Search for:

Jump straight to:

An unexpected error has occurred

Please enter a search term

Please select

What sectors are you interested in?

We can use your selection to show you more of the content that you’re interested in.

Want to speak to an advisor from your closest office?

Find other offices

Search for:

An unexpected error has occurred

Please enter a search term

Out-Law / Your Daily Need-To-Know

Out-Law Analysis 2 min. read

Expect a quiet start to the UK's new network and information security regime

15 May 2018, 9:57 am

ANALYSIS: Organisations operating critical national infrastructure in the UK are subject to new cybersecurity laws, but should not fear large financial penalties so long as they are taking active steps towards compliance.

The Network and Information Systems (NIS) Regulations 2018 came into force on 10 May and implement the EU's NIS Directive, which was finalised in 2016.

While the introduction of the NIS Regulations has been overshadowed to an extent by the attention that has been given to the General Data Protection Regulation (GDPR) – itself applicable from 25 May – the NIS rules will apply to many organisations in sectors such as banking, energy, health and transport.

The severe financial penalties that can be issued for non-compliance, though, mean the NIS regime cannot be overlooked. However, the UK government has offered words of reassurance to organisations subject to the rules about what to expect in terms of enforcement.

The NIS regime

The NIS rules are a response to the increase in cyber risks and are designed to ensure critical systems in sectors such as like banking, energy, health, transport and water are operated securely. It applies to operators of such 'essential services' and to online marketplaces, online search engines and cloud computing service providers, which are together classed as 'digital service providers' under the regime.

Both operators of essential services and digital service providers are subject to requirements to keep their networks and information secure under the new rules and to notify security incidents to "competent authorities" when they occur. 

In the UK there is no single competent authority – instead, a number of government ministers and departments, and regulators such as Ofcom and the Information Commissioner's Office (ICO) are tasked with overseeing compliance across the various sectors in which the rules apply.

While digital service providers are directly subject to the new rules, with the exception of micro and small businesses, the NIS Regulations give UK authorities the power to designate which organisations are to be classed as 'operators of essential services' and in scope of the new laws. Criteria and thresholds are set out in the Directive to inform the selection process, and the UK, like other EU member states, has until 9 November to complete the designation process.

The NIS Regulations provide the competent authorities with powers to issue significant financial penalties to organisations that breach the rules. A tiered system of penalties is provided for in the regulations, which caps the fine that organisations could be served with for particular breaches of the rules. In the most serious cases, where authorities determine that an incident has caused or could cause "an immediate threat to life or significant adverse impact on the United Kingdom economy" a fine of up to £17m could be imposed.

A slow start anticipated

Helpfully, the Department for Digital, Culture, Media and Sport (DCMS) has urged the competent authorities to take a cautious approach to enforcement, at least for the first year, and to give organisations subject to the new laws enough time to reach the appropriate levels of security requirements.  

Indeed, DCMS stated that the issuing of fines under the NIS regime "would be a last resort" and that operators found to have "assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack" will avoid a fine altogether.

In addition, organisations subject to the NIS rules do not face the growing cyber threat alone. The NIS Regulations specifically provide a role for UK intelligence agency GCHQ, and in particular the National Cyber Security Centre, to monitor security incidents, issue risk warnings and share best practices.

Operators of essential services, and organisations unsure of their status but that think they might be designated as such, are encouraged to enter into a dialogue and act cooperatively with the competent authority in their sector. The operators should work with those authorities to understand their security obligations and how to meet them and further put in place a cyber incident response plan they can act on should a breach occur.

David McIlwaine is an expert in technology risk at Pinsent Masons, the law firm behind Out-Law.com.

Written by

McIlwaine David

David McIlwaine

Partner

+ 44 (0) 20 7490 6224
View Profile

Latest News

UK minded to introduce umbrella company statutory due diligence requirement

Rising opportunities for agrivoltaic energy projects under France’s regulatory strategy

Financial firms should plan ahead as Irish regulator publishes final SEAR regulations

CMA outlines initial concerns involving AI foundation models

Construction projects: contractual and non-contractual acceleration

You might also like

Out-Law Guide

VAT treatment of UK termination and compensation payments

Broadly, subject to a few limited exceptions, since April 2022, where VAT is payable on a supply, other payments that are required to be made to that supplier under the same contract, such as early termination fees, are subject to VAT.

Tax disputes & investigations

Out-Law Guide

Lease arrears: options for landlords in Scotland

Commercial landlords in Scotland have a number of options available to them to deal with increasing levels of arrears.

Property Dispute Resolution

Out-Law News

HSE statistics reveal surge in UK work-related illness

New statistics on occupational health and safety in the UK will be “disappointing” for the Health and Safety Executive (HSE), according to one legal expert.

Health & safety

Out-Law News

UK government plans to revamp holiday pay calculation for part-year workers

Show me more

Out-Law Analysis

Pensions disputes: managing member expectations paramount

Show me more

Out-Law Analysis

UK subsidy control post-Brexit: access to effective judicial remedies

Show me more

Out-Law News

'Steps of court' settlement was not negligent, court rules

Show me more

Out-Law News

'Vast majority' of companies not seeking to avoid tax

Show me more

Out-Law News

'World first' industrial decarbonisation strategy developed in the UK

Show me more

Out-Law Analysis

3D printing: UK product safety issues

Show me more

Out-Law News

5G potential for business highlighted in UK funding programme

Show me more
We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.