The British government is consulting on how to best implement the EU’s Network and Information System’s (NIS) directive, which focuses on boosting cyber defences for key service providers. One of the proposals is that firms could face fines of up to £17 million or 4% of global turnover, if they are proven to not have taken effective cyber security measures.
The directive is aimed at organisations that “provide a service which is essential for the maintenance of critical societal and/or economic activities”, and so will impact those operating in the electricity, transport, water, energy, transport, health and digital infrastructure sectors.
NIS shouldn’t be confused with the EU’s upcoming GDPR regulation, which allows the government to impose similar sized fines on firms for not effectively protecting data.
The government said today that fines would be a last resort, and they will not apply to operators that have assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack.
In a foreword to the consultation documents, Minister of State for Digital, Matt Hancock, said:
Our modern economy, and the economic security it brings, are all themselves based on secure infrastructure. Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity, water, and health services, to the provision of passenger and freight transport.
Their reliability and security are essential to economic and societal activity, and the functioning of UK and European markets. Such systems can be a target for malicious actors that intend to damage or interrupt their operation through cyber attacks. Some systems may also be single points of failure for essential services and may be susceptible to other forms of compromise such as power failures, hardware failures and environmental hazards.
Adverse incidents affecting such systems could cause significant damage to the UK economy, impeding economic activity and undermining user confidence, or result in substantial financial losses. The magnitude, frequency and impact of network and information system security incidents is increasing. Recent events such as the WannaCry ransomware attack, the 2016 attacks on US water utilities, and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that can result from adversely affected network and information systems.
The recent WannaCry attack hugely impacted the National Health Service (NHS) in the UK, with a number of Trusts reporting problems, resulting in hospitals having to cancel treatments and divert patient care.
The consultation document recognises that despite the result of the EU referendum last year, and the UK’s decision to leave the European Union, it adds that the government will continue to implement and apply EU legislation whilst negotiations take place. The documents also highlight that the government believes the NIS directive is the right approach to protect the country’s digital infrastructure. It states:
It is the UK Government’s intention that on exit from the European Union this legislation will continue to apply in the UK. It is important to note that the Government supports the overall aim of the NIS Directive and believes that strengthening the security of network and information systems supporting the UK’s essential service and digital service providers is consistent with the Government’s aim to ensure the UK is secure and resilient to cyber threats, prosperous and confident in the digital world.
The NIS Directive, once implemented, will form part of the Government’s five-year £1.9 billion National Cyber Security Strategy. It aims to compel essential service operators to make sure they are taking the necessary action to protect their IT systems.
The regulation will require operators to develop a strategy and policies to understand and manage their risk; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and to raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.
The government states that “any operator which takes cyber security seriously should already have such measures in place”.
The government announced its five-year National Cyber Security Strategy (NCSS) in November 2016, which the Chancellor committed £1.9 billion of investment towards. Key to the strategy was the opening the National Cyber Security Centre, which is based out of Victoria in Central London and aims to be the UK’s “outward facing authority on cyber”.
Commenting on the announcement today, NCSC CEO Ciaran Martin said:
We welcome this consultation and agree that many organisations need to do more to increase their cyber security.
The NCSC is committed to making the UK the safest place in the world to live and do business online, but we can’t do this alone.
Everyone has a part to play and that’s why since our launch we have been offering organisations expert advice on our website and the Government’s Cyber Essentials Scheme.
The Government will shortly hold workshops with operators so they can provide feedback on the proposals and the full consultation documents can be read here.
Image credit - Images free for commercial use