In August 2017 the UK government issued a consultation document on compliance requirements for the upcoming Directive on security of network and information systems (NIS Directive). There were more than 350 responses to the consultation, and the government has now released the next steps for organisations that fall under the requirements of the Directive.
Operators of essential services (OESs) and digital service providers (DSPs) will be expected to implement effective security measures appropriate to associated risks, as well as measures that minimise the impact of incidents and ensure business continuity.
The significant changes from the consultation
The most notable changes that the UK government has made to its plans for compliance with the NIS Directive are as follows:
- The thresholds required to identify operators of essential services.
- The role of the competent authority and how powers may be delegated to agencies.
- The limitation of the National Cyber Security Centre's (NCSC) role to cyber security.
- The expectations on operators within the first year or so.
- The definition of DSPs.
Scope of the NIS Directive
The thresholds that bring an OES within the scope of the Directive have been clarified, and the definition of a DSP has been expanded. Organisations fall within scope if they are identified as those whose disruption to business operations would have the most significant impact on the UK economy.
Suppliers to identified OESs and DSPs will not themselves be within the scope of the NIS Directive: it will be the responsibility of the OES or DSP to ensure that its suppliers have appropriate security measures in place.
The role of competent authorities
The UK will appoint several competent authorities, and there will be “a clear separation of powers between the NCSC and competent authorities”. It is a long-standing policy that lead government departments are responsible for various risks, including cyber, and it would be inconsistent with this policy to allow the NCSC to regulate the Directive.
The NCSC will provide expert advice and incident response support for cyber incidents, while the competent authorities will be responsible for the following:
- Designating OESs
- Requesting information related to the NIS Directive
- Directing an OES or DSP to undertake an action in relation to the NIS Directive
- Auditing, or requiring an audit, of an OES or DSP
- Monitoring the application of the NIS regulations
- Preparing and publishing guidance
- Notifying the public about an incident
- Investigating the causes of an incident
- Enforcing an instruction on an OES or DSP
- Applying a penalty on an OES or DSP
Security requirements for OESs
The government recognises the value of established cyber security standards but believes that implementing one standard won’t adequately cover the NIS Directive’s requirements. As a result, the NCSC has published 14 security principles based on existing global standards and guidance.
While the proposed security requirements for OESs are unchanged from the consultation document, the 14 high-level security principles that apply to them have been updated.
14 high-level principles
The 14 high-level principles apply to four core areas:
- Managing security risk, which involves governance, risk management, asset management and supply chain risks.
- Defending systems against cyber attack, which covers service protection policies and processes, identity and access control, data security, system security, resilient networks and systems, and staff awareness and training.
- Detecting cyber security events, which involves security monitoring and anomaly detection.
- Minimising the impact of cyber security incidents, which includes response and recovery planning and improvements.
Cyber Assessment Framework (CAF)
The NIS Cyber Assessment Framework (CAF) will be published by the end of April 2018. The CAF will be used by competent authorities to determine acceptable levels of cyber security under the NIS Directive, and audit/assess how organisations apply the 14 security principles.
Incident reporting procedures for OESs
The incident reporting guidance for OESs has been simplified to help organisations and competent authorities determine which incidents to report. The competent authorities will follow this by determining the incident reporting thresholds for each sector, and these thresholds will be published by May 2018.
The incident reporting structure has been broken down into two sections:
- Incident response – a support function: the NCSC should be approached for cyber-related incidents, and the competent authority or lead government department should be approached for assistance with non-cyber-related incidents.
- Incident notification – a regulatory process for reporting incidents to the competent authority, which will then decide whether a follow-up investigation is required.
As under the GDPR, organisations must make notifications “without undue delay and, where feasible, no later than 72 hours after having become aware of an incident”.
Security requirements for DSPs
The European Commission has published a draft implementing regulation that details the security measures and incident reporting thresholds for DSPs. The draft implementing regulation has not yet been approved by Member States.
Penalty regime for non-compliance
Penalties for those organisations that fail to comply with the regulations are intended to motivate organisations to enhance their cyber resilience while remaining proportionate to the potential risks.
Although the government still believes that aligning the NIS Directive's penalty regime with that of the GDPR is the right approach, it has taken into account the public feedback on the penalties it initially proposed and has amended the penalty regime.
Firstly, there will be no fines based on a percentage of global turnover, and secondly, the maximum penalty has been reduced to £17 million. The new penalty regime reads:
“a maximum financial penalty of £17m, which will cover all contraventions, such as (for example) failure to cooperate with the competent authority, failure to report a reportable incident, failure to comply with an instruction from the competent authority, failure to implement appropriate and proportionate security measures.”
No double jeopardy
It is also important to note that although OESs and DSPs cannot be penalised twice for the same offence under the NIS regulations, ‘double jeopardy’ cannot be removed completely, as there may be grounds for an organisation to be penalised under different regimes.
It’s time to prepare for the NIS Directive
With the UK government finalising the compliance requirements for the NIS Directive, and the financial penalties that organisations will face now known, preparation for the NIS Directive should be high on the agenda of every organisation within its scope. Competent authorities will now start reaching out to all relevant OESs to encourage them to begin working towards compliance.
An initial self-assessment has been proposed for OESs to get a clear picture of their security posture.
Although the government has indicated that the focus of the first year will be mostly to provide support and guide OESs on achieving compliance, it has made it clear that even in the first year competent authorities will be entitled to issue penalties for significant non-compliance.
How to get started
Operators should be looking to develop a resilient posture that combines best practice from leading international standards, as highlighted in the high-level security principles.
Organisations looking for guidance on how to meet the principles will find that they are already closely aligned with the international information security standard ISO 27001, its implementation guidance (ISO 27002), its risk management companion (ISO 27005) and its incident management guidance (ISO 27035).
Combining a regime of regular penetration testing, cyber incident response management and an effective business continuity management system, as outlined in the business continuity management standard ISO 22301, will help businesses ensure compliance with the NIS Directive.
IT Governance offers a total cyber resilience solution to help you meet your obligations and ensure continued compliance.