Implementation of EU NIS Directive: consultation response & NCSC guidance published

January 30, 2018

The Government has published its response to last year’s consultation on implementation of the EU NIS Directive.

The Directive comes into force on 9 May across the EU and compliance is mandatory for suppliers of essential services (as defined in Annex 1 of the Government’s consultation response – see below).

The Directive seeks to: 

  • Ensure that Member States have in place a national framework so that they are equipped to manage cyber security incidents and oversee the application of the Directive. This includes a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and a national NIS competent authority, or competent authorities.
  • Set up a Cooperation Group among Member States to support and facilitate strategic cooperation and the exchange of information. The Member States will also need to participate in a CSIRT Network to promote swift and effective operational cooperation on specific network and information system security incidents as well as sharing information about risks.
  • Ensure that organisations within vital sectors which rely heavily on information networks, for example utilities, healthcare, transport, and digital infrastructure sectors, are identified by each Member State as “operators of essential services” (OES). Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority. The participation of industry is therefore crucial in the implementation of the directive.

358 responses were received by the Department which resulted in changes to several of their original proposals including clarification of: 

  • the thresholds required to identify operators of essential services;
  • the role of the Competent Authority and how powers may be delegated to agencies;
  • that the role of the National Cyber Security Agency is limited to cyber security;
  • the expectations on operators within the first year or so; and
  • the definitions of Digital Service Providers

The maximum penalty for failure to comply with the Directive has also been reined in so that the maximum fine will be £17m. Originally the Government had proposed a maximum fine of £17m or 4% of revenue, whichever is greater, mirroring the GDPR regime.

Alongside the consultation response, the National Cyber Security Centre has published a collection of guidance documents to help providers of essential services prepare for implementation.

The Guidance is split into four broad sections:

1 – General Introduction

This sets out

  • what the NIS Directive covers and when will it be implemented 
  • who it applies to
  • the NCSC role in the implementation of the NIS Directive
  • how our guidance is intended to be used – the outcome based approach
  • the relationship between NCSC and Competent Authorities

2 – Top Level Objectives

The top level objectives are, sensibly enough: managing security risk, protecting against cyber attack:, detecting cyber security events and minimising the impact of cyber security incidents

3 – A Table View of Principles

Links to supplemental guidance and other sources, grouped by top level objective

4 – Detail of the Cyber Assessment Framework (due for publication in April 2018)

Describes the purpose of, and requirements for, the framework which aims to “be a systematic method” for assessing whether operators are meeting the required outcomes. 

An RSS feed is available so readers can keep up to date with future guidance and an index of all the guidance published by the NCSC is available here