The EU Network and Information Systems Directive (“NISD”) was required to be transposed into national law by 9 May 2018. The UK implementing regulations, the Network and Information Systems Regulations 2018 (“Regulations”), are now in force.
The Regulations impose cyber security obligations on operators of essential services (“OES”) and certain digital service providers (“DSPs”), with the aim of ensuring that cyber attacks on those services do not cause wider economic damage.
OES include companies in the electricity, oil and gas, transport (air, water, road and rail), healthcare, drinking water supply and digital infrastructure sectors. The thresholds that determine whether an organisation is an OES are set out in Schedule 2 of the Regulations. A competent authority is designated for each sector.
Affected DSPs are providers of online search engines, online marketplaces and cloud computing services. The relevant definitions are set out in Regulation 1. The ICO has been designated as the competent authority for DSPs.
Affected organisations are required to:
- notify the relevant competent authority that they fall within the scope of the Regulations, by 10 August 2018 for OES and by 1 November 2018 for DSPs;
- implement appropriate and proportionate organisational and technical measures to manage the risks to their network and information systems; and
- report security incidents that have a significant impact on their services to their competent authority.
Fines of up to £17m can be imposed to ensure compliance. Organisations covered will need to review not only their own cyber security practices but also those of businesses in their supply chains.
National Cyber Security Centre’s security principles
In March 2018, the National Cyber Security Centre (“NCSC”) published guidance for OES on implementing appropriate cyber security practices in light of the NISD. It is expected that the sectoral competent authorities will adopt this guidance. It sets out four objectives and 14 principles; the full guidance is available from the NCSC. BEIS, the competent authority for the energy sector, has issued a paper directed to OES in that sector.
The NCSC has also published guidance on the responsibility of OES for compliance with security requirements throughout the supply chain. As with the position under the GDPR, an OES remains responsible for ensuring that security requirements are met, regardless of whether the relevant service is delivered by the operator itself or by a third party. The NCSC suggests that OES take a risk-based approach to supplier contracts and incorporate tailored security provisions that are appropriate and proportionate to the risks involved.
Steps moving forward
Organisations should update their policies and processes in light of the Regulations coming into force and the NCSC guidance currently available, to the extent this has not been done already. In addition, the Regulations require competent authorities to publish and enforce guidance for their specific sectors. Organisations should therefore watch for this further sector-specific guidance, which is still awaited and is likely to contain key details.