Out-Law News 3 min. read

UK finalises plans to implement new cybersecurity laws

Organisations that breach new UK cybersecurity laws could be fined more than once by different regulators in relation to the same security breach, the UK government has admitted.

The Department for Digital, Culture, Media and Sport (DCMS) made the admission in a paper setting out its plans to implement the EU's Network and Information Security (NIS) Directive into UK law (35-page / 286KB PDF).

The NIS Directive sets out measures designed to ensure critical IT systems in central sectors of the economy like energy, health and transport are secure. It applies to operators of such 'essential services', as defined by each EU member state. Slightly different rules also apply to 'digital service providers'. EU countries have until 9 May 2018 to implement the Directive into national laws.

DCMS' paper constituted the government's response to industry feedback to a consultation it ran last year on proposed implementation of the Directive. In it, the department confirmed the criteria which will define whether organisations across the sectors covered by the rules will be considered 'operators of essential services' and subject to the requirements of the new laws. The criteria for determining which organisations qualify as 'digital service providers' is set out in the NIS Directive itself.

DCMS also confirmed that operators of essential services that breach the security requirements will face fines of up to £17 million. However, it dropped plans that would have exposed organisations in breach to potential fines totalling a percentage of their global annual turnover.

According to the department, fines will only be served as a "last resort" and will not be issued where operators of essential services "have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack".

Despite this, DCMS acknowledged the possibility that operators of essential services that breach the UK's NIS rules could also be found in breach of other legislation and did not rule out that operators could be issued with more than one fine by different regulators in relation to the same underlying security breach.

"The government understands the perceived concern over double jeopardy, in particular in relation to the General Data Protection Regime (GDPR)," DCMS said. "The government agrees that operators and digital service providers should not be tried for the same offence twice, but notes that there may be reason for them to be penalised under different regimes for the same event because the penalties might relate to different aspects of the wrongdoing and different impacts. This will apply not just to GDPR but other sectoral and national legislation such as safety legislation or service commitments."

"The government does not believe that ‘double jeopardy’ can be completely removed, without undermining either the NIS regulations or other UK legislation. However, in order to take these considerations into account, the NIS regulations will include text which will encourage competent authorities to work with regulators in the event of different regimes applying to determine what approach to take. This will not limit a competent authority’s ability to apply the penalty it feels is appropriate to the circumstances, but will encourage it to factor in other regimes if this is appropriate," it said.

Under the new UK regime, different 'competent authorities' will have responsibility for monitoring compliance and enforcement depending on which sector organisations subject to the rules operate.

Government ministers for energy, health and transport, for example, will act as competent authorities, as will industry regulators Ofgem and Ofcom and data protection watchdog the Information Commissioner's Office (ICO).

The National Cyber Security Centre (NCSC) has set out guidance for operators of essential services on the type of security measures they should deploy.

Margot James, UK minister for digital, said: "We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services. I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security."

Last summer, the UK government said that it would take advantage of a carve out in the NIS Directive to exempt firms operating in banking and financial markets infrastructure from the UK's NIS rules.

According to the NIS Directive, if there are already "Union legal acts" that set out sector-specific requirements regarding the security of firms' network and information systems or the notification of cybersecurity incidents then those provisions should apply so long as the requirements "are at least equivalent in effect" to the obligations set out in the Directive.

The government said that "provisions at least equivalent to those specified in the Directive will already exist by the time the Directive comes into force" in the context of cybersecurity obligations and notification duties in the banking and financial market infrastructure sectors. It said that firms in those sectors "must continue to adhere to requirements and standards as set by the Bank of England and/or the Financial Conduct Authority".

In August 2017, the government confirmed to Out-Law.com that it planned to update UK legislation to codify reporting requirements for central counterparties (CCPs) as part of a move to ensure equivalence of regulation with the NIS Directive.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.