Network and Information Systems Regulations (NIS) 2018
Cyber security becomes serious
24 May 2018
The Network and Information Systems Regulations (NIS) 2018 came into force on 10th May 2018. The legislation implements the EU's Network and Information Security (NIS) Directive, which aims to raise the overall level of security and resilience of network and information systems across the EU. The Regulations:
- set out the UK's national NIS strategy;
- identify the UK's single point of contact [GCHQ];
- identify the UK's Computer Security Incident Response Team [GCHQ];
- identify the UK's national competent authorities for Energy; Transport; Health; Drinking Water Supply and Distribution; and Digital Infrastructure subsectors. (Whilst listed as sectors in the NIS Directive, the NIS regulations, in line with Recital 9 and Article 1(7) of the NIS Directive, do not set out any criteria for identifying and regulating those in the banking sector and the financial market infrastructures sector, as equivalent EU legislation - for example PSD2 - already applies);
- identify the criteria in each subsector for identifying operators of essential services (OES);
- set out the duty to notify incidents;
- set out what digital service providers are and their requirement to notify cyber incidents;
- set out the enforcement regime and penalties for failure to comply with the regulations.
The regulations apply to those sectors which are vital to the economy and society such as Energy; Transport; Health; Drinking Water Supply and Distribution; and Digital Infrastructure.
The regulations cover relevant digital service providers (RDSP) and operators of essential services (OES). RDSPs, except for micro and small businesses (those with fewer than 50 staff and/or a turnover of €10m a year), are directly subject to the new rules, whilst the regulations provide the relevant UK authorities the power to designate which organisations are to be classed as OES.
The Regulations require organisations identified as OES to take appropriate and proportionate measures to:
- manage risks posed to the security of the network and information systems on which their essential services rely;
- prevent and minimise the impact of incidents on the delivery of essential services;
- report serious network and information incidents that impact on provision of the essential service.
The OES will be regulated by Competent Authorities (CA) who will have the power to issue guidance, inspect organisations and take enforcement action (including imposing penalties of up to £17 million) where necessary.
Oversight & Monitoring
For CAs regulating OES, active oversight will be expected. In its guidance to CAs, the Department for Culture, Media and Sport (DCMS) said CAs should proactively engage with industry, publish guidance, meet with representatives from OES, and implement an assessment framework including an audit programme.
This is different for RDSPs, where the Information Commissioner’s Office (ICO) will be limited to reactive (after-the-fact) oversight. The DCMS guidance still recommends that the ICO provides guidance and support to DSPs.
Enforcement & Penalties
According to the DCMS guidance, CAs should not rush to take action just because an incident has been reported. An incident is not by itself an infringement of the NIS Regulations; the key factor for determining enforcement action is whether or not appropriate and proportionate security measures and procedures were in place and being followed.
CAs have a lot of flexibility under the regulations when it comes to the exact form that any enforcement action takes. Information Notices and Enforcement Notices are both available, as well as financial penalties. The DCMS guidance recommends that Competent Authorities implement a stepped process of enforcement in which OES and DSPs are given warnings, and that CAs publish their enforcement policy so that OES and DSPs are clear as to the approach being taken.
The regulations set out a tiered system of financial penalties, capping the potential fines that CAs can impose for different breaches of the regulations. A penalty must:
- not exceed £1,000,000 for any contravention which the enforcement authority determines could not cause a NIS incident;
- not exceed £3,400,000 for a material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in a reduction of service provision by the OES or RDSP for a significant period of time;
- not exceed £8,500,000 for a material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in a disruption of service provision by the OES or RDSP for a significant period of time;
- not exceed £17,000,000 for a material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in an immediate threat to life or significant adverse impact on the United Kingdom economy.
The Brexit Effect
The UK currently remains a full member of the European Union and all of the rights and obligations of EU membership remain in force, including under the NIS Directive.
The outcome of on-going negotiations on the future UK-EU partnership will determine what arrangements apply in relation to EU legislation once the UK has left the EU. However, it is the UK Government’s stated intention that on exit from the EU the policy provisions of the NIS Directive will continue to apply in the UK.
Competent Authority (CA) Guidance
A key part of the functioning of the Regulations will be how the sector CAs assess and enforce the regulations. CAs are strongly encouraged to use the National Cyber Security Centre's Cyber Assessment Framework (CAF) as part of their toolkit in order to provide consistency across sectors and the UK.
Ofcom, The Department of Health and Social Care (DHSC), and the Department for Transport (DfT) have published guidance thus far.
The UK Communications regulator, Ofcom, who are the CA for the Digital Infrastructure sector, have published interim guidance for Operators of Essential Services (OES).
Ofcom's interim guidance:
- gives a high-level introduction to the NIS Regulations;
- sets out Ofcom's initial views on the immediate steps it expects the OES in the digital infrastructure subsector to take, as a minimum, to meet their obligations under the NIS Regulations;
- provides information about the types of operators on which duties have been imposed under the NIS Regulations;
- sets out the process and thresholds for reporting relevant security incidents that such operators must initially follow;
- introduces Ofcom's intended initial enforcement approach.
