What is the NIS Directive?
The Network and Information Systems (NIS) Directive requires UK operators of essential services to manage their cybersecurity appropriately so that critical national services are not seriously affected in the event of a cyber incident.
The directive came into UK law on 10 May 2018 and was introduced alongside the General Data Protection Regulation (GDPR). While GDPR addresses the privacy and data protection of all individuals, the NIS Directive only applies to organisations that provide critical national infrastructure. The purpose of the Directive is to improve the cyber security of organisations that deliver key parts of the UK’s critical national infrastructure.
The directive applies to two groups of organisations: Operators of Essential Services (OES) and Digital Service Providers (DSP). OESs are drawn from the energy, transport, health and drinking water sectors, while DSPs provide key aspects of the UK’s internet infrastructure.
In order to be within the scope of the directive the OES or DSP needs to be of a size and importance where their failure would have significant national consequences. The threshold requirements that determine if an operator is an OES can be found here.
OESs and DSPs are overseen by a sector-specific Competent Authority (CA). The CA is typically assigned to a Secretary of State, with the responsibility devolved to existing bodies such as OFGEM. Within its sector, the CA is responsible for reviewing the application of the Directive, maintaining a list of designated OES/DSPs and issuing advice and guidance.
CAs also have the statutory power to designate an operator as an OES/DSP even if that operator does not fall within the threshold requirements. They also have the power to demand information, inspect, enforce and fine.
OES/DSPs have a number of responsibilities under the Directive. They are required to:
- Notify their relevant CA by 10th August 2018 that they meet the threshold requirements and are therefore a designated OES/DSP.
- Conduct appropriate and proportionate risk management in the operation of the IT systems that the essential services they deliver rely upon.
- Conduct appropriate and proportionate measures to minimise the impact that incidents affecting their IT systems will have on their ability to deliver the essential services.
- Notify their relevant CA within 72 hours of becoming aware of any incident which has a significant impact on the continuity of the essential service.
In simpler language, the people who provide essential services to the UK are required by law to manage their cyber security risks to reduce the likelihood of an incident affecting those services. They must also take measures to reduce the impact of an incident should it occur and must report it within 72 hours.
In theory the maximum fine that an OES or DSP can incur is £17m, although this applies only to incidents that have resulted, or could have resulted, in an immediate threat to life or a significant adverse effect on the UK economy. Less serious disruptions to services can result in a maximum fine of £8.5m.
Most CAs appear to be approaching the implementation of the Directive in an educational manner, so fines are probably unlikely in the immediate future. As time progresses, however, their tolerance for contraventions will likely decrease.