What... more rules? New cyber rules apply from 10th May 2018
The Network and Information System Regulations 2018 came into force on 10th May 2018… and because everyone was focused on GDPR, many didn’t notice. The good news is that, as IT and cybersecurity law specialists, here at Clayden Law, we did… and we’ve written a short guide to them here. The full rules can be found, and read, here.
Designed as a reaction to the increasing number of cybersecurity incidents which do not respect national boundaries, the Regulations are designed to improve the security of systems across the UK, as well as increasing cooperation throughout the EU. The Regulations impose security and breach notification obligations on “Operators of Essential Services” (OES) and “Relevant Digital Service Providers”, and appoint sector-specific regulators (known as designated competent authorities) to enforce these.
Clear as mud… so what do you need to do?
First, you need to know if you are considered an Operator of Essential Services. In most cases operators in the energy, transport, health, drinking water and digital infrastructure sectors are likely to be ‘in scope’ - the Regulations have some quite detailed provisions outlining what is considered “essential”. For example, if you are a rail operator and you carry more than a certain number of passengers per year, then you will be in scope. In addition, in some cases, competent authorities can designate an operator that doesn’t meet the criteria as an OES, if there is a legitimate reason. Basically, they’re trying to ensure that all organisations involved in ‘essential services’ are bound by these Regulations.
If you discover that you are within this scope, then you have until 10th August 2018 to notify your competent authority.
If you don’t actually meet the threshold for qualification, but are worried that your area of work might mean that you could be designated as an OES, you can start preparing your response and written documentation now.
The NIS Regulations require you to put in place ‘appropriate and proportionate technical and organisational measures’ so as to manage the risks posed to your network and information systems. The objective is, of course, to prevent and minimise the impact of any incidents. The wording has echoes of GDPR, but be aware that the Regulations are not limited to dealing with personal data breaches: they cover any cybersecurity incident, whether or not it involves personal data.
The Regulations also require you to ‘have regard’ to available guidance… and where better to start than the NCSC: https://www.ncsc.gov.uk/guidance/nis-guidance-collection.
The Regulations require you to notify your competent authority (without undue delay, and within 72 hours) about any incident which has a significant impact on the continuity of the essential service you provide. This would be termed an ‘NIS incident’. Competent authorities need to, in turn, share this information with the national Computer Security Incident Response Team (or ‘CSIRT’, which in the UK is the NCSC). They will then make a decision about whether the general public needs to be informed about this NIS incident.
A regulator has the power to serve an information notice on your organisation, requiring you to provide information, both to help it assess whether you should be an OES or to assess your security.
Regulators also have the power to inspect and audit (at your cost) how well you’re complying with the Regulations and to serve an enforcement notice (or fine up to £17 million) for breach of duties. You can challenge this decision in writing, within 30 days of its receipt. Also, be aware that if the security incident involves personal data as well, the prospect of being fined under the Regulations AND GDPR is entirely possible.
We’re afraid the next point brings us back to GDPR. To manage all of this, you need to make sure you have sufficient security measures and breach notification procedures in place. GDPR preparations should help with this, but they won’t cover all areas of breach or risk (on the basis that the Regulations are not just concerned with personal data security breaches).
Consider your supply chain. Whilst the NIS Regulations don’t specifically cover sub-contractors, this is an important area for consideration. It makes sense to check that your suppliers have sufficient security protections in place and will notify you of any incidents, so that you have the chance to satisfy your own breach notification requirements. You might also want to check that the audit provisions in your supply arrangements are wide enough to allow you to get hold of all the information and access you might require, in the event of an inspection.