Getting to grips with the NIS Directive (and fines of up to £17m)

05 / 04 / 2018
Businesses across the UK face an abundance of new regulations in 2018. The new year had barely started before MiFID II was implemented for financial services firms, and the rest of the country - and much of the world - are currently making preparations for the GDPR's introduction on May 28th. 

But May also brings another European piece of legislation to British shores. The EU Directive on the Security of Network and Information Systems - or the NIS Directive for short - is the first Europe-wide law dedicated to cyber security. 

While it may not have received as much airtime as the GDPR, non-compliant businesses could face fines of up to £17 million for cyber security failings under the NIS Directive.

Legislation supporting the directive is expected to be in place by May 9th. But which organisations are affected and what constitutes a cyber security breach serious enough for a multi-million-pound penalty? Let's answer some key questions. 

To whom does the directive apply? 

The directive aims to improve the security and resilience of the country's "essential service" and "digital service" providers. Unsurprisingly, many respondents to a government consultation on the issue found these definitions quite ambiguous. 

Furthermore, each EU member state has the power to determine what constitutes an essential service, so the directive could apply to different types of organisation in particular countries. 

Broadly, the legislation will apply to infrastructure firms that place heavy reliance on IT systems and could have a significant impact on a country's economy if they were compromised. 

In the UK, the government designated organisations operating in these sectors as providing essential or digital services: 

Water; 
Energy (including gas, electricity and oil); 
Healthcare; 
Transport (including air, maritime and rail); 
Internet exchange points; 
Online marketplaces; 
Search engines; 
Cloud computing services; and 
Domain name services. 

A full list of essential service providers and the relevant thresholds for NIS Directive compliance can be found here. 

What are the NIS Directive guidelines for affected firms?

The UK is taking a prescriptive approach to implementing the directive. In other words, the government has tasked the National Cyber Security Centre (NCSC) with producing a set of principles that businesses are expected to follow. 

The NCSC has produced 14 rules, which are divided into four overarching objectives:

1. Managing security risk

Organisations will be expected to have appropriate systems in place across four key areas: 

Governance; 
Risk management; 
Asset management; 
Supply chains. 

2. Defending systems against attacks 

Drilling down into the specifics of cyber security, businesses must ensure strong policies in: 

Service protection policies and procedures; 
Identity and access control; 
Data security; 
System security; 
Resilient networks and systems; and
Staff awareness and training. 

3. Detecting cyber incidents 

The NCSC outlines two fundamental points of compliance:

Security monitoring; and 
Anomaly detection. 

4. Minimising cyber security incident impact 

When defensive measures have failed, organisations must consider: 

Response and recovery planning; and
Improvements to current systems. 

How will non-compliant firms be penalised? 

The government has confirmed that regulators will take an "appropriate and proportionate" approach to breaches, particularly within the first year after the NIS Directive is implemented. Nevertheless, substantial failings could land essential service providers with fines of up to £17 million in the most severe cases.

But can organisations be tried for the same breach twice under both the NIS Directive and the GDPR? Apparently so, with the government claiming that businesses may need to be penalised for wrongdoing under different parts of each piece of legislation. 

"We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services," said Margot James, minister for digital and the creative industries. 