9 May 2018 marked the deadline for EU member states to transpose the Directive on security of network and information systems (NIS Directive) into national law; in the UK, the Directive was transposed as the Network and Information Security Regulations 2018 (NIS Regulations). However, while many organisations are prioritising the EU General Data Protection Regulation (GDPR), there is little commotion about the NIS Regulations.
In part, this is because EU member states have until November 2018 to name the operators of essential services (OES) they deem to be within scope. Many healthcare settings have been identified by NIS Regulations as being within the UK’s scope. Although already scarce as organisations look to address the GDPR, resources will need to be set aside to ensure compliance with the NIS Regulations before the deadline.
Who needs to comply?
The NIS Regulations applies to two types of organisations: OES and digital service providers (DSPs). Healthcare organisations within scope as OES have been defined as follows:
- In England: Providers of non-primary NHS healthcare commissioned under the National Health Service Act 2006 as amended in England (but not including any individual doctors providing such healthcare).
- In Wales: Local health boards and NHS trusts (defined by the National Health Service (Wales) Act 2006).
- In Scotland: The 14 territorial health boards; the following four special NHS boards: NHS National Waiting Times Centre, NHS24, Scottish Ambulance Service and The State Hospitals Board for Scotland; and Common Services Scotland (known as NHS National Services Scotland).
- In Northern Ireland: Health and social care trusts (defined by Health and Social Care (Reform)The Directive does not apply to ‘small and micro enterprises’, which the UK government identifies as organisations with fewer than 50 employees and with an annual turnover and/or balance sheet total of less than €10 million (about £8.8 million).
Reports indicate that 432 UK business will need to comply with the NIS Regulations; of these, more than 60% fall within the healthcare sector.
Overview of the NIS Regulations
The NIS Regulations require OES and DSPs to:
- Take appropriate technical and organisational measures to secure their network and information systems;
- Take into account the latest developments and consider the potential risks facing the systems;
- Take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity; and
- Notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.
Designated competent authorities will oversee OES’ compliance with the NIS Regulations.
As the GDPR’s 25 May deadline approaches, most organisations are aware that they need to comply. For health and social care organisations still looking at how to achieve this, IT Governance provides a compliance checklist.
The requirements of the NIS Regulations and the GDPR overlap in many places, which has inevitably led to questions about whether an organisation can be fined twice for the same incident.
The UK government insists this won’t be the case – at least, in most instances. However, it has conceded that organisations could be penalised under both regimes for the same event if the penalties relate to different aspects of the wrongdoing and have different effects.
The penalties for breaches of the GDPR and NIS Regulations are severe. The GDPR gives supervisory authorities the power to levy fines of up to €20 million (about £17.6 million) or 4% of annual global turnover – whichever is higher. The NIS Directive allows member states to set their own thresholds. In the UK, the maximum penalty is £17 million.
More information on fines can be found in the blog: ‘NIS Directive and GDPR double jeopardy: Can you be fined twice for the same breach?’
UK compliance guide
Organisations that need to comply with the NIS Regulations should consider how they can align that compliance project with their GDPR one. By avoiding having to take the same steps twice, organisations can achieve a cost-effective programme that satisfies the NIS Regulations and the GDPR, and work towards Data Security and Protection (DSP) Toolkit compliance.
Our compliance guide to the NIS Regulations provides essential information and guidance for UK organisations in line with the approaches of the UK government and National Cyber Security Centre (NCSC).