The public consultation issued by the UK Department for Digital, Culture, Media & Sport on implementing the EU Network and Information Security Directive (“Cyber Security Directive”) into national legislation closed on 30 September 2017 (the “Consultation”).
The Consultation sets out the UK Government’s planned approach for implementing the Cyber Security Directive, along with a series of questions on a range of detailed policy issues relating to the implementation. It seeks to obtain views from industry, regulators and other interested parties on the proposed plans. The Government is currently analysing feedback and a formal response is expected in December 2017 (within ten weeks of the consultation closing date). The Government has also confirmed its intention for the implementing legislation to continue to apply in the UK post-Brexit (refer to our previous related article for further detail).
Background
The so-called Cyber Security Directive was adopted by the European Parliament on 6 July 2016. Member States have until 9 May 2018 to transpose the directive into domestic legislation and it will apply from 10 May 2018. The Cyber Security Directive intends to provide legal measures to boost the overall level of cyber security in the EU, by:
- ensuring that Member States have in place a national framework to support and promote the security of network and information systems, consisting of a National Cyber Security Strategy, a Computer Security Incident Response Team (“CSIRT”), a Single Point of Contact (“SPOC”) and a national competent authority (or authorities) in respect of network information security;
- setting up a co-operation group to support and facilitate strategic cooperation and the exchange of information among Member States; and
- ensuring the framework for security of network and information systems is applied effectively across sectors which are vital for the economy and society and those that rely heavily on information networks, including energy, transport, water, healthcare and digital infrastructure sectors.
- Businesses in these sectors that are identified by Member States as “operators of essential services” will have to take appropriate and proportionate security measures to manage risks to their network and information systems and notify serious incidents to the relevant authority.
- Key “digital service providers” (e.g. search engines, cloud computing services and online marketplaces) will also have to comply with security and incident notification requirements established under the Cyber Security Directive.
Some of the key elements proposed by the Government in the Consultation include:
- Sanctions regime: An approach similar to that of the General Data Protection Regulation (the “GDPR”) to provide consistency with the Government’s overall regulatory approach towards cyber security. Member States are required to lay down rules on penalties that apply for breaches of the national provisions – these must be effective, proportionate and dissuasive. The two-tier bands proposed in the Consultation comprise:
- Tier 1: a maximum of €10 million or 2% of global turnover (whichever is greater) for lesser offences (such as failure to cooperate with the competent authority and failure to report a reportable incident); and
- Tier 2: a maximum of €20 million or 4% of global turnover (whichever is greater) for failure to implement appropriate and proportionate security measures.
- The Information Commissioner (the “ICO”) published her response to the Consultation on 29 September 2017. In her response, she concurred with the Government’s intention to align the penalty regime with the GDPR but advised that further clarity was required on this alignment. The ICO also advised the Government to take into account the guidelines on administrative fines that were published by the Article 29 Working Party in October 2017.
- The Government provides some comfort that financial penalties will only be levied as a last resort where it is assessed that appropriate risk mitigation measures were not in place without good reason, and acknowledges that the maximum fines would only be appropriate in the most “egregious incidents”. However, interested parties have commented that the proposed regime seems disproportionate compared to other regimes elsewhere in Europe; for example, in Germany the IT Security Act intends to levy a maximum fine of up to €50,000 for any breach of security and reporting obligations and a maximum fine of €100,000 for non-compliance with a direct order from the German regulator.
- Operators of essential services (“OES”): A proposed approach to identify these operators using four criteria which are set out in an annexure, namely: the sector (the broad part of the UK economy); subsector (specific elements within an individual sector); essential service (the specific type of service) and identification thresholds to identify essential operators (e.g. through size or impact of the events sought to be prevented).
- The proposed thresholds are stated to be “at such a level so as to capture only the most important operators in each sector based on potential of a disruption to their essential service resulting in what the government considers would be a significant disruptive effect” with separate thresholds to be established for incident reporting. The Government has attempted to make these criteria as clear as possible to allow operators to determine whether they need to comply with the directive.
- The Consultation also acknowledges that the banking and financial market infrastructure sectors within scope of the Cyber Security Directive will be exempt from certain aspects of the legislation where provisions at least equivalent to those in the directive will already exist by the time the directive comes into force. The identifying process for operators of essential services is one such example. Firms and financial market infrastructure within these sectors must continue to adhere to requirements and standards set by the Bank of England and/or the Financial Conduct Authority.
