The Network and Information Systems Directive: An overview and consideration of the UK Implementation Consultation
At the launch of the UK's Cyber Security Strategy, Philip Hammond proclaimed "tech is the future of the economy". In 2016, the same year as that proclamation, there were an estimated two million computer misuse offences recorded[1]. Importantly, efforts to improve cybersecurity have taken centre stage at both a national and EU level with the introduction of the Network and Information Systems Directive (the "NIS Directive"), the first piece of EU-wide legislation on cybersecurity, which entered into force in August 2016. Incidents in 2017 such as the WannaCry ransomware attack, the Channel 4 hack and the Equifax cyberattack highlight the potential of cyberattacks to affect all manner of societal activities and serve as a reminder of the importance of these cybersecurity initiatives.
Overview of the NIS Directive
The objective of the NIS Directive is to achieve a high common level of network and information systems security within the EU. It is envisaged that the following measures will aid in increasing cooperation and information exchange between Member States:
- introducing an obligation on Member States to adopt a national strategy;
- designating national competent authorities;
- introducing a computer security incident response teams network; and
- introducing security measures and incident reporting obligations for operators of essential services and digital service providers.
Broadly, the NIS Directive applies to:
- operators of essential services established in the EU; and
- digital service providers that offer services to persons within the EU.
Article 14 of the NIS Directive outlines that those organisations to which the directive applies must take "appropriate and proportionate technical and organisational measures" to ensure the security of their systems. No further guidance is given as to what such appropriate or proportionate steps would be.
UK implementation of the NIS Directive
The UK Government launched a consultation on how best to implement the NIS Directive in August 2017. The key proposals, as well as areas on which input was sought, are set out below.
- The EU's definition of an operator of essential services is broad and, as such, the UK Government has proposed additional identification thresholds with the aim of capturing only the most important operators within each sector. There is, however, a proposal to reserve the power to designate specific operators who fall outside these thresholds, which could create uncertainty as to the scope of the directive.
- The UK Government also proposes to nominate multiple sector-based competent authorities as opposed to one national competent authority as contemplated in the NIS Directive. Having a number of authorities with a detailed understanding of the individual sectors and their associated challenges who are encouraged to communicate and cooperate with one another is seen as a more resilient approach.
- The UK Government intends to adopt a guidance- and principles-based approach to help ensure that those to which the NIS Directive applies are aware of the "appropriate and proportionate technical and organisational measures" they must adhere to. The Government has set out its "High Level Security Principles" within the consultation and it is intended that such principles will be developed and expanded upon over time, as knowledge of the threats posed increases.
- Member States are required to impose their own "effective, proportionate and dissuasive" rules on financial penalties to be imposed for infringements of the national provisions adopted pursuant to the NIS Directive. The UK Government has proposed two variants of fine:
  - Band one – lesser offences, such as failure to cooperate with a competent authority, would fall within this band. Fines would be set at a maximum of €10m or 2% of global turnover (whichever is greater); and
  - Band two – the more serious offence of failure to implement appropriate and proportionate security measures would fall within this band. Fines would be set at a maximum of €20m or 4% of global turnover (whichever is greater).
Looking ahead
It is anticipated that a full report incorporating the responses from the consultation will be published at the beginning of December 2017. The report should outline in greater detail some of the key concerns of industry professionals and regulators and may lead to a revision of certain aspects of the national provisions. The NIS Directive must be transposed into national law by Member States prior to 9 May 2018, so the onus is on the UK Government to confirm the approach (whether that be the approach that is set out at present or a revised approach following the results of the consultation) and begin implementation. Finally, in contemplation of the UK's changing relationship with the EU, the Government has been quick to confirm it supports the overall aim of the NIS Directive and, as such, the above-mentioned legislation is not something that will be overlooked in the post-Brexit landscape.
For further detailed information see the Security of Network and Information Systems Public Consultation (published August 2017).
[1] Office for National Statistics figures.
This article was written by Rachel Bell. For more information, please contact Rachel on +44(0)20 7427 6573 or at rachel.bell@crsblaw.com.