OES “deemed to be designated” for the digital infrastructure subsector are:
- Top Level Domain Name Registries (who service an average of 2 billion or more queries in 24 hours for domains registered within the Internet Corporation for Assigned Names and Numbers);
- Domain Name Service Providers (which service an average of 2,000,000 or more requesting DNS clients based in the United Kingdom in 24 hours; or are servicing 250,000 or more different active domain names);
- Internet Exchange Point Operators (IXP Operators who have 50% or more annual market share amongst IXP Operators in the United Kingdom, in terms of interconnected autonomous systems, or who offer interconnectivity to 50% or more of Global Internet routes).
Anyone meeting these criteria on 10th May 2018 is deemed an OES and is required to notify Ofcom of this fact by 9th August 2018. Anyone meeting the criteria after 10th May 2018 has a duty to notify Ofcom within three months of the date on which the criteria were met.
Ofcom states that it currently expects enforcement to be broadly in line with the approach set out in its Enforcement guidelines for regulatory investigations and it will review in due course whether this approach needs adapting.
The Department of Health and Social Care (DHSC), who are one of the CAs for the health sector, will be responsible for overseeing the operation of the NIS Regulations within the sector. It has published guidance on the NIS Regulations.
NHS Trusts and Foundation Trusts are considered OES for the health sector in England for the purposes of the NIS Regulations. The Department will also designate other NHS healthcare providers as OES, and those organisations will be individually notified.
DHSC's implementation of the NIS Regulations will be to incorporate its requirements into a wider approach to implementing the National Data Guardian’s 10 data security standards. These data security standards apply to all health and care organisations to ensure that systems and data are protected. While the NIS Regulations will only apply to organisations considered OES, the 10 data security standards and wider regulatory framework, including the General Data Protection Regulation (GDPR), apply to all health and care organisations.
NHS Digital will publish guidance on implementing the 10 data security standards, incorporating the requirements for fulfilling the security duties of the NIS Regulations. This guidance will be accessible through the Data Security and Protection Toolkit.
The Department for Transport (DfT), who are one of the CAs for the transport sector, have published guidance aimed at those organisations that are designated as OES. The guidance:
- Sets out the responsibilities of OES.
- Sets out the roles and responsibilities of the CA and how these will be carried out, with particular focus on the first year post-May 2018.
- Sets out the process and thresholds for mandatory incident notifications.
Further to this, it contains specific guidance for each transport mode and provides clarity on how the NIS Regulations will align with any existing guidance, standards or regulations related to network and information system security.
The types of organisations in scope within the transport sector are:
- Owners or managers of airports;
- Air navigation service providers;
- Air carriers;
- Harbour authorities;
- Shipping companies;
- Operators of port facilities;
- Operators of vessel traffic services;
- Operators of railway assets (trains, networks, stations and light maintenance depots) for domestic and international rail plus some light rail and underground services;
- Roads authorities and operators of intelligent transport systems.
Specific thresholds will apply to many of the above types of entities, which are generally based on the scale of the operation in terms of annual passenger numbers or freight tonnage. For domestic and international rail there are no specific thresholds and so any entity that meets the definitions will be in scope.
The DfT has set out its expectation for how the process to assess OES will operate during its first year and beyond:
- From 10th May: incident notification requirements need to be followed.
- May–June 2018: NCSC will run a CAF pilot within the transport sector. The initial version of the CAF has been published.
- July 2018: the DfT Cyber Compliance Team (CCT) begin site and organisational visits to OES in rail, maritime and roads sectors to introduce themselves and offer support throughout the self assessment period.
- July 2018: (This is the earliest date and may be subject to change based on feedback from pilot): CAF rolled out for self-assessment with guidance to rail, maritime and roads OES.
- July 2018 (and each year after): CCT to submit an annual report of NIS incidents to the SPOC (the UK single point of contact), for them to submit to the European Commission in August 2018 and every year thereafter.
- September 2018: (interim milestone - may be subject to change based on feedback from pilot): OES may find it useful to have identified their critical systems and discussed this list with the CCT by this point.
- November/December 2018: (may be subject to change based on feedback from pilot): deadline for self-assessments and initial supporting evidence to be provided by OES to the CCT.
- November 2018: (and biennially after): report of the number of OES and the thresholds for identification submitted to the EU by the SPOC.
- January 2019: the CCT to engage with OES to discuss findings of self-assessments and request further evidence if required. The CCT will prioritise its programme of engagement with OES based on risk, self-assessments and other factors.
- May 2019: the CCT will begin follow-up audits where required.
- May 2019: the CCT will conduct a full review of incident notification thresholds.
Guidance from the Department for Business, Energy & Industrial Strategy and Ofgem in relation to the oil, gas and electricity subsectors, and from the Department for Environment, Food and Rural Affairs for drinking water supply and distribution, is expected shortly.