- Service providers not caught by the thresholds in the annexure may still be subject to the proposed security measures. The Consultation also proposes a reserve power for the Government (or relevant competent authority) to designate specific operators in the implementing regulations, even though they are outside of the thresholds. This limited power is envisaged to apply where there are valid reasons on the grounds of national security, a potential threat to public safety or the possibility of significant adverse social or economic impact resulting from a disruptive incident.
- Digital Service Providers (“DSPs”): Proposed definitions for each of online marketplace, online search engine and cloud computing services.
- Competent Authority: A proposal to nominate multiple sector-based competent authorities to be responsible for implementing the Cyber Security Directive (rather than a single national competent authority). Whilst a single authority may more easily develop expertise in the security of network and information systems, the Consultation acknowledges that this needs to be balanced against a detailed understanding of the individual sectors and their associated challenges, something which multiple competent authorities may more easily provide. The Consultation sets out a table of proposed competent authorities divided by sector, with the ICO proposed as the competent authority for DSPs, for example.
- Where operators provide services in more than one sector and therefore fall under the remit of more than one competent authority, the Consultation confirms that the relevant authorities will be encouraged to cooperate and provide consistent advice and oversight. The same approach is encouraged where an incident crosses regulatory boundaries (e.g. a NIS incident that also involves the loss of personal data). In these circumstances, the ICO’s response clarifies that any requirement to notify the NCSC about a breach under the Cyber Security Directive will not satisfy the requirement to inform the ICO of data breaches where required under the GDPR, which will need to be reported separately.
- Security requirements for operators of essential services: A guidance and principle based approach to implement the security requirements set out in the Cyber Security Directive. The Government’s proposed high level security principles are set out in an annexure to the Consultation and include a principle specifically to address supply chain protection i.e. so that an organisation understands and manages security risks to the network and information systems supporting the delivery of essential services arising from dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used. The principles will be complemented by more detailed guidance (including sector specific guidance). The Government proposes a similar principles and guidance based approach to security measures for DSPs with the aim of ensuring the guidance is as close to the ENISA guidance as possible (refer to our related article here for further detail on the ENISA guidance).
- Incident reporting for operators of essential services: A proposal for how to define an incident for the purpose of the Cyber Security Directive, thresholds for determining whether an incident has a significant impact and the timeframe within which an incident must be reported. The Government states its aim to align reporting requirements under the Cyber Security Directive with existing arrangements where possible. A similar strategy is set out in respect of DSPs. All reporting is proposed to be to the NCSC, as the dedicated CSIRT for the purpose of the directive.
- The Government considers knowledge of threats and incidents to be an important part of understanding risks and mitigating possible threats. It has therefore also proposed voluntary reporting of incidents that do not meet the specified thresholds – such as where operators have to take action to maintain supply, provision, confidentiality or integrity of the service. Whilst this voluntary reporting will not subject the OES to increased liability, the competent authority will expect an OES to respond to these incidents as part of their duty to ensure that appropriate risk-management measures are in place to mitigate the impact of any adverse incident.
- Whilst the Cyber Security Directive simply states the need to notify an incident “without undue delay”, it is common to set a maximum period in which companies have to report. The Government seeks to align this with the requirements of the GDPR by suggesting “without undue delay and as soon as possible, at a maximum no later than 72 hours after having become aware of an incident”. However, given the slight differences in the drafting used when compared to the corresponding GDPR provision, the ICO has commented that a direct transposition of the equivalent provision would more readily achieve such alignment – not least inclusion of the words “where feasible” with reference to the time period. Where existing arrangements for incident reporting relating to loss of supply of critical/essential service exist and are of a shorter time frame, these will remain in place.
In the meantime, on 13 September 2017 the European Commission also published a draft implementing regulation in respect of the Cyber Security Directive, which will no doubt feed into the DCMS’s forthcoming formal response to the Consultation. Once finalised, the EU implementing regulation (including some of the thresholds and other tests for what constitutes a “substantial” incident for Digital Service Providers) will have direct effect while the UK remains in the EU, but not afterwards. It remains to be seen whether any further national legislation such as the Great Repeal Bill will seek to mirror the requirements of the EU implementing regulation (including the test for whether there is an impact on users in the remaining Member States of the EU).
The DCMS Consultation document can be found here.
The draft European Commission Implementing Regulation can be found here.