
Cybersecurity Directive


This article has been submitted by Greenaway Scott

The Cybersecurity Directive (also known as the National and Information Security Directive or NIS Directive) was adopted on July 6th 2016 and took effect in August 2016.

From August 2016, EU Member States had 21 months to integrate its requirements into their national laws. The Directive was adopted and published by the UK on 9th May 2018, and the measures came into force on 10th May 2018.

The purpose of the Directive is to ensure the security of the IT systems on which data may be processed. The Directive was proposed following recognition of how serious a cybersecurity incident can be.

The Cybersecurity Directive sets requirements on network and information security, including a number of requirements around incident response and the implementation of risk-based technical security measures. The aim is to improve cross-border cooperation in network and information security and to foster a culture of risk management.

The Directive applies to operators of essential services (including transport, health and energy) and also to digital service providers (such as online marketplaces, search engines and cloud services).

Operators of essential services are known as OESs and digital service providers are known as DSPs. Originally, banking and financial infrastructure were to be included within the definition of an OES; however, these sectors were omitted because equivalent procedures were already in place in these areas.

The Directive applies to OESs and DSPs that are established in the EU and provide services to those based in the EU. DSPs that are based outside of the EU but are providing a service to those within the EU are required to appoint an EU-based representative to act on their behalf to ensure compliance with the Directive.

OESs include energy, transport, health, drinking water supply and distribution, and digital infrastructure. OESs that satisfy the threshold criteria must notify the designated competent authority that they are an OES before 10th August 2018. The threshold criteria for each subsector are set out in Schedule 2 of the Directive.

The competent authority also has the power to designate a company as an OES if certain conditions are met and the company is likely to have significant disruptive effects on the provision of essential services.

OESs are responsible for ensuring that the relevant security requirements are met throughout the supply chain. This can be achieved through contractual arrangements, including clauses relating to auditing and compliance. However, guidance states that each supplier or contract will require a different level of protection based on the level of risk associated with it, so this is not a one-size-fits-all situation.

DSPs include online marketplaces, online search engines and cloud computing services. The ICO is designated as the national competent authority for relevant DSPs, which are known as RDSPs. An RDSP is defined as a person who provides a digital service in the UK, has a head office in the UK and is not a small or micro enterprise. A small enterprise is defined as an enterprise that has fewer than 50 employees and an annual turnover of less than €10 million. A micro enterprise is an enterprise which employs fewer than 10 people and has an annual turnover of less than €2 million. A DSP must notify the designated competent authority that they are a DSP before 1st November 2018.

Penalties for non-compliance must be effective, proportionate and dissuasive. The UK penalty can be up to £17,000,000.

To ensure compliance with the Directive, organisations that fall within its scope should ensure that they contact the relevant authority before the required date. A Computer Security Incident Response Team (CSIRT) will be created in each member state, and those caught by the Directive should contact the CSIRT to obtain information that will help them prepare for security threats and current cybersecurity issues.

Organisations should implement a range of security measures and conduct risk assessments regularly to mitigate any identified risks. Processes should also be put in place to deal with any security incidents.

If you would like advice on the Cybersecurity Directive and the effect it may have on your commercial contracts, please contact the Commercial team by emailing [email protected].