
18 October 2017

The Network and Information Systems Directive: An overview and consideration of the UK Implementation Consultation

At the launch of the UK's Cyber Security Strategy, Phillip Hammond proclaimed that "tech is the future of the economy". In 2016, the year of that proclamation, an estimated two million computer misuse offences were recorded[1]. Importantly, efforts to improve cybersecurity have taken centre stage at both a national and an EU level with the introduction of the Network and Information Systems Directive (the "NIS Directive") - the first piece of EU-wide legislation on cybersecurity - which entered into force in August 2016. Incidents in 2017 such as the WannaCry ransomware attack, the Channel 4 hack and the Equifax cyberattack highlight the potential of cyberattacks to disrupt all manner of societal activities, and serve as a reminder of the importance of the cybersecurity initiatives mentioned above.

Overview of the NIS Directive

The objective of the NIS Directive is to achieve a high common level of network and information systems security within the EU. It is envisaged that the following measures will aid in increasing cooperation and information exchange between Member States:

  • introducing an obligation on Member States to adopt a national strategy;
  • designating national competent authorities;
  • establishing a network of computer security incident response teams (CSIRTs); and
  • introducing security measures and incident reporting obligations for operators of essential services and digital service providers.

Broadly, the NIS Directive applies to:

  • operators of essential services established in the EU; and
  • digital service providers that offer services to persons within the EU.

Article 14 of the NIS Directive provides that those organisations to which the directive applies must take "appropriate and proportionate technical and organisational measures" to ensure the security of their network and information systems. No further guidance is given as to what such appropriate or proportionate measures would be.

UK implementation of the NIS Directive

The UK Government launched a consultation on how best to implement the NIS Directive in August 2017. The key proposals, as well as areas on which input was sought, are set out below.

  1. The EU's definition of an operator of essential services is broad, and as such the UK Government has proposed additional identification thresholds with the aim of capturing only the most important operators within each sector. There is, however, a proposal to reserve the power to designate specific operators who fall outside these thresholds, which could create uncertainty as to the scope of the directive.
  2. The UK Government also proposes to nominate multiple sector-based competent authorities as opposed to one national competent authority as contemplated in the NIS Directive. Having a number of authorities with a detailed understanding of the individual sectors and their associated challenges who are encouraged to communicate and cooperate with one another is seen as a more resilient approach.
  3. The UK Government intends to adopt a guidance- and principles-based approach to help ensure that those to which the NIS Directive applies are aware of the "appropriate and proportionate technical and organisational measures" they must adhere to. The Government has set out its "High Level Security Principles" within the consultation, and it is intended that such principles will be developed and expanded upon over time, as knowledge of the threats posed increases.
  4. Member States are required to impose their own "effective, proportionate and dissuasive" rules on financial penalties for infringements of the national provisions adopted pursuant to the NIS Directive. The UK Government has proposed two bands of fine:
     • Band one – lesser offences, such as failure to cooperate with a competent authority, would fall within this band. Fines would be set at a maximum of €10m or 2% of global turnover (whichever is greater); and
     • Band two – covers the more serious offence of failure to implement appropriate and proportionate security measures. Fines would be set at a maximum of €20m or 4% of global turnover (whichever is greater).

Looking ahead

It is anticipated that a full report incorporating the responses to the consultation will be published at the beginning of December 2017. The report should outline in greater detail some of the key concerns of industry professionals and regulators, and may lead to a revision of certain aspects of the national provisions. The NIS Directive must be transposed into national law by Member States before 9 May 2018, so the onus is on the UK Government to confirm its approach - whether that is the approach set out at present or a revised approach following the results of the consultation - and begin implementation. Finally, in contemplation of the UK's changing relationship with the EU, the Government has been quick to confirm that it supports the overall aim of the NIS Directive, and as such the above-mentioned legislation is not something that will be overlooked in the post-Brexit landscape.

For further detailed information see the Security of Network and Information Systems Public Consultation (published August 2017).


[1] Office for National Statistics figures.

This article was written by Rachel Bell. For more information, please contact Rachel on +44(0)20 7427 6573 or at rachel.bell@crsblaw.com.