The EU Directive on Security of Network and Information Systems (NIS) was the EU's response to concerns about the impact of cyber security failures on key infrastructure within the EU and the consequences this would have for its citizens.
Member states were given 21 months to implement the Directive into their domestic legal framework, and England and Wales did this in May 2018. Some may say the arrival of the GDPR overshadowed this related but important piece of legislation for certain industry sectors.
Key Points:
– NIS applies to service providers in “vital sectors”, which include healthcare and utilities.
– NIS applies to Digital Service Providers (“DSPs”), covering all those that employ more than 50 people and have a turnover or balance sheet value greater than 10m euros.
– NIS sets up the National Cyber Security Strategy, which is committed to making the Internet a more secure environment in the UK through the promotion of technological innovation.
– Requires “qualifying” DSPs and “vital sectors” to:
  – Apply and implement technical measures to secure networks and systems;
  – Implement risk management systems;
  – Take measures to prevent and minimise the impact of security incidents; and
  – Report security incidents without delay (over and above any report that may need to be made to the ICO under the General Data Protection Regulation).
– Introduces a new fine structure of up to £17m for breach of its outcomes.
The impact of NIS must therefore be considered by all those in the energy, transport, health and water sectors, as well as by “qualifying” DSPs. It should also be considered by those connected to the supply chain for these sectors. The Cyber Security Framework (“the CAF”) has been established by the National Cyber Security Centre in response to the obligation under NIS for competent authorities to assess compliance with NIS by those caught by it.
The CAF sets out indicators of good practice, which are designed to assess whether the outcomes required by NIS are being achieved.
If your business provides services to those sectors, or if you are a qualifying DSP, you must ensure that your contractual frameworks support the new law and manage the risk associated with non-compliance with NIS as a separate exercise from ensuring compliance with the GDPR and the new Data Protection Act 2018.
If disposing of your business, be prepared for enhanced due diligence and be ready to demonstrate compliance; if acquiring, make sure your legal team are able to advise on the practicalities and deal with any risk.
9th July 2018