The global WannaCry hacking attack that affected computers in 150 countries and brought down services in the NHS last year demonstrated how vulnerable institutions in the UK can be to cyber attacks. Cyber security has been in the spotlight consistently ever since, and private and public organisations alike are seeking solutions to avoid similar incidents.
The EU recognises the huge scope of problems associated with cyber attacks and the potential detrimental implications on member states’ economies and infrastructure. As a result, the EU aims to raise security levels of network and information systems across the EU with the Directive on the security of Networks and Information Systems, known as the NIS Directive. The NIS Directive demands that Member States implement:
- A National Framework that manages cyber security incidents and includes a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and a national NIS Competent Authority (CA)
- A Cooperation Group amongst Member States to facilitate the exchange of information and participation in a CSIRT Network
- Identification of ‘Operators of Essential Services’ (OES) which have to be able to take appropriate measures and notify national authorities
The Directive will be implemented in the UK on 9 May 2018 shortly before the implementation of the highly anticipated General Data Protection Regulation (GDPR) on 25 May 2018, and applies to any organisation that is deemed to be an OES or CA. OES include the energy sector (electricity, oil and gas providers), transport (air, rail, water and road), water suppliers and distributors, healthcare providers, banking (credit institutions) and financial market infrastructure. They also include providers of digital infrastructure such as domain name systems service providers and domain name registries.
Following a public consultation by the UK Government in 2017, the National Cyber Security Centre (NCSC) has now published guidance on the implementation of the NIS Directive, which operators in these essential sectors should study carefully. The NCSC has defined a set of cyber security principles, with accompanying best practice, that OES are expected to follow. The guidance explains why the principles are important and how they can improve national cyber security. Each principle has its own set of guidance and lists the factors that OES need to consider in order to comply with the principle and achieve its outcome. OES are expected to understand these principles and ensure they are applied in the context of their own organisations. To do so, OES are advised to compare the outcomes of the principles against their organisations’ current standards and practices and to identify shortcomings and the associated risks. OES are then expected to update their practices in line with the NCSC guidance to ensure a high standard of cyber security and compliance with the NIS Directive.
The NCSC itself takes on the role of single point of contact for EU partners on NIS and will coordinate the exchange of relevant information and action. It also takes on the role of the Computer Security Incident Response Team (CSIRT). However, the NCSC will not carry out regulatory responsibilities, as these will be supervised by the new Competent Authorities. The NCSC continues to act as an impartial expert and provides OES with cyber security advice and support.
Businesses preparing for the new data protection regime created by GDPR should take the opportunity to consider carefully whether the Directive applies to them. Organisations that fall under the definition of an OES should take the requirements of the NIS Directive very seriously and strengthen their cyber security, as failure to comply can result in fines of up to £17m. OES that suffer an attack will not be fined if they assessed their cyber security risks adequately, took measures to remedy any shortfalls and cooperated with their relevant regulators.
If this article raises any concerns, please get in touch. We can advise on any aspect of cyber security and compliance with the NIS Directive and the GDPR data protection legislation. Please contact Robert Ganpatsingh on 01273 744213 or email Robert.Ganpatsingh@dmhstallard.com.
Written by Beatrice Bass.