Proposed changes provide indication of the yet-to-be-published contents of the NIS Directive’s implementing regulation.
The UK government moved closer to implementing the Security of Network and Information Systems Directive (NIS Directive) with the release of its consultation response.
The NIS Directive is the first EU-wide legislation on cybersecurity that aims to enhance network and information system security across vital business sectors within the EU. The UK government launched a public consultation in autumn 2017 to obtain feedback on its proposed approach to implementation. Although the consultation response indicated broad support for the proposals, the UK government has proposed changes to address certain areas of concern. The consultation response, which was released on 28 January 2018, focuses on the following topics.
GDPR: Double Jeopardy
Given the inevitable overlap of issues between the NIS Directive and the General Data Protection Regulation (GDPR), the Government confirmed its intention to have the two work in harmony so far as possible. This includes: (i) confirmation that the timescale for incident notification would be “undue delay and no later than 72 hours”; and (ii) responding to the concerns that organisations could be fined twice for the same incident.
While acknowledging the concerns around double jeopardy, the government indicated that there could be valid reasons to penalise an organisation twice for the same incident if the penalties related to different aspects of the wrongdoing. To ensure a coordinated approach, the implementing legislation will encourage Competent Authorities to work with other regulators, such as the UK Information Commissioner’s Office (ICO), in the event that both regimes apply to the same event. The government did concede to concerns over the potential quantum of fines, however, by moving away from a percentage of the global turnover as a penalty regime. Instead, the government will set the upper limit for penalties for the most severe cases at £17 million.
Operators of Essential Services
The government clarified the region-specific and other thresholds required to identify operators of essential services (OES) and confirmed that Competent Authorities should be reaching out to their OES to assist with compliance. In addition, the government clarified that each Competent Authority will have the power to designate OES, investigate the causes of an incident, notify the public about an incident, and either audit or require the audit of an OES or DSP.
National Cyber Security Council
The government also clarified that the National Cyber Security Council (NCSC) will have no regulatory or enforcement role in implementing the NIS Directive. NCSC’s responsibilities will be limited to providing support, expert advice, and incident response assistance, as well as developing cybersecurity standards and guidance, such as NCSC’s guidance on compliance with the NIS Directive Directive (additional information on this guidance is available in this blog post). NCSC will also undertake the advisory role of the Computer Security Incident Response Team (CSIRT).
Digital Service Providers
The government rejected requests to exclude all SaaS providers from the definition of digital service providers (DSPs), and provided further guidance on who else would be regulated as a DSP. Regulated parties will include:
- Online marketplaces: Any platform serving as an intermediary between buyers and sellers facilitating the sale of goods and services will be a DSP. The government broadly defined online marketplaces, but specifically excluded price comparison sites, classified advert sites, and online retailers.
- Online search engines: Where search engine providers are powered by another engine, then the underlying search engine will be a DSP; however, internal organisation engines that do not facilitate external searches of the internet will not be DSPs.
- Cloud computing services: IaaS, PaaS, and SaaS (if the SaaS resources available to the customer are changeable in an elastic/scalable way) will be DSPs. The narrower definition of SaaS DSPs would likely exclude most online gaming, entertainment, or VoIP services, but may capture email or online storage providers.
Further clarity for DSPs followed the consultation response in the form of the Commission Implementing Regulation (EU) 2018/151 (Implementing Regulation). The Implementing Regulation, published on 30 January 2018, provides more detail on how the NIS Directive will apply to DSPs. In particular, it sets out an indicative/non-exhaustive list of characteristics whereby the presence of at least one would indicate a “substantial incident”:
- The service is unavailable for more than 5 million user hours.
- The service affects more than 100,000 users across the EU.
- The loss of service creates a risk to public safety.
- The damage from the incident causes material damage to one user in the EU exceeding €1 million.
A DSP must report a substantial incident to its relevant CSIRT “without undue delay” and in a way that allows the CSIRT to determine the significance of any cross-border impact.
One of the clear messages from the Government paper is that we can expect further guidance before May 2018. The paper specifically references additional guidance in the following areas:
- Competent Authorities – guidance will be published clarifying the role and responsibilities of the Competent Authorities.
- Incident Reporting – while the paper lists some of the factors to be considered in determining the criticality of an incident (g.number of users, duration, and dependency of other sectors), it also confirmed that reporting thresholds would be published before May 2018.
The response also assured organisations that they will have a window of time for implementing the NIS Directive (which the UK must implement by May 2018). According to the response, policy provisions will continue to apply in the UK after its exit from the EU.