New cybersecurity regulations to take effect on 10 May
The EU Network and Information Security Directive, or Cybersecurity Directive, tackles head-on the increasing problem of cybersecurity breaches in nationally important systems and services.
We reported in January on the UK Government's plans to implement the Cybersecurity Directive, and the debate around contentious areas like what sectors should be covered and which regulators should be responsible for oversight. The finalised regulations have now been published (the Network and Information Systems Regulations 2018) and will take effect on 10 May. The Department for Digital, Culture, Media and Sport (DCMS) also published its Impact Assessment and some further guidance directed towards the regulators earmarked to ensure compliance.
The DCMS guidance makes it clear that there is a need for regulators to be proactive and engage with their respective industries now in an attempt to ensure a smooth transition into the new cybersecurity regime. It recommends that they develop an oversight process by which they can monitor the application of the NIS Regulations by the industries in their sector. We can expect the regulators themselves to publish further guidance for their sectors within the next couple of months on how they will approach their tasks and the incident reporting requirements for their sector.
As well as services deemed essential like healthcare, digital infrastructure, transport, and energy and water distribution, the NIS Regulations also target specified Digital Service Providers, or DSPs. Note the difference between digital infrastructure that falls within the “essential” category (major TLD registries, DNS services, IXP operators) and DSPs (online marketplaces, online search engines and cloud computing services reaching a threshold size).
DSPs will be caught by the NIS Regulations but subject to a reduced set of obligations overseen by the Information Commissioner's Office (ICO). We can expect sector guidance for DSPs from the ICO, to be produced in collaboration with other EU regulators and the European Network and Information Systems Agency (ENISA).
What do the NIS Regulations require organisations to do?
In summary, operators of essential services (OES) caught by the regulations will have to:
- “take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies”. These measures “must, having regard to the state of the art, ensure a level of security of network and information systems appropriate to the risk posed”
- “take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of an essential service, with a view to ensuring the continuity of those services”
- have regard to relevant guidance
- notify the relevant regulator of any adverse incident that “has a significant impact on the continuity of the essential service which that OES provides”.
A digital service provider falling within the regulations will have to “identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies”, and notify the ICO about incidents having a “substantial impact”.
Tough penalties for non-compliance
Many in the affected industries will be relieved to see that the percentage of total turnover method for calculating fines has been removed. But penalties for failure to comply with enforcement notices from regulators could still be very substantial - up to £17m for the most serious breaches. The risk of being penalised twice for the same incident under different regimes remains: a single security breach could, for example, lead to penalties under both the NIS Regulations and the GDPR. The guidance requires regulators to take account of other enforcement action when deciding the appropriate fine, and there is an appeal procedure.
What about Brexit?
The DCMS guidance makes clear that the UK intends to continue to comply with the Cybersecurity Directive after the UK leaves the EU.