Page 13, Security of Network and Information Systems, Government response to public consultation, January 2018, Department for Culture, Media and Sport. See www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive
2 As above.
3 Commission implementing regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.