Cyber attacks on the NHS and other critical infrastructure have made many headlines over the last year, yet significant changes to tighten up security are still happening largely under the radar.
This is partly down to the intense focus on the General Data Protection Regulation (GDPR), which takes effect in May. Organisations of all sizes are, quite rightly, very concerned about GDPR obligations.
However, it is perhaps surprising there hasn’t been more discussion about the Directive on Security of Network and Information Systems (the NIS Directive). Depending on the nature of your business, it could be just as important as GDPR.
The NIS Directive is concerned with security of systems and data more generally, not just personal data. A NIS Directive consultation in the UK took place last autumn and the next step, a consultation on the overarching EU body governing cybersecurity, ends on 13th February.
This might seem distant from day-to-day business concerns, but the large-scale WannaCry and NotPetya ransomware cyber attacks last year, including the ransomware hit on the NHS, changed the game. They brought home the fact that such attacks can affect us in the most fundamental ways – by closing our doctor’s surgery or forcing hospitals to cancel operations.
The Autumn 2017 consultation
The consultation last autumn on the NIS Directive was designed to examine how critical IT infrastructure in key sectors of the economy – including energy and health services – can be better prepared to deal with cyber security threats. The Directive is designed to cover severe disruption that could be triggered by attacks on IT infrastructure, such as power failures; literally, a fear that the lights might go out.
There are three central strands to achieving the objectives of the NIS Directive:
- improving cyber security capabilities at a national level
- increasing cooperation on cyber security among EU member states
- introducing security measures and incident reporting obligations for “operators of essential services” in critical national infrastructure
As well as health and energy, this includes transport (air, rail, water and road), suppliers and distributors of water, plus banking and financial infrastructure – although the latter are likely to benefit from certain exemptions.
The NIS Directive also regulates digital service providers (DSPs), such as online marketplaces, cloud computing providers and search engine operators.
Each EU country is responsible for drawing up a list of companies that should be subject to the new rules and identifying criteria to determine which entities are subject to NIS obligations.
Businesses operating in a critical category and on this list must take appropriate security measures and notify the relevant national authority (the Information Commissioner’s Office in the UK) within 72 hours of becoming aware of a significant incident (in line with GDPR reporting timescales).
There are exemptions including DSPs with fewer than 50 employees and an annual balance sheet under €10 million.
Another exemption is likely to apply to the banking and financial services sector. The NIS Directive acknowledges that current requirements in respect of certain systems may exceed what is required under the Directive. Where this is the case, firms will be exempt, to the extent that provisions at least equivalent to those specified in the Directive already exist by the time it comes into force. However, firms and financial market infrastructures must continue to adhere to requirements and standards as set by the Bank of England and the Financial Conduct Authority. Additionally, technical guidance to be published by the National Cyber Security Centre will be widely applicable, and relevant to the financial sector.
The Information Commissioner’s view
The UK Government is yet to issue a formal response to the consultation, but comments from the Information Commissioner Elizabeth Denham made interesting reading. While recognising the need to increase security of essential services, she cautioned against ‘setting overly rigid parameters for the determination of an impact which is substantial’, as this may be undesirable and ‘could lead to a failure to report incidents’.
Specifically, Ms Denham questioned whether it was right to reference a specific number of affected users or length of time a service was unavailable to determine whether an incident should be notified. Currently, the threshold is 100,000 users and five million user hours. She thought it would be more useful if the obligation to notify focused on the impact on service users – for example, interruption to a critical service should be notifiable at a lower level, while less business-critical services could tolerate a higher level of interruption.
The current consultation
The current consultation looks at the EU-wide picture, specifically how the European Commission should reform ENISA (the EU Cybersecurity Agency) and establish a framework to govern European cyber security. The proposal aims to provide ENISA with a strengthened, permanent mandate, and to increase the trust and security of ICT products and services.
The Department for Digital, Culture, Media and Sport is seeking the views of all interested groups through industry events. After the consultation closes on 13th February, the UK Government has less than three months (until 9th May) to implement the Directive.
Given the tight implementation timescales, and the prospect of sanctions for operators of essential services and DSPs who don’t comply with the requirements, businesses must be ready for the NIS Directive. If they are uncertain how it might affect them, taking advice on implementation, readiness and compliance should be high on the agenda.
While the principal focus is on businesses providing “essential services” and DSPs, key suppliers and partners of those operators are likely to be affected by a flow-through of contract obligations. Matters are not getting any easier following recent controversy surrounding the Meltdown and Spectre chip vulnerabilities.
With the potential for the same maximum penalties as GDPR (€20 million or 4% of global annual turnover, whichever is higher) and a possible “double hit” for breaches involving personal data, it is vital for affected businesses to consider the NIS Directive alongside GDPR. A failure to do so could be catastrophic – for business, public confidence and wider cyber security.