The NIS Regulations – One Year On
What is the relevance for the public sector and how can compliance be ensured?
THE NIS DIRECTIVE
The Network and Information Security or the NIS Directive, also known as the Cybersecurity Directive, intends to establish a uniform level of cybersecurity for network and information systems that process ‘digital data’ for their operation, use, protection and maintenance. The NIS Directive demands these systems to be adequately protected so that they are resistant to any threats which may compromise either the data they store or services they provide. The NIS Directive also encourages cooperation between EU Member States through a network of computer security incident response teams and national single points of contact.
The NIS Directive covers cybersecurity as well as the environmental and physical aspects. It requires some operators of essential services, such as water suppliers or transport providers, to develop systems safeguarding them against cyber threats affecting IT systems such as power outages, hardware failures and environmental hazards. The NIS Directive also intends to prevent cyber breaches such as the 2017 WannaCry ransomware attack which affected, amongst others, a number of NHS Trusts in the UK, preventing doctors from accessing patient records.
IS YOUR ORGANISATION CAUGHT BY THE NIS REGULATIONS?
The Network and Information Systems Regulations 2018 (the NIS Regulations), which implemented the NIS Directive in the UK on 10 May 2018, impose obligations on both ‘operators of essential services’ (OESs) and ‘relevant digital service providers’ (RDSPs).
OESs are those organisations that operate within relevant sectors listed in Schedule 2 to the NIS Regulations, namely the energy, transport, healthcare, water supply and distribution, and digital infrastructure (domain name registries and service providers, and internet exchange points) and who are reliant on information networks. To meet the definition of an OES, a given organisation must also fulfil the threshold criteria specified for the kind of service it provides.
Many public sector organisations will be OESs for the purposes of the NIS Regulations. It is the responsibility of the OESs to identify themselves and notify their relevant “Competent Authority”: –
- For energy (electricity and gas), it is BEIS;
- For transport (air), it is the Civil Aviation Authority;
- For transport (rail, maritime, road), it is the Department for Transport;
- For the health sector, it is the Department of Health and Social Care;
- For drinking water supply and distribution, it is the Department for Environment, Food and Rural Affairs;
- For digital infrastructure, it is Ofcom.
Local government authorities may fall within the definition of an OES if they are responsible for the provision of essential services to their residents and fall within the relevant thresholds set out in Schedule 2 to the NIS Regulations, even if they rely on third parties and outsourcing mechanisms. Identifying the systems that support the services need to be carried out by local authorities as part of understanding how they can comply with the security requirements. The NIS Regulations stipulate that the Competent Authorities are empowered to nominate an organisation as an OES under regulation 8(3), even if it falls short of the threshold criteria, where a threat to its cyber security would still tangibly affect the supply of essential services and therefore have significant adverse social or economic impact. This is an important consideration that local authorities should be mindful of.
NIS Regulations also apply to RDSPs (being organisations that provide online marketplaces, online search engines, and cloud ccomputing services), albeit less rigorously. OESs, under the NIS Regulations, are subject to active monitoring by their Competent Authorities, whereas RDSPs are assessed for compliance after a cyber threat materialises and is reported. The rationale for this is that the risks that OESs face are greater – any disruptions to the services they provide would likely have more serious and widespread consequences.
THE OBLIGATIONS IMPOSED ON OESs
The NIS Regulations refrain from prescribing particular rules and instead are outcome-oriented – they focus on four objectives, from detecting cyber security threats to, if unavoidable, managing their impact. The objectives are underpinned by fourteen high-level principles relating to proper governance, system resilience, response to threats and post-incident resumption of services. The principles describe the “mandatory security outcomes to be achieved” – OESs can ensure compliance with the NIS Regulations by meeting these principles:
Objective A – Managing Security Risk
- A.1 Governance
- A.2 Risk Management
- A.3 Asset Management
- A.4 Supply Chain
Objective B – Protecting Against Cyber Attack
- B.1 Service Protection Policies and Procedures
- B.2 Identity and Access Control
- B.3 Data Security
- B.4 System Security
- B.5 Resilient Networks and Systems
- B.6 Staff Awareness and Training
Objective C – Detecting Cyber Security Events
- C.1 Security Monitoring
- C.2 Anomaly Detection
Objective D – Minimising Impact of Cyber Security Incidents
- D.1 Response and Recovery Planning
- D.2 Improvements
Regulation 10 requires OESs to take adequate technical and organisational measures to manage risks and prevent cyber security incidents likely to impact on their network and information systems on which the provision of their services relies. Regulation 11 requires OESs to report relevant security incidents, without undue delay and in any event within 72 hours, to the relevant Competent Authority.
