The Network and Information Systems (NIS) Directive has come into force in the UK; like the GDPR, this European Union rule applies regardless of Brexit. The UK Government says it is intended to protect the nation’s critical infrastructure and digital services from cyber attacks and computer network failures, whether caused by malice, hardware faults or even the weather. According to official guidance, the NIS Directive ‘will significantly expand the scope of cyber security regulation in the UK’.
Firms designated as ‘Operators of Essential Services’ – in healthcare, water, energy, transport and digital infrastructure – will now be expected to have safeguards in place against cyber threats, and to report breaches and network outages to their regulator within 72 hours, or face fines of up to £17m.
The National Cyber Security Centre (NCSC), set up by the Government in October 2016 as part of GCHQ, which is based in Cheltenham, has already responded to more than 950 ‘significant’ incidents, including WannaCry.
How the regulators under the NIS Directive – the ‘competent authorities’, or NIS CAs – will work with the NCSC has yet to be finalised. The NCSC does say that there ‘will be strong restrictions on the type of cyber security information that NCSC shares with the CAs, and those restrictions will be designed to address concerns about how information considered sensitive by industry and other organisations is handled’.
Margot James, Minister for Digital and the Creative Industries at DCMS (the Department for Digital, Culture, Media and Sport), said: “It’s vital that we put in place tough new measures to strengthen the UK’s cyber security and make sure we are the safest place in the world to live and be online. Organisations must act now to make sure that they are primed and ready to stop potential cyber attacks and be resilient against major disruption to the services we all rely on.”
DCMS says fines would be a last resort and will not apply to operators which have assessed the risks adequately, taken appropriate security measures and engaged with regulators, but still suffered an attack. Incidents must be reported to the appropriate regulator. Where an incident has a cyber security aspect, organisations should also contact the NCSC for support and advice. The NCSC will act as the single point of contact between the UK and other EU countries.
As the UK’s technical authority on cyber security, the NCSC is supporting competent authorities and has developed a set of 14 cyber security principles, as well as supporting guidance. Ciaran Martin, Chief Executive of the NCSC, said: “These new measures will help to strengthen the security of the UK’s infrastructure. By acting on the National Cyber Security Centre’s expert technical advice and reporting incidents, organisations can protect themselves against those who would do us harm. The UK government is committed to making the UK the safest place to live and do business online, but we can’t do this alone. Every citizen, business and organisation must play their part.”
Rob Norris, VP head of enterprise and cyber security EMEIA at Fujitsu, said: “In light of recent attacks, it’s promising to see new Government measures put in place to protect the nation’s critical infrastructure and digital services from cyber-attacks. With our latest report revealing that a fifth of the UK public believe cybercrime and hacking are the biggest challenges facing the UK today, the nation has an obligation to make data protection as much of a priority as the public, who are regularly asked to hand over financial and other personal data.
“For the majority of organisations, cybersecurity is a priority, but the reality is that many still struggle to put the right measures in place to safeguard employees, customers and the broader business. Companies should not only be concerned with protecting their data, but the entire operation of the company itself. As we have seen in the past year, cyber-attacks can set out to completely paralyse organisations at a national and international scale, creating havoc and resulting in a complete shutdown of services.
“Because even the best-run company could suffer from a hack or data breach, we, as a nation, must remain on the front foot, proactively identifying and managing threats instead of waiting for breaches to happen. After all, cybercrime is not a probability, it is an inevitability. It will be the way in which UK organisations prepare for it, however, that can make all the difference.”