UK Government seeks opinions of industry and regulators on plans to transpose Network and Information Systems (NIS) EU Directive (NIS Directive) into UK law.

Matt Hancock MP, Minister of State for Digital, has issued an open consultation to UK organisations and other interested parties following the NIS Directive adopted by the EU Council of Ministers on 17^th May 2016 (see our previous blog post here).

The consultation comes as part of Government plans for the UK to consolidate its current position as the largest internet economy in G20, working alongside the implementation of the GDPR into domestic legislation with the recent Data Protection Bill proposal (see our previous blog on the GDPR here).

This consultation is especially significant in the wake of a spate of increasingly menacing cyber-attacks, including the hacking of the television network HBO, the WannaCry ransomware attack and the 2016 infiltration of US water utilities.

What are the aims of the Government in transposing the NIS into UK law?

Particular focus has been placed on essential services (energy, health, transport, water, and digital infrastructure) which, if disrupted, could have serious implications for the UK economy.

The Government has bracketed its aims into three general areas as part of its National Cyber Security Strategy:

• Defend: the UK has the means to protect against and repel high-level cyber-security threats.
• Deter: the ability to detect and disrupt hostility taken against UK cyberspace, and to take counter-offensive action if necessary.
• Develop: Facilitate research into cyber-security counter-measures that will enable the UK to fulfil its national requirements across the public and private sectors as outlined in the NIS Directive.

What about Brexit?

As EU member states are required to transpose the NIS Directive into national laws by 9 May 2018, the law will come into effect in the UK before the Brexit deadline.

What does the Government seek counsel on?

Amongst other measures, they seek comment on the proposed alterations and conditions for transposing the NIS Directive into UK law, namely:

• How to impose the essential services it is obligated to cover.
• Which bodies/authorities ought to regulate and audit the NIS Directive.
• The penalty for a breach of obligations.
• The security requirements of these regulatory bodies.

How does the Government propose to implement the NIS Directive into domestic legislation?

Notable government proposals relating to key areas are:

• Essential services: under the NIS Directive, the UK must identify the “operators of essential services” (OES) functioning within its territory, the principle criterion being whether the service in question is vital to the economic or societal welfare of the UK.
• Security requirements for OES: the UK Government proposes to implement these provisions on two levels; firstly, and predominantly, by outlining a set of general principles which organisations must adopt. Complementing these principles, more detailed sector-specific guidance will be published, to be updated when necessary in view of the nature of individual threats. One potential shortcoming that may arise is the high cost that such requirements would demand, something that could ultimately affect the sector as a whole. Whether such costs would be justified is included in the Government’s consultation document.
• Competent authorities: as an aspect of its national security framework, the UK proposes to establish one or more “computer security incident response teams” (CSIRTs) who will be responsible for handling any cyber-incidents that may arise.
• Penalty regime: in a similar vein to the GDPR penalties, a high bar has been set for the maximum penalty for organisations who fail to meet the obligations and requirements as outlined in the NIS Directive. Failure to implement suitable security measures can result in a penalty of up to €20 million or 4% of global turnover.

W&B comment

Few would dispute that the borderless nature of major cyber security attacks requires a sophisticated and coordinated response between governments of affected countries. The UK Government’s consultation on implementing the NIS Directive is yet further evidence that, following Brexit, there will be an even greater need for enhanced cooperation between the UK and other EU member states to promote a secure digital economy across Europe.