Across Europe and the UK, cybersecurity strategy is on the agenda for a regulatory refresh amid concerns about the ability of current legislation to provide robust cybersecurity protection.
As a result, the European Commission published a new Cybersecurity Strategy in January and plans to revise the Security of Network and Information Systems Directive (NISD) and introduce a Critical Entities Resilience Directive (CERD) to update the European Critical Infrastructure Directive.
The UK has also increased its focus on network and information systems security, with its own proposals to update its NIS Regulations (which transposed NISD into UK law) and to enact a Telecommunications Security Bill.
EU Cybersecurity Strategy
In December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy announced their new Cybersecurity Strategy. It aims to boost Europe's collective resilience against cyberthreats, involving cooperation and harmonisation across Member States, as well as plans for international cooperation and common standards.
In addition to revising NISD and introducing CERD, the Commission proposes launching a network of Security Operations Centres across the EU, powered by AI, which will act as a cybersecurity shield able to detect signs of an attack and trigger pre-emptive or mitigating action. Support will also be created for SMEs under Digital Innovation Hubs.
NIS2 Directive
Overview
NISD was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. Member States had to transpose NISD into their national laws by 9 May 2018 and identify operators of essential services by 9 November 2018.
NISD provides legal measures to boost the overall level of cybersecurity in the EU by ensuring Member States are appropriately equipped to deal with issues via a Computer Security Incident Response Team and a competent national NIS authority. NISD also set up a Cooperation Group in order to support and facilitate strategic cooperation and the exchange of information among Member States.
Crucially the Directive also imposes security and breach notification requirements for operators of essential services and qualifying digital service providers providing one or more of online marketplaces, online search engines and cloud computing services.
Key proposed changes
There was initially discussion regarding the re-characterisation of NISD to a Regulation in an attempt to reduce fragmentation across the EU, but current plans are to revise the existing Directive to create what is popularly known as the NIS2 Directive.
NIS2 will cover medium and large enterprises across a wider range of sectors based on their criticality for the economy and society. It will also bring into force a new size cap to bring all medium and large companies within NIS2's remit. It does, however, also give Member States the flexibility to bring smaller companies within scope where there is justification for doing so.
The proposal aims to strengthen security requirements for companies in scope by imposing a risk management approach with a minimum list of basic security elements that have to be applied. The proposal also introduces more precise provisions on the process for incident reporting, the content of the reports and timelines.
In addition, the Commission proposes addressing security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in supply chains and supplier relationships.
Member States, in cooperation with the Commission and the European Union Agency for Cybersecurity, will also be required to carry out coordinated risk assessments of critical supply chains, building on the successful approach taken in the context of the Commission Recommendation on Cybersecurity of 5G networks.
Timeline
The EC is committed to implementing the new Cybersecurity Strategy in the coming months. NIS2 is not yet finalised; however, once agreed, Member States will have 18 months to transpose it into national law. The Commission will have to review it periodically and report for the first time on the review 54 months after entry into force.
CERD
The proposal for CERD is intended to expand the scope and depth of the 2008 European Critical Infrastructure Directive. It will extend to cover the energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, and space sectors.
Member States will be required to adopt a national strategy for ensuring the resilience of critical entities and carry out risk assessments. The assessments will also help identify a smaller subset of critical entities which will be subject to risk mitigation requirements for non-cyber risks.
The Commission will provide support to Member States and critical entities through a range of measures, including providing training and best practice guidelines.
UK NIS Regulations
Overview
In the UK, NISD was transposed into UK law by the NIS Regulations.
The Regulations apply to Operators of Essential Services (OESs) in the transport, energy, water, health, and digital infrastructure sectors as well as to relevant Digital Service Providers (RDSPs). The Regulations specify that – if falling within the designation thresholds – an OES or RDSP must:
- Take appropriate and proportionate measures to ensure the security of the network and information systems used to provide their essential services, both by managing risk and by minimising impact of any disruption.
- Notify their competent authority about any incident which has an adverse effect on the security of the network and information systems used to provide their four essential services, according to criteria set out in incident reporting thresholds.
The existing version of the NIS Regulations was amended to account for Brexit and took effect from 1 January 2021. During 2020, the UK government ran a consultation and proposed further amendments to the Regulations.
Key proposed changes
The consultation responses suggested a need to ensure that UK authorities have an effective cost recovery mechanism in place and that both OESs/RDSPs and competent authorities can make use of a robust but simplified system for appeals. To drive change, a more effective enforcement regime is needed, which might be achieved by refining the current provisions around notices, penalties, and thresholds.
The consultation responses also raise the possibility of amending incident thresholds and ensuring designation thresholds are fit for purpose.
An overarching view was that the NIS Regulations must remain flexible. To this end, it seems likely any revisions will include measures to allow for change and go beyond the limitations of NISD where necessary.
Like the Commission, the UK also sees the need to work to reduce risks around insecure supply chains – the UK government is considering further intervention in this area.
While there is some crossover between the EU and UK proposals, we will need to wait and see whether the UK's eventual changes are in line with the EU's.
Timeline
It is unclear which recommendations from the consultation will be taken forward and how soon the proposed amendments to the UK's NIS Regulations will come into force.
UK Telecommunications (Security) Bill
Overview
The government published the Telecommunications (Security) Bill in November 2020. The Bill seeks to introduce a new regulatory framework for telecommunications security in the UK. The Bill would place stronger security-related duties and responsibilities on telecoms companies and would grant Ofcom, the UK’s communications regulator, new enforcement powers.
The government recently published the Draft Electronic Communications (Security Measures) Regulations, setting out the draft regulations it aims to publish under the Telecommunications Bill. These illustrate how the powers of the Telecommunications Bill may be used and support early engagement with providers.
Key changes
The Telecommunications Bill focuses on creating certainty regarding the UK's policy towards 'high risk vendors' (HRVs), with a view to ultimately removing them from the UK's telecoms network and diversifying the 5G supply chain. The Telecommunications Bill will allow the government to issue specific security requirements in secondary legislation. In addition, new codes of practice will provide further compliance guidance.
In particular, the Telecommunications Bill creates new legal duties on telecoms firms to increase security of the UK network as well as new powers for the government to remove high risk vendors such as Huawei. It will introduce new responsibilities for Ofcom to monitor telecoms operators, in addition to increasing potential fines to up to 10 percent of turnover or £100,000 per day for failing to meet standards.
These proposals are evidence of a clampdown on the telecommunications sector and show telecommunications providers that legislators and regulators are taking cybersecurity seriously. Providers need to ensure they comply with the current regime in order to be best prepared for the incoming changes.
Timeline
The Telecommunications Bill has been published in final form and is expected to come into force in the first half of 2021, though a date has yet to be set.
What does this mean?
Both the EU and UK are taking steps to bolster network infrastructure and communications security, particularly in relation to critical sectors. Whether cyber vulnerability is exploited by malicious actors or breaches happen by accident, robust but flexible systems and practices are seen as essential.