Overview
Introduction
On January 19, 2022 the UK Department for Digital, Culture, Media & Sport (DCMS) commenced a public consultation on proposed changes to the UK Network & Information Systems Regulations 2018 (UK NIS).[1] The UK NIS implements EU Directive 2016/1148 (NIS 1).[2] The consultation reflects the United Kingdom's (UK) attempt to catch up with the EU's work on the revision of NIS 1 (EU NIS 2).
The EU NIS 2 was launched in 2020 and seeks to broaden the range of entities required to develop cyber resilience processes. EU NIS 2 is high on the agenda of the current French presidency of the Council of the EU, and it is hoped that the dossier will be closed by mid-2022. The importance of this policy area is underlined by reports suggesting that the French Ministry of Justice has recently been the victim of a ransomware attack.
The UK consultation is seeking feedback on the following three pillars:
- extending the scope of UK NIS so that minimum security standards can be imposed on additional critical providers of digital services, to prevent their failure given their interdependencies with essential sectors;
- giving the government the ability to modify the scope and requirements of UK NIS quickly (through secondary legislation rather than an Act of Parliament) to better respond to technological developments and future threats; and
- implementing standards for the cyber security profession.
This client advisory discusses the parallel tracks at the EU and UK levels to determine whether the UK (through its first pillar) is setting out on its own cyber resilience journey.
1. Scope
The DCMS proposes to add organizations that take on responsibility for services such as network, infrastructure and security on behalf of their customers (managed service providers (MSPs)) to the digital service provider (DSP) category.[3] It also creates a new category, critical sectoral dependencies, i.e., services that are essential to certain operators of essential services (OES).[4] In addition, the government may bring additional (sub-)sectors within the scope of UK NIS, such as electric vehicles, data centers and manufacturing, should those become critical to the provision of essential services within the UK.
In contrast, the EU NIS 2 eliminates the distinction between OES[5] and DSP and replaces it with the concept of essential entities (EEs) and important entities (IEs).
Whether an entity falls into one category or the other is a function of: (i) the criticality of the sector; (ii) the type of services provided; and (iii) its size. Further, additional (sub-)sectors such as digital providers, manufacturing (pharmaceuticals, chemicals, electrical features, etc.), public administration and cloud infrastructures are added. All EEs and IEs must at least implement core risk management measures such as risk analysis policies, encryption and cryptography policies and supply chain security. Adequate and proportionate technical and organizational measures must also be taken. The proportionality of the latter is assessed taking due account of “the degree of the entity’s exposure to risks, its size, the likelihood of occurrence of incidents and their severity”. Thus, measures may be less stringent for IEs than for EEs.
Although the UK and the EU are working towards the same goal (improving the cyber resilience of organizations), their proposed approaches differ. The UK wants flexibility and therefore introduces only the regulatory changes currently necessary, while keeping leeway to extend the scope of its framework further as its needs evolve. At the EU level, by contrast, the focus is on streamlining the Member States’ approaches to cybersecurity by providing a minimum set of rules. Organizations that operate across both jurisdictions would likely hope that the UK and EU maintain a level of alignment between the sectors in scope (e.g. manufacturing) to limit complexity.
2. Supervision
Under the UK proposal, OES are subject to ex-ante[6] supervisory control, as are a select few critical DSPs, i.e. those “that present the greatest systemic risk to the UK’s economic prosperity and national security”. They are designated by the ICO based on factors such as: market reach; scale of services provided; and the criticality of the clients supplied. Other DSPs remain subject to ex-post[7] supervisory control.
NIS 2 provides that EEs are subject to ex-ante supervision. It also details the minimum supervisory actions by which EEs must abide, including: inspections, including random checks; regular and targeted security audits; security scans; and access requests. Member States keep the final responsibility on the enforcement side (using a risk-based approach); this may lead to fragmented approaches within the EU.
IEs, by contrast, may be subject to ex-post supervisory measures “when provided with evidence or indication or information that an important entity is allegedly not in compliance” with its reporting obligations or the implementation of risk management requirements.
3. Reporting Obligations
In the UK, the current regime only requires the reporting of incidents that impact the provision of the service, excluding those that merely pose a significant risk to the security of network and information systems. The new measure, if adopted, extends the incident reporting obligation to any incident which has a significant impact on the availability, integrity or confidentiality of networks and information systems and that could cause, or threaten to cause, substantial disruption to the service.
EU NIS 2 sets out the same baseline reporting obligations for both EEs and IEs: all significant incidents must be reported to the relevant authority. An incident is considered significant when it (potentially) causes severe operational disruption of the service or financial losses for the entities concerned, or affects other natural or legal persons by causing considerable material or non-material losses.
Entities will be required to notify the competent authority within 24 hours of becoming aware of the incident. A report must also be provided (with minimal content requirements). To avoid over-reporting, significant cyber threats will only need to be reported in the cases provided by Member States.
While reporting obligations are likely to be streamlined at the EU level, the UK is moving towards covering a broader range of incidents.
4. Follow Developments, Have Your Say
Brexit has already had consequences for NIS-related compliance. DSPs that had selected a representative in the UK were required to appoint an additional one within the EU to satisfy the NIS 1 requirement. But the current diverging journeys of the UK and EU could create more hurdles, red tape and bureaucracy for global organizations, which will have to cope with and implement processes and procedures to deal with two different sets of requirements. That’s money that could have been better spent on patching, testing and mapping IT infrastructures.
The consultation is open until April 10, 2022, and organizations are encouraged to make submissions. If you have questions on the proposed changes or would like assistance in preparing a response to the consultation, please contact one of the authors or your usual Steptoe contact. Let’s let the UK catch up to the EU train.
[1] A copy of the proposed legislation and consultation is available here.
[2] Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (EU NIS 1). NIS 1 aimed to increase cybersecurity in the EU and focused on specific sectors and, within such sectors, a limited number of actors. Member States kept some discretion in implementation, such as the actual identification of those operators that were to be considered essential. This ultimately led to a scattered legislative landscape that is complex to understand for digital service providers and for organizations from the energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution, and digital infrastructure sectors. The approach to digital service providers under NIS is different, as it applies to (all) organizations belonging to one of the following categories: (i) cloud computing services (e.g., IaaS, PaaS, SaaS); (ii) online marketplaces; and (iii) online search engines.
[3] See note 2 above.
[4] See note 2 above.
[5] Member States no longer have to list the operators that qualify as “essential”. Rather, only small companies are now excluded (de minimis threshold), meaning that all medium and large companies within the relevant sectors fall within the scope of NIS 2. Member States only determine whether NIS 2 applies to regional and local public administrations.
[6] An ex-ante supervisory regime means that supervisory actions are taken proactively by the supervisory authority.
[7] An ex-post supervisory regime means that supervisory action is taken when provided with evidence or indication that an entity does not meet the cybersecurity requirements.