Public consultation – the Directive on Security of Network and Information Systems

Greater Birmingham Chambers of Commerce

A public consultation document has been published on the implementation of the European Union’s Directive on the Security of Network and Information Systems (NIS).

The Greater Birmingham Chambers of Commerce are now looking to collate a response from our members.

The NIS directive addresses the increase in the frequency, magnitude and impact of attacks on network and information systems, given the economic and societal impact such a security incident could have on Member States and the European Union as a whole.

Recent crises have included the 2017 worldwide WannaCry attack, the 2016 attacks on US water utilities, and the 2015 attack on Ukraine’s electricity network.

Network and information systems, particularly the internet, play an essential role in facilitating the movement of goods, services and people.

The NIS directive crucially prescribes harmonised measures for ensuring sufficient cybersecurity across critical IT systems in central sectors of the economy, including banking, financial market infrastructures, energy, health, water, transport and digital infrastructure.

It has been confirmed that the directive will be transposed into law by March 2018 in the United Kingdom, despite Brexit. The new directive, coupled with the General Data Protection Regulation (GDPR) will come into full effect in May 2018 (see the GBCC briefing paper on GDPR here).

The NIS Directive only affects essential service providers and some digital service providers (DSPs). Member states are to identify essential service providers by the following criteria:

“(1) The entity provides a service which is essential for the maintenance of critical societal/economic activities;

(2) The provision of that service depends on network and information systems; and

(3) A security incident would have significant disruptive effects on the provision of the essential service.” [1]

The Directive identifies DSPs as:

“(1) online market places;

(2) online search engines;

(3) cloud computing services” [2]

(For more detailed guidance, examples and sector-specific exclusions to the categories above, refer to the directive. These exclusions predominantly apply where other EU legislation is deemed overriding). [3]

The basis for high-level principles and guidance on security measures for organisations within these categories is one matter raised in this public consultation.

Part of the consultation also revolves around categorising organisations as essential service providers, and government powers to designate specific operators as providing essential services.

The NIS Directive requires essential service operators that rely on a DSP for the provision of their essential service to notify the relevant authority of any incident affecting that DSP which has a ‘significant impact’ on that provision. To this end, essential service operators under the directive ought to ensure that their contracts with DSPs require the DSP to notify them of such incidents. The standard scope of these contractual obligations (what qualifies as a relevant incident to be reported) is another issue raised in the consultation, along with timeframes for reporting incidents.

The NIS Directive places requirements on essential service providers to update their security, breach detection and systems for managing breaches. If they rely on external DSPs, contracts may need updating. Cyber-insurance and external, off-network backups may be advisable for some essential service providers.

Chamber member Ernst & Young have outlined the consequences and approach of the NIS Directive, and advise businesses on how to prepare for the implementation of the Directive here.

This public consultation sets out proposals as to penalties for breaches under the NIS directive. Some organisations could face a fine of €20m or 4% of global turnover (whichever is greater) for failure to implement appropriate and proportionate security measures.

In 2016 a government report was published – The Cybersecurity Regulation and Incentives Review (here) – which concluded “additional cyber security regulation on organisations across the wider economy [beyond those set by GDPR and the NIS Directive] is not currently justified.”

Approaches to cybersecurity such as setting out "specific cyber controls, risk management practices or systems testing" and making cyber insurance cover mandatory were formally dismissed. Similarly, the government reported that it will not follow suggestions of individual director liability for cybersecurity failings, mandated annual cyber risk reporting, or an “enhanced tax relief” for organisations certified under a ‘Cyber Essentials’ (or alternative) scheme.

The GBCC will continue to keep members up to date on new cyber-security legislation.

The NIS directive can be found here, and the public consultation document here.

Businesses are encouraged to read through the proposals and submit any thoughts or concerns to me:

Emily Stubbs
Policy and Patron Advisor
Greater Birmingham Chambers of Commerce

Please note, the deadline for responses is 30th September 2017, and we require member input to a GBCC response by COP 22nd Sept 2017.

These can be incorporated into a Greater Birmingham Chambers of Commerce response and anonymised.

[1] Europa
[2] Security of Network and Information Systems Public Consultation
[3] Directive on Security of Network and Information Systems, Recital 9