25 April 2018
The Network Information Systems Directive 2016 (NISD or Cybersecurity Directive) must be implemented into UK law by 10 May 2018. While the GDPR has a broad reach, NISD only impacts on certain businesses. In terms of cybersecurity, the GDPR focuses on protecting personal data, whereas NISD is more concerned with network and systems security and interruption to service. Businesses caught by NISD will also have to comply with the GDPR in respect of any personal data.
10 May 2018 (via implementing legislation).
Interruption to service – an incident i.e. "any event having an actual adverse effect on the security of network and information systems".
OESs and DSPs (subject to certain exceptions).
Capped at £17m in the UK.
OESs: relevant CA (sector specific).
Report to regulator
OES: notify CA of "incidents having a significant impact on the continuity of the essential services they provide".
DSPs: notify CA of "any incident having a substantial impact on the provision of a service […] that they offer within the Union".
Timing of report to regulator
Without undue delay and not later than 72 hours.
Report to data subjects
OESs: no requirement but the CA or CSIRT may inform the public.
DSPs: no immediate requirement but may have to inform an affected OES or be required by CA or CSIRT to inform the public.
Timing of report to data subjects
NISD has a different objective to the GDPR. Rather than focusing on the security of personal data, it deals with the security of network and information systems.
NISD is a minimum harmonisation Directive which means, not only that Member States have to produce implementing legislation, but also that they have discretion to go above and beyond what the Directive says. We are, therefore, looking (to a certain extent) at fragmented implementation across the EU although multi-jurisdictional companies can take comfort from the fact that they will be regulated in the place of their “main establishment”.
The UK's implementing legislation is the Network and Information Systems Regulations 2018 (Regulations). The NCSC has already published initial guidance which will be updated shortly and the ICO will also be publishing guidance.
NISD is relevant to you if you are an Operator of an Essential Service (OES) or if you are a Digital Service Provider (DSP) i.e. an online marketplace, an online search engine or a cloud services provider. Where sectors are subject to sector-specific Union legal acts relating to information and network security, these will take precedence (e.g. NISD does not apply to telecoms providers as their security is dealt with by the Framework Directive).
NISD is designed to work alongside data protection legislation. It covers ‘natural persons’ which includes companies, whereas data protection law covers only personal data. As with the GDPR, NISD is intended to have some extra-EU application and will apply to DSPs which are established outside the EU but which offer services within the EU (on more than an incidental and passive basis).
Organisations will be regulated in the Member State of their main establishment which will be where their head office is located. Note that this is a different definition from that used in the GDPR which states that the place of main establishment is presumed to be the data controller’s place of central administration unless the main decision making with regard to the personal data is taken in another Member State.
Where an organisation is subject to NISD but does not have a main establishment in the EU, it must appoint a representative in one of the Member States in which it offers services and it will be subject to regulation in that Member State.
Incident response will be separate from incident reporting. In the UK, all NIS incidents will be reported to the relevant Competent Authority (CA) who will log the incident and decide whether follow up investigation and reporting is required. The National Cyber Security Centre (NCSC) will be the UK's Computer Security Incident Response Team (CSIRT). Voluntary reporting can be made to either the CA or the NSCS. Incident response support on cyber related incidents (e.g. DDoS attacks, malware, hacking) will be provided by the NCSC where required. CAs or possibly the relevant Lead Government Department will provide support for non-cyber or resilience incidents (e.g. hardware failure, fire, physical damage).
DSPs are providers of online marketplaces, online search engines or cloud computing services. These are all defined terms in the Directive which the UK has mirrored in the Regulations:
The UK government has said that it will provide the following clarifications through guidance:
Online search engines
Cloud computing services
The government considers that this primarily (but not exclusively) includes Digital Service Providers that provide public cloud services of the following nature:
UK DSPs (referred to as Relevant Digital Service Providers or RDSPs in the Regulations) are required to register with the UK's ICO, providing their name, address and contact details. The date for registration is:
Regulators are given various general powers but Member States are left to legislate on penalties for non-compliance. There has been a lot of concern around the potential for ‘double jeopardy’ in terms of fines under NISD and the GDPR. The UK government has introduced a maximum financial penalty of £17m for all contraventions under NISD. It cannot, however, remove the possibility of sanctions relating to different aspects of the wrongdoing under other applicable law, including the GDPR.
Note that NISD will not apply directly to suppliers to OES’s or DSPs and enforcement will not take place down the supply chain. OES’s and DSPs will be responsible for ensuring that their suppliers have appropriate measures in place to ensure they are compliant.
Concerns have been raised that different CAs will take different views about enforcement. The government says that while it will encourage cooperation and common procedures, divergence may be appropriate in order to reflect the needs or different sectors.
CAs will be required to take a reasonable and proportionate approach to enforcement. The government recognises that the process of improving network security will take a number of years and is anticipating a collaborative approach by stakeholders.
OESs will be given time to implement the required security measures, and the main priority of CAs in the first year will be information gathering. OESs will be expected to begin analysing their existing systems and security in order to assess what needs to be done.
The recitals to NISD state that the security levels required for DSPs will vary on a case by case basis and they will be subject to a light touch and reactive system of supervision without being subject to general compliance monitoring. CAs should only take action when provided with evidence of non-compliance.
In recently published guidance, the NCSC makes it clear that it does not play a regulatory role. It does, however, have a role in providing support and guidance. It will also take on the following roles:
The NCSC is intending to publish a Cyber Assessment Framework – a systematic means of assessing whether an OES is complying with NISD shortly. In the meantime, it has published guidance on complying with NISD. The advice is based on the 14 Principles set out by the government in its consultation and response to the consultation.
The eagle eyed will have noticed that the GDPR and NISD use different criteria to set out what might be considered to be appropriate technical and organisational measures. However, the intent is broadly the same. An assessment of risk has to be made and appropriate steps need to be taken to prevent that risk from materialising and minimising the damage if it does.
Most organisations caught by the security and breach reporting requirements under NISD, will also be subject to the GDPR. Reporting a breach to the SA under the GDPR will not mean there is no requirement to notify under NISD although DSPs will be regulated by the ICO under both sets of legislation.
To help minimise risk and prepare for the new requirements, see our checklists:
If you have any questions on this article please contact us.