The NIS Regulations carry no assumptions about how the above outcomes should be achieved. It is for the OESs to identify the most appropriate measures and discuss those with the relevant Competent Authority. The Competent Authorities should advise on the appropriateness of the measures proposed and give directions accordingly by reference to, for example, the Cyber Assessment Framework.
Alongside technical security measures and overall governance arrangements, OESs should, in order to ensure that their NIS obligations are met, take measures to safeguard their supply chains. This is because they will remain responsible for protecting the continuity of the essential services in their capacity as OESs, even if they rely on third parties to provide those services via outsourcing or cloud based technology services.
OESs can take steps to ensure compliance within their supply chain by using appropriate contractual arrangements, including, for example, auditing rights, upward reporting of security performance and key performance indicators. The measures adopted should take into account the state of the art and should be appropriate and proportionate to the services provided. OESs should take care to ensure that data shared with contracted suppliers is protected from unauthorised access, alteration or erasure which may impact on the provision of essential services. The products and services procured from suppliers should also have appropriate security specifications, and the third parties themselves, as well as their sub-contractors, ought to be verified as trustworthy and equipped with effective security measures. For example, the CPNI Personnel Security Maturity Model can be deployed to assess the supplier’s people security arrangements.
The OES should, where possible, avoid relying on a single supplier and recognise that different protection requirements should be demanded from different suppliers and different types of contracts, based on the particular risks associated with them. The suppliers should be provided with a clear guidance in relation to the types of contracts they can sub-contract and the procedures for obtaining prior approval from the authority. Managing security throughout the contract term should be considered as important as managing it on termination and transfer of services to another supplier. Existing contracts should be renewed with adequate frequency, providing an opportunity to reassess relevant risks. OESs should encourage their suppliers to maintain appropriate security arrangements, as this may act as an incentive for the authority to award future contracts to them.
THE GDPR AND THE NIS REGULATIONS – HOW DO THEY INTERACT?
The NIS Regulations and the GDPR, although inevitably connected, are concerned with different risks. The NIS Regulations focus on hazards to key infrastructure, network and information systems and the continuity of services, including relevant data of both personal and non-personal nature, whereas the GDPR concerns data relating to an identified or identifiable data subject, a natural person. This means that the NIS Regulations are broader in scope and apply to various incidents, not necessarily involving personal data.
There are, nevertheless, notable overlaps between the two. The organisations that the NIS Regulations are concerned with are often likely to also be data controllers or data processors for the purposes of the GDPR. The security requirements are of similar nature, however, the GDPR and the NIS Regulations adopted different criteria for ascertaining what technical and organisational measures may be thought of as adequate, with greater detail provided in the NIS Regulations.
The obligations to notify of relevant incidents are present under both the GDPR and the NIS Regulations. An OES is required, under the NIS Regulations, to report incidents likely to affect the provision of essential services and where these incidents involve personal data, the GDPR reporting obligations will be relevant too – the ICO, the UK’s data protection regulator, will have to be notified. In effect this means that in the context of data protection, the ICO holds a regulatory function over both OESs and RDSPs. Moreover, under the NIS Regulations (regulation 3(3)(f)), in relation to the relevant sector for which it is designated, the Competent Authority is under an express obligation to consult and co-operate with the ICO when addressing incidents that result in breaches of personal data. The intention behind this regulation is undoubtedly the harmonisation of both cybersecurity and data protection systems.
POSSIBLE SANCTIONS – WHAT HAPPENS IF ORGANISATIONS FAIL TO COMPLY?
The sanctions for non-compliance with the NIS Regulations can be imposed by a number of Competent Authorities entrusted with enforcement, such as Ofcom and the ICO. The organisations must be mindful of the NIS Regulations in the event of a cyber security incident as the fines are considerable, ranging from £3.4 million where an incident causes or could cause a reduction in the provision of services for a significant period of time, to a maximum of £17 million where an incident causes or could cause an immediate threat to life or significant adverse impact on the UK economy.
Sharpe Pritchard are able to provide expert legal advice on the application of the NIS Regulations to your organisation and help design and implement processes to ensure compliance.
Hector Denfield is an Associate in the Local Government team, and Aleksandra Wolek is a Trainee Solicitor who has had worked in both the ICT and Local Government teams.
This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published.