Go back to menu

Government sets out cybersecurity plans for UK essential services

Consultation launched on approach to UK implementation of EU NIS Directive

08 August 2017

The Department for Digital, Culture, Media and Sport are consulting on the Government’s plans to transpose the Network and Information Systems (NIS) Directive into UK legislation. The Directive introduces cybersecurity-related obligations for operators of essential services, i.e., entities that depend on networks to provide services essential for the maintenance of critical activities, in sectors such as transport (e.g. air carriers, airport managing bodies); energy (e.g. electricity, oil, gas operators), finance (e.g. credit institutions), health (e.g. hospitals and private clinics), digital service providers (e.g. e-commerce, cloud computing and search engine operators). It is left to the Member States to identify operators of essential services (OES) with an establishment on their territory. It will also cover other threats affecting IT, such as power failures, hardware failures and environmental hazards.

The UK Government supports the aims of the NIS Directive and in this consultation has set out its plans to transpose the Directive into UK law.

The consultation covers:

The essential services the directive needs to cover

According to the Directive an ‘operator of an essential service’ is a public or private entity that meets the following criteria: provides a service which is essential for the maintenance of critical societal and/or economic activities; the provision of that service depends on network and information systems; and an incident affecting those systems would have significant disruptive effects on the provision of that service.

The Government’s proposed approach to determine these operators is to use the following four criteria:

• sector - the broad part of the UK’s economy;

• subsector - specific elements within an individual sector;

• essential service - the specific type of service;

• identification thresholds - criteria to identify essential operators (for example through size or the impact of events seeking to prevent).

The penalties

The Government proposes to have two bands of penalties under the NIS Directive:

Band one - set at a maximum €10 million or 2% of global turnover - for lesser offences, such as failure to cooperate with the competent authority, failure to report a reportable incident, failure to comply with an instruction from the competent authority.

Band two - set at a maximum of €20 million or 4% (whichever is greater) - for failure to implement appropriate and proportionate security measures.

These are the maximum penalty levels, and it is expected that mitigating factors including sector-specific factors will be taken into account by the competent authority when deciding appropriate regulatory response.

The competent authorities to regulate and audit specific sectors 

The Government proposes having multiple sector specific competent authorities that can use their knowledge and sectoral expertise to improve security in individual sectors. These will be supported by the Nominated Computer Security Incident Response Team (CSIRT), and Single Point of Contact (SPOC) - The NCSC, as the UK’s technical authority on cyber security issues, is proposed as the UK’s CSIRT and SPOC.

The security measures we propose to impose 

The  Government proposes to implement these provisions through a guidance and principles based approach, in which the Government and NCSC will set out the high level security principles (set out in the consultation paper), which will be complemented by more detailed guidance, that will be either generic or sector specific. OES will be expected to meet the high level principles from the time that the legislation comes into effect (10 May 2018).

Timelines for incident reporting 

Whilst the directive does not set any specific timeframe within which incidents should be reported, the Government is  proposing that OES must report an incident "without undue delay and as soon as possible, at a maximum no later than 72 hours after having become aware of an incident. "

How this affects Digital Service Providers

The Government sets out how it plans to define digital service providers (online marketplaces, online search engines, and cloud computing services) and their security requirements and incident reporting responsibilities.

Announcing the consultation Minister for Digital Matt Hancock said: "We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards. The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim."

The consultation is open until 30 September 2017.

The NIS Directive, once implemented, will form an important part of the Government’s five-year £1.9 billion National Cyber Security Strategy.  

The Government has separately set out its plans for a new Data Protection Bill which will transpose the General Data Protection Regulation (GDPR) into UK law.