The Network and Information Systems Directive: An overview and consideration of the UK Implementation Consultation
At the launch of the UK's Cyber Security Strategy, Philip Hammond proclaimed that "tech is the future of the economy". In 2016, the year of that proclamation, an estimated two million computer misuse offences were recorded. Importantly, efforts to improve cybersecurity have taken centre stage at both a national and an EU level with the introduction of the Network and Information Systems Directive (the "NIS Directive"), the first piece of EU-wide legislation on cybersecurity, which entered into force in August 2016. Incidents in 2017 such as the WannaCry ransomware attack, the Channel 4 hack and the Equifax cyberattack highlight the potential of cyberattacks to affect all manner of societal activities and serve as a reminder of the importance of these cybersecurity initiatives.
Overview of the NIS Directive
The objective of the NIS Directive is to achieve a high common level of network and information systems security within the EU. It is envisaged that the following measures will aid in increasing cooperation and information exchange between Member States:
- introducing an obligation on Member States to adopt a national strategy;
- designating national competent authorities;
- introducing a computer security incident response teams network; and
- introducing security measures and incident reporting obligations for operators of essential services and digital service providers.
Broadly, the NIS Directive applies to:
- operators of essential services established in the EU; and
- digital service providers that offer services to persons within the EU.
Article 14 of the NIS Directive outlines that those organisations to which the directive applies must take "appropriate and proportionate technical and organisational measures" to ensure the security of their systems. No further guidance is given as to what such appropriate or proportionate steps would be.
UK implementation of the NIS Directive
The UK Government launched a consultation on how best to implement the NIS Directive in August 2017. The key proposals, as well as areas on which input was sought, are set out below.
- The EU's definition of an operator of essential services is broad, and as such the UK Government has proposed additional identification thresholds with the aim of capturing only the most important operators within each sector. There is, however, a proposal to reserve the power to designate specific operators who fall outside these thresholds, which could create uncertainty as to the scope of the directive.
- The UK Government also proposes to nominate multiple sector-based competent authorities as opposed to one national competent authority as contemplated in the NIS Directive. Having a number of authorities with a detailed understanding of the individual sectors and their associated challenges who are encouraged to communicate and cooperate with one another is seen as a more resilient approach.
- The UK Government intends to adopt a guidance- and principles-based approach to help ensure that those to which the NIS Directive applies are aware of the "appropriate and proportionate technical and organisational measures" they must adhere to. The Government has set out its "High Level Security Principles" within the consultation, and it is intended that these principles will be developed and expanded upon over time as knowledge of the threats posed increases.
- Member States are required to impose their own "effective, proportionate and dissuasive" rules on financial penalties for infringements of the national provisions adopted pursuant to the NIS Directive. The UK Government has proposed two bands of fine:
  - Band one: lesser offences, such as failure to cooperate with a competent authority, would fall within this band. Fines would be set at a maximum of €10m or 2% of global turnover (whichever is greater); and
  - Band two: covers the more serious offence of failure to implement appropriate and proportionate security measures. Fines would be set at a maximum of €20m or 4% of global turnover (whichever is greater).
It is anticipated that a full report incorporating the responses to the consultation will be published at the beginning of December 2017. The report should outline in greater detail some of the key concerns of industry professionals and regulators and may lead to a revision of certain aspects of the national provisions. The NIS Directive must be transposed into national law by Member States before 9 May 2018, so the onus is on the UK Government to confirm its approach, whether that be the approach set out at present or a revised approach following the results of the consultation, and begin implementation. Finally, in contemplation of the UK's changing relationship with the EU, the Government has been quick to confirm that it supports the overall aim of the NIS Directive, and as such the above-mentioned legislation is not something that will be overlooked in the post-Brexit landscape.
For further detailed information see the Security of Network and Information Systems Public Consultation (published August 2017).
Computer misuse offence statistics: Office for National Statistics figures.
This article was written by Rachel Bell. For more information, please contact Rachel on +44(0)20 7427 6573 or at email@example.com.