The Herald

Firms must be ready for new IT security measures or face penalties

- CALLUM SINCLAIR

THE large-scale WannaCry and NotPetya ransomware cyber attacks on the NHS (and others) raised the stakes for cybersecurity enormously. They brought home the fact that such attacks can affect us in the most fundamental ways – by closing doctors’ surgeries or forcing hospitals to cancel operations.

So how can so-called “critical infrastructure” be better prepared to deal with threats like this? How can we stop attacks on IT infrastructure triggering power failures or, as was suggested last week, potentially even setting off a nuclear missile?

In the UK, a consultation on the Directive on Security of Network and Information Systems (the NIS Directive) took place last autumn to try to start answering these questions.

The NIS Directive will introduce security measures and incident reporting obligations for “operators of essential services”. As well as health and energy, these include transport networks, water suppliers and distributors, and banking and financial market infrastructure – although the latter are likely to benefit from certain exemptions. NIS also regulates digital service providers (DSPs), such as online marketplaces, cloud computing providers and search engine operators.

Each EU country is responsible for identifying the companies that will be subject to the new rules. Businesses operating in a critical category and included on the list must take appropriate security measures and notify the relevant national competent authority (in the UK, the Information Commissioner’s Office for DSPs, and sector-specific regulators for operators of essential services) within 72 hours of becoming aware of a significant incident.

There are exemptions, including DSPs with fewer than 50 employees and an annual turnover or balance sheet total under €10 million. Another exemption is likely to apply to banking and financial services, where existing sector requirements may already exceed what the Directive demands: firms will be exempt if provisions at least equivalent to those specified in the Directive are already in force by the time it takes effect. However, those firms and financial market infrastructures must continue to adhere to the requirements and standards set by the Bank of England and the Financial Conduct Authority.

The UK Government has not yet issued a formal response to the consultation, which has been quickly followed by another, ending on February 13. This looks specifically at how the European Commission should reform ENISA (the EU Cybersecurity Agency) and establish a framework to govern European cyber security.

After the second consultation closes, the UK Government has less than three months (until May 9) to implement the NIS Directive.

Given the tight timescales, and the prospect of sanctions for operators of essential services and DSPs that don’t comply, businesses must be ready. If they are uncertain how NIS might affect them, taking advice on implementation, readiness and compliance should be high on the agenda.

Businesses could face the same maximum penalties as they will for failing to comply with the much-discussed General Data Protection Regulation (€20 million or four per cent of global annual turnover, whichever is higher) – so it is vital for those affected to consider the NIS Directive alongside GDPR. A failure to do so could be damaging – for business, wider cybersecurity and public confidence.


Callum Sinclair is a Partner and Head of the Technology Sector at Burness Paull LLP.
