The EU Network and Information Systems Directive (“NISD”) was required to be implemented into national law by 9 May 2018. The UK implementing regulations (the Network and Information Systems Regulations 2018) (“Regulations”) are now in force.
The Regulations impose cyber security standards on operators of essential services (“OES”) and certain digital service providers (“DSPs”) to help ensure that cyber attacks do not damage the wider economy. Continue reading
Cyber security remains in the public eye with multiple incidents and vulnerabilities reported affecting telecoms companies. Telecoms companies need to continue to focus on the risks and consider updating their pro-active defence and cyber security response plans to reflect the increased legal, operational, technical and regulatory risks they are facing.
The evolution of the cyber threat has not escaped the attention of governments around the world. In 2018 the Network and Information Security Directive (NISD) as well as the General Data Protection Regulation (GDPR) will be implemented in the EU. The NISD, which is due to be implemented by May, will require operators of core “digital infrastructure” and certain “digital service providers” to ensure that their network and information systems meet minimum standards of cyber security. Continue reading
The public consultation issued by the UK Department for Digital, Culture, Media & Sport on implementing the EU Network and Information Security Directive (“Cyber Security Directive”) into national legislation closed on 30 September 2017 (the “Consultation”).
The Consultation sets out the UK Government’s planned approach for implementing the Cyber Security Directive, along with a series of questions on a range of detailed policy issues relating to the implementation. It seeks to obtain views from industry, regulators and other interested parties on the proposed plans. The Government is currently analysing feedback and a formal response is expected in December 2017 (within ten weeks of the consultation closing date). The Government has also confirmed its intention for the implementing legislation to continue to apply in the UK post-Brexit (refer to our previous related article for further detail). Continue reading
The new report referenced in the article above, follows comprehensive guidelines (the “Guidelines“) published by ENISA in February 2017 for Member States and the European Commission on how to implement incident notification for “digital service providers” (“DSPs“) across the EU, in the context of the Cyber Security Directive.
DSPs: The Cyber Security Directive sets out obligations in respect of “operators of essential services” and DSPs, with a slightly “lighter touch” approach applying to the latter. DSPs are limited to three types of services:
- online marketplaces – which allow consumers and traders to conclude online sales or service contracts with traders and are the final entity where the contract is concluded. The term excludes both online “intermediaries” to third party services through which a contract can be concluded, as well as online price comparison services of different traders that redirect the user to the preferred trader to purchase the product;
- online search engines – excluding search functions that are limited just to the content of a specific website; or
- cloud computing service providers – spanning a wide range of activities that can be delivered according to different models.