While businesses ready themselves for the General Data Protection Regulation (the "GDPR"), operators of essential services also need to ensure compliance with further EU legislation. The EU Network and Information Security (NIS) Directive (the "Directive") aims to establish an EU-wide security framework, including cyber security, which will complement the new data protection requirements detailed in the GDPR.
The UK government published a consultation last week seeking views from industry, regulators and other interested parties on its plans to implement the Directive.
The Directive requires operators of essential services (private or public organisations that provide services in critical sectors such as energy, transport, banking, finance and health) and digital service providers (online marketplaces, search engines and cloud computing service providers) to implement appropriate security measures to protect, and ensure the continuity of, the IT networks they use to support essential services.
Whereas the GDPR is aimed at protecting personal data, the Directive is aimed at protecting essential infrastructure and is therefore not limited to personal data. As such, although it is possible that a data breach may lead to liability under both the GDPR and the Directive, this will not always be the case. For instance, a data breach which leaked personal data may lead to liability under the GDPR if the relevant data controller failed to report the breach and/or did not have compliant data protection measures in place, but this would not necessarily lead to liability under the Directive unless (a) that data controller was providing an essential service; and either (b) the breach put those services out of action without adequate business continuity management in place; or (c) the provider failed to notify the competent authority. More information on compliance is provided below.
Commentators have criticised the Directive for focusing on large organisations and excluding SMEs, which may still have significant processing capabilities. Furthermore, SMEs could be used as a bridge to attack bigger organisations where they form part of the essential services supply chain.
Penalties for non-compliance are not prescribed in the Directive but must be “effective, proportionate and dissuasive”. We will likely have more information following the consultation.
Operators of essential services caught under the Directive must:
- take "appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use" having particular regard to: (a) systems security; (b) incident handling; (c) business continuity management; (d) monitoring, auditing and testing; and (e) compliance with international standards; and
- notify the competent authority without undue delay of any incident having a substantial impact on the provision of critical services.
The Directive entered into force in August 2016. EU member states – including the UK – must implement the Directive into national law by 9 May 2018, and have a further six months to identify the “operators of essential services and digital service providers”.
The UK government confirmed in its December 2016 Cyber Security Regulation and Incentives Review that the NIS Directive will be implemented in the UK irrespective of Brexit.
The UK government published its consultation paper last week. The consultation sets out the government's proposed approach and asks a series of questions on policy issues relating to the Directive.
If your business is affected by the Directive, this is your opportunity to engage with the process and to take action to prepare for the legislation next year.