The time is near when the UK must identify the “operators of essential services” (OES) established in its territory in order to comply with the Directive on security of network and information systems (EU NIS Directive 2016/1148). I grant that NIS is not, at first reading, a particularly newsworthy topic for most people. It has certainly been largely overlooked by the traditional media and bloggers in favour of GDPR; however, I suspect that this will change when the impact of the Directive is felt.
What is NIS intended to achieve? - Who benefits?
To quote from the UK Government’s Impact Assessment conducted in May 2016, “The main benefits to the UK economy are expected to be a reduction in the number of network outages caused by cyber-attacks and their impact, as improved security measures and incident response plans are put in place. Businesses also may benefit from reduced breaches or attacks that are below the Directive thresholds. International cooperation and information sharing is also expected to improve advice and incident response for firms.” - It’s worth reflecting that this Impact Assessment was made a year before the WannaCry global cyber-attack, which demonstrated on a grand scale the social as well as monetary impact that the growing cyberwar can have on communities.
I think it's fair to say that Government attitudes are hardening towards Operators who regard cyber security as a low priority when delivering the UK's essential services.
What are the NIS ‘four objectives’?
There are four top-level objectives, which NIS will achieve through the implementation of a set of 14 common security principles. Each principle defines a set of mandatory security outcomes. The Directive will require certain types of essential service provider to demonstrate the effective use of security policies and measures.
Objective A. Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services
A.1 Governance
A.2 Risk management
A.3 Asset management
A.4 Supply chain
Objective B. Proportionate security measures in place to protect essential services and systems from cyber attack
B.1 Service protection policies and processes
B.2 Identity and access control
B.3 Data security
B.4 System security
B.5 Resilient networks and systems
B.6 Staff awareness and training
Objective C. Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services
C.1 Security monitoring
C.2 Anomaly detection
Objective D. Capabilities to minimise the impacts of a cyber security incident on the delivery of essential services including the restoration of those services where necessary
D.1 Response and recovery planning
D.2 Lessons learned
How will organisations within scope be impacted?
The NIS approach, bold though it is in comparison to the current state of EU cyber readiness, is intended to achieve only minimum capacity-building and planning requirements, the exchange of information, and the coordination of actions, as well as common security requirements for all market operators concerned. This, it is thought, will improve their ability to respond effectively to challenges to the security of network and information systems. NIS will also introduce significant financial penalties for operators that fail to meet its obligations (see below). This may well come as a shock to risk managers and the C-suite alike. The timetable for compliance is also likely to seem brisk: Member States have until 9 May 2018 to transpose the Directive into domestic legislation, so it will come into force at about the same time as the General Data Protection Regulation. With the current media focus (mainstream and social) on GDPR, it has been understandably easy in recent months simply to ignore NIS. However, as the Government begins to select companies for the 'operators of essential services' list, NIS may well raise a few troubled eyebrows in boardrooms.
Although Governments and large enterprises have already done much to improve the cyber resilience of essential services, NIS will require a focus on the protection of the digital systems supporting those services and on the ability to detect and respond to incidents. Let’s be clear: this is NOT the General Data Protection Regulation (GDPR). However, the fines, although not yet enshrined in UK law, are likely to be equally eye-watering. Given the potentially high impact of the loss of an essential service, including, for some services, possible loss of life, or major economic loss to associated industries or regions, the UK Government believes that NIS needs to, in its own words, “set a high bar for the maximum level of penalty”. It has therefore proposed a penalty regime similar to that of GDPR, which it says will “provide consistency in the Government’s regulatory approach towards overall cyber security”. When you realise that Operators will be going from a low or zero risk of a statutory fine to a possible €20m or 4% of global turnover fine under NIS, you can feel the sea-change that this new law represents.
Penalty Regime (read: Large Fines)
If the UK Government’s advice in the Consultation document is followed and enacted in subsequent legislation, there will be two bands of penalties under NIS Directive:
● Band one - set at a maximum of €10m or 2% of global turnover - for lesser offences, such as failure to cooperate with the competent authority, failure to report a reportable incident, or failure to comply with an instruction from the competent authority.
● Band two - set at a maximum of €20m or 4% of global turnover (whichever is greater) - for failure to implement appropriate and proportionate security measures.
Have I got your attention now?
What does NIS classify as an ‘essential service’?
So-called ‘Operators’ in the sectors within the scope of the Directive are identified as providing an essential service if they meet all of the following criteria:
• an entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
• the provision of that service depends on network and information systems; and
• an incident would have significant disruptive effects on the provision of that service.
Are Digital Service Providers essential services?
Digital service providers are a separate category under the Directive from operators of essential services, with their own obligations, but they are within its scope. The definition of the digital service providers covered by the Directive has changed since the UK Government’s Impact Assessment carried out in 2013. Broadly speaking, it now covers search engines, online marketplaces and cloud service providers. For all types of digital service provider, only businesses with 50 or more employees and a minimum of £10 million turnover are included; micro and small businesses are excluded. There are, it seems, currently no search engines based in the UK that would be subject to the Directive. Online marketplaces are defined by reference to points (a) and (b) of Article 4(1) of Directive 2013/11/EU of the European Parliament and of the Council. An online marketplace in this context is a platform that acts as an intermediary between buyers and sellers, facilitating the sale of goods and services. Online marketplaces are only in scope if sales are made on the platform itself. Sites that redirect users to other services to make the final transaction (e.g. some price comparison sites) are not in scope, and nor are sites that only sell directly to consumers (e.g. online retailers). Only two UK-based marketplaces are likely to be subject to the Directive, with others such as Amazon, eBay and Etsy being based in other countries.
'Cloud computing service’ means a digital service that enables access to a scalable and elastic pool of shareable computing resources. The UK Government's Impact Assessment published in May 2016 identified a total of 169 business-to-business cloud services headquartered in the UK that meet the size requirements. Table 1 of that Impact Assessment, 'Sectors within scope and essential services provided' (page 7), and its section on Digital Service Providers (pages 9 and 10) make interesting reading for UK technology players.
“Cloud services can be broken down into one of three categories, those that provide infrastructure, platforms, or software as a service (SaaS). For SaaS operators, only business to business service providers will be included, and entertainment providers (such as Netflix or online games) will be excluded. While no estimates are available of the number of businesses that operate in these categories we have obtained data that provides our best estimate. This shows that there are 129 businesses providing SaaS that meet the size definition and are headquartered in the UK. A further keyword search was conducted for “cloud” to identify other businesses with this in their description of services offered which identified a further 40 unique records. This gives a total of 169 businesses headquartered in the UK, with 50 or more employees and a turnover of £10m or greater. It has not been possible to refine this figure further.” [Source: Network Information Security Directive, Impact Assessment (IA), Department for Culture, Media and Sport; Date: 16/05/2016; page 10].
What other service operators are likely to be in scope by the end of 2018, and will your business be one of those affected?
Read the next instalment of this blog series to find out. Plus, learn how to define an Incident and how you should respond.