UK cyber rules exemption for banks under EU scrutiny

Out-Law News | 04 Nov 2019 | 3:22 pm | 3 min. read

The UK government's decision to exempt banks from EU cybersecurity and incident reporting requirements is under scrutiny.

In a recent report, the European Commission suggested some EU countries may have incorrectly extended exemptions from the requirements, which are set out in the EU's Network and Information Security (NIS) Directive, to some businesses.

The Commission specifically referenced the use of exemptions in relation to banking and financial markets infrastructure in its report. The UK is among the countries to have utilised exemptions in those sub-sectors.

The NIS Directive sets out measures designed to ensure critical IT systems in central sectors of the economy like banking, energy, health and transport are secure. Organisations classed as operators of such 'essential services' are subject to requirements to keep their networks and information secure and must also "notify … incidents having a significant impact on the continuity of the essential services they provide" to "competent authorities".

It is up to each EU member state to determine which organisations are classed as operators of essential services for the purposes of the NIS rules. The Directive sets out criteria to inform those assessments.

The Directive provides scope to exempt organisations that would be classed as operators of essential services from the NIS rules in cases where they are already subject to sector-specific rules addressing the security of network and information systems or incident notification which are "at least equivalent in effect" to the NIS Directive requirements. This is known as the lex specialis principle.

In implementing the NIS Directive, the UK elected not to identify any operators of essential services in the banking and financial market infrastructure sub-sectors. It said at the time that it was able to do so because there would be sectoral rules on cybersecurity and incident reporting that the firms within those sub-sectors would be subject to by the time the NIS rules took effect.

In its report, however, the Commission bemoaned the "inconsistency" in the way exemptions had been applied under the NIS Directive. It confirmed that, unlike the UK, most EU countries have identified operators of essential services in the sub-sectors of banking and financial markets. It said it is reviewing whether the exemptions that have been applied are justified.

"The Commission is still in the process of gathering detailed information about the application of the lex specialis principle under the NIS Directive," the Commission said. "It is currently conducting in-depth checks of the national legislation and country visits in order to assess the current level of transposition and implementation, including regarding the lex specialis provisions."

The Commission said it plans to "discuss cases where the application of the lex specialis principle may not be correct" with government officials from EU countries. In those discussions it will seek "better alignment" across the trading bloc, it said.

Cyber risk expert Stuart Davey of Pinsent Masons, the law firm behind Out-Law, said: "The Commission's report has highlighted the variation across jurisdictions in the way the NIS regime has been applied. A factor in this will be the fact that the NIS rules are set out in an EU Directive and not a Regulation and are therefore not directly effective – this opened up the possibility for different approaches during implementation. However, this could lead to greater challenges in assessing an organisation's regulatory requirements if the NIS regime has been implemented differently across the EU. This is particularly true in sub-sectors where operators of essential services have multi-jurisdictional reach, such as in financial services."

"To date, the NIS regime has largely fallen under the radar. It was overshadowed at its time of introduction into law by the GDPR, and there has not subsequently been a major enforcement case to trigger publicity. However, it is likely that the NIS regime will become increasingly important once regulators get to grips with it. The Commission's scrutiny of the UK exemption in banking will pique industry interest in the meantime, but the continued uncertainty over Brexit and the make-up of the next UK government make it difficult to predict what action will follow if the UK's approach to date attracts further censure," he said.

In addition to setting out rules for operators of essential services, the NIS Directive applies a lighter touch regime on cybersecurity to 'digital service providers' (DSPs). The Directive defines DSPs as being online marketplaces, online search engines or cloud computing service providers that normally provide their service "for remuneration, at a distance, by electronic means and at the individual request of a recipient of services".

The EU Agency for Network and Information Security (ENISA) has issued guidance for digital service providers on their incident notification obligations under the NIS Directive.