The EU Network and Information Systems Directive (“NISD”) was required to be implemented into national law by 9 May 2018. The UK implementing regulations (the Network and Information Systems Regulations 2018) (“Regulations”) are now in force.

The Regulations impose cyber security standards on operators of essential services (“OES”) and certain digital service providers (“DSPs”) to help ensure that cyber attacks do not damage the wider economy.

OES include companies in the electricity, oil and gas, air, water, road and rail transport, healthcare, water and digital infrastructure sectors. The relevant thresholds are set out in Schedule 2 of the Regulations. A competent authority is designated for each sector.

Affected DSPs include operators of search engines, online marketplaces and cloud computing providers. The relevant definitions are set out in Regulation 1. The ICO has been designated as the regulator for DSPs.

Affected organisations are required to:

  • notify the relevant regulator that they fall within the scope of the Regulations by 10 August 2018 for OES and by 1 November for DSPs;
  • implement appropriate organisational and technical measures to manage cyber risk; and
  • report cyber security incidents affecting their operations to their regulator.

Fines of up to £17m can be imposed to ensure compliance. Organisations covered will need to consider their own cyber practices and those of businesses in their supply chains.

National Cyber Security Centre’s security principles

In March 2018, the National Cyber Security Centre (“NCSC”) published guidance for OES on implementing appropriate cyber security practices in light of the NISD. It is expected that the sectoral regulators will adopt this guidance. Four objectives and 14 principles are set out; the full guidance may be accessed here. BEIS, the regulator for the energy sector, has issued a paper directed to OES in that sector.

Supply chain

The NCSC has also published guidance on the responsibility of OES for compliance with security requirements throughout the supply chain. In line with the requirements of the GDPR, OES must ensure that security requirements are met, regardless of whether the service provider is the operator itself or a third party. The NCSC suggests that OES take a risk-based approach to supplier contracts and incorporate tailored security provisions which are appropriate and proportionate in respect of the risks involved.

Steps moving forward

Organisations should update policies and processes in light of the NIS Regulations coming into force and the current NCSC guidance available, to the extent this has not been done already. In addition, the NIS Regulations require that competent authorities publish and enforce guidance in relation to specific sectors. Therefore, organisations need to keep an eye out for further guidance which is still awaited and is likely to contain key details.

Miriam Everett
Head of Data Protection and Privacy, London
+44 20 7466 2378
Nick Pantlin
Partner, Head of TMT, Sourcing and Data, London
+44 20 7466 2570
Andrew Moir
Partner, Global Head of Cyber Security, London
+44 20 7466 2773
Claire Wiseman
Senior Associate and Professional Support Lawyer, TMT, Sourcing and Data, London
+44 20 7466 2384