Getting to grips with the NIS Directive (and fines of up to £17m)

Businesses across the UK face an abundance of new regulations in 2018. The new year had barely started before MiFID II was implemented for financial services firms, and the rest of the country – and much of the world – are currently making preparations for the GDPR’s introduction on May 28th.


But May also brings another European piece of legislation to British shores. The EU Directive on the Security of Network and Information Systems – or the NIS Directive for short – is the first Europe-wide law dedicated to cyber security.


While it may not have received as much airtime as the GDPR, non-compliant businesses could face fines of up to £17 million for cyber security failings under the NIS Directive.


Legislation supporting the directive is expected to be in place by May 9th. But which organisations are affected and what constitutes a cyber security breach serious enough for a multi-million-pound penalty? Let’s answer some key questions.

To whom does the directive apply?

The directive aims to improve the security and resilience of the country’s “essential service” and “digital service” providers. Unsurprisingly, many respondents to a government consultation on the issue found these definitions quite ambiguous.


Furthermore, each EU member state has the power to determine what constitutes an essential service, so the directive could apply to different types of organisation in particular countries.


Broadly, the legislation will apply to infrastructure firms that place heavy reliance on IT systems and could have a significant impact on a country’s economy if they were compromised.


In the UK, the government designated organisations operating in these sectors as providing essential or digital services:

  • Water;
  • Energy (including gas, electricity and oil);
  • Healthcare;
  • Transport (including air, maritime and rail);
  • Internet exchange points;
  • Online marketplaces;
  • Search engines;
  • Cloud computing services; and
  • Domain name services.

A full list of essential service providers

and the relevant thresholds for NIS Directive compliance can

be found here.

What are the NIS Directive guidelines for affected firms?

The UK is taking a prescriptive approach to implementing the directive. In other words, the government has tasked the National Cyber Security Centre (NCSC) with producing a set of principles that businesses are expected to follow.


The NSCS has produced 14 rules, which are divided into four overarching objectives:

1. Managing security risk

Organisations will be expected to have appropriate systems in place across four key areas:

  • Governance;
  • Risk management;
  • Asset management;
  • Supply chains.

2. Defending systems against attacks 

Drilling down into the specifics of cyber security, businesses must ensure strong policies in:

  • Service protection policies and procedures;
  • Identity and access control;
  • Data security;
  • System security;
  • Resilient networks and systems; and
  • Staff awareness and training.

3. Detecting cyber incidents 

The NSCS outlines two fundamental points of compliance:

  • Security monitoring; and
  • Anomaly detection.

4. Minimising cyber security incident impact 

When defensive measures have failed, organisations must consider:

  • Response and recovery planning; and
  • Improvements to current systems.

How will non-compliant firms be penalised?

The government has confirmed that regulators will take an “appropriate and “proportionate” approach to breaches, particularly within the first year after the NIS Directive is implemented. Nevertheless, substantial failings could land essential service providers with fines of up to £17 million in the most severe cases.


But can organisations be tried for the same breach twice under both the NIS Directive and the GDPR? Apparently so, with the government claiming that businesses may need to be penalised for wrongdoing under different parts of each piece of legislation.


“We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services,” said Margot James, minister for digital and the creative industries.

“I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security.”

Are organisations prepared for the NIS Directive?

A recent government report revealed that only 55 per cent of businesses in the information, communications and utilities industries strongly agree their core employees take cyber security seriously. Just 42 per cent said their senior management or directors see cyber security as a top priority.


These statistics are likely to be concerning for the boards of these companies, many of which could come under the purview of the NIS Directive. The legislation is likely to require significant collaboration between the three lines of defence, as well as input from cyber experts and in-house legal teams.


We don’t yet know how punitive regulators are likely to be regarding breaches, but firms will no doubt want to prepare for every eventuality given the harsh penalties involved.


Image credit: Sitthiphong via iStock