Out-Law / Your Daily Need-To-Know

Expect a quiet start to the UK's new network and information security regime

Out-Law Analysis | 15 May 2018 | 9:57 am

ANALYSIS: Organisations operating critical national infrastructure in the UK are subject to new cybersecurity laws, but should not fear large financial penalties so long as they are taking active steps towards compliance.

The Network and Information Systems (NIS) Regulations 2018 came into force on 10 May and implement the EU's NIS Directive, which was finalised in 2016.

While the introduction of the NIS Regulations has been overshadowed to an extent by the attention that has been given to the General Data Protection Regulation (GDPR) – itself applicable from 25 May – the NIS rules will apply to many organisations in sectors such as banking, energy, health and transport.

The severe financial penalties that can be issued for non-compliance, though, mean the NIS regime cannot be overlooked. However, the UK government has offered words of reassurance to organisations subject to the rules about what to expect in terms of enforcement.

The NIS regime

The NIS rules are a response to the growth in cyber risk and are designed to ensure that critical systems in sectors such as banking, energy, health, transport and water are operated securely. The regime applies to operators of such 'essential services' and to online marketplaces, online search engines and cloud computing service providers, which are together classed as 'digital service providers' under the rules.

Both operators of essential services and digital service providers are required under the new rules to keep their networks and information systems secure and to notify security incidents to "competent authorities" when they occur.

In the UK there is no single competent authority – instead, a number of government ministers and departments, and regulators such as Ofcom and the Information Commissioner's Office (ICO) are tasked with overseeing compliance across the various sectors in which the rules apply.

Digital service providers, other than micro and small businesses, are directly subject to the new rules. Operators of essential services, by contrast, must first be designated: the NIS Regulations give UK authorities the power to decide which organisations are classed as 'operators of essential services' and so fall within scope. Criteria and thresholds set out in the Directive inform that selection, and the UK, like other EU member states, has until 9 November 2018 to complete the designation process.

The NIS Regulations give the competent authorities powers to issue significant financial penalties to organisations that breach the rules. The regulations provide for a tiered system of penalties, capping the fine that can be imposed for particular categories of breach. In the most serious cases, where an authority determines that an incident has caused or could cause "an immediate threat to life or significant adverse impact on the United Kingdom economy", a fine of up to £17m can be imposed.

A slow start anticipated

Helpfully, the Department for Digital, Culture, Media and Sport (DCMS) has urged the competent authorities to take a cautious approach to enforcement, at least for the first year, and to give organisations subject to the new laws enough time to reach the required level of security.

Indeed, DCMS stated that the issuing of fines under the NIS regime "would be a last resort" and that operators found to have "assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack" will avoid a fine altogether.

In addition, organisations subject to the NIS rules do not face the growing cyber threat alone. The NIS Regulations specifically provide a role for the UK intelligence agency GCHQ, and in particular its National Cyber Security Centre (NCSC), which acts as the UK's single point of contact and computer security incident response team (CSIRT) under the regulations, to monitor security incidents, issue risk warnings and share best practice.

Operators of essential services, and organisations that think they may be designated as such, are encouraged to open a dialogue with, and act cooperatively towards, the competent authority for their sector. Operators should work with those authorities to understand their security obligations and how to meet them, and should put in place a cyber incident response plan they can act on if a breach occurs, including the process for notifying the competent authority of incidents without undue delay (the regulations set an outer limit of 72 hours from the operator becoming aware of the incident).

David McIlwaine is an expert in technology risk at Pinsent Masons, the law firm behind Out-Law.com.