The Security of Network Information Systems (NIS) Directive, which aims to ensure that critical infrastructure firms such as those in the health, water, energy, transport and digital infrastructure sectors are protected from cyber-attacks and computer network failure, has come into force today.
The first steps to ensure smooth implementation of the NIS Directive in the UK were taken in August last year by the Department for Digital, Culture, Media, and Sport. The Department had then stated that the new Directive would allow critical infrastructure firms in the UK to assess cyber-threats and to implement robust safeguards to avoid breaches or outages.
As per the new law, critical infrastructure firms that fail to report breaches and network outages to regulators within 72 hours could face fines of up to £17 million. However, such fines would always be a last resort and would not apply to firms that have carried out risk assessments, taken appropriate security measures and engaged with regulators and the National Cyber Security Centre to defend against cyber-attacks.
"It's vital that we put in place tough new measures to strengthen the UK's cyber-security and make sure we are the safest place in the world to live and be online. Organisations must act now to make sure that they are primed and ready to stop potential cyber-attacks and be resilient against major disruption to the services we all rely on," said Margot James, Minister for Digital and the Creative Industries.
In order to ensure that critical infrastructure firms in the UK are better prepared to defend against cyber-attacks and to avoid fines in the future, the NCSC published detailed guidance for such firms in January in order to provide "clear advice on what organisations need to do to implement essential cyber-security measures".
"These new measures will help to strengthen the security of the UK's infrastructure. By acting on the National Cyber Security Centre's expert technical advice and reporting incidents, organisations can protect themselves against those who would do us harm," said Ciaran Martin, chief executive of the NCSC.
The NCSC would also provide regular support and advice to critical infrastructure firms while acting as the Single Point of Contact between the UK and EU Member States.
Commenting on the implementation of the new Directive, Greg Day, vice president & CSO EMEA at Palo Alto Networks, told SC Magazine UK that all "operators of essential services" are now required by law to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they use in their operations.
"These measures must have regard to the state of the art, and ensure a level of security appropriate to the risk posed. The NIS Directive also includes specific language focusing on the requirement to prevent incidents, the aim being to ensure the resilience of these services," he said.
Adding that the UK government wants to encourage a collaborative and proactive approach between organisations and their competent authority, he said that operators of essential services will work directly in most cases with their current regulatory authority while getting guidance from the NCSC at the same time.
He said that while GDPR is focused on the protection of the personal data of people in the EU, the NIS Directive is focused on ensuring that those services which have a technology dependency and are key to the functioning of society remain resilient to cyber-attacks.
"While the laws are not related, I think NIS has been very overshadowed by GDPR, and many UK companies are still waking up to the fact they must comply with NIS. GDPR has been and is getting lots of attention, yet awareness of NIS seems to be comparatively low. The NIS Directive should be seen as a positive opportunity to drive change," he added.
Charlie Wedin, cyber security expert at the international legal practice Osborne Clarke, emailed SC Media UK in agreement, saying: "....operators of essential services must ensure they are prepared to deal with both regulations. With a risk of 'double jeopardy' under GDPR and NIS – in the event that a business suffers a cyber-incident which impacts personal data and essential services – businesses need to carry out a holistic evaluation of their technical and organisational measures to ensure the security of their networks and information. They should also test their security measures with realistic 'war game' simulations to proactively identify and rectify potential weaknesses."