Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Security of Network and Information Systems Directive

Published byFelicia Williamson Modified over 6 years ago

Similar presentations

Presentation on theme: "The Security of Network and Information Systems Directive"— Presentation transcript:

1 The Security of Network and Information Systems Directive
Public Consultation

2 What is the NIS Directive?
The Directive on Security of Network and Information Systems (‘the NIS Directive’) was adopted by the European Parliament in July 2016 and represents the first EU-wide legislation on cyber security. Requires designated essential service operators to implement security measures to manage the risks to the network and information systems used to deliver essential services, and to report incidents affecting the continuity of such services. Similar but lighter requirements will be placed on certain Digital Service Providers Member States have until 9 May 2018 to implement the NIS Directive.

3 Who is in scope? Essential Services in the following sectors:
Water, Energy, Transport, Health, Digital Infrastructure (TLDs, IXPs, DNS) Banking and Finance excluded under UK proposals (similar legislation already applies in the UK). The civil nuclear sector is also not in scope. Digital Service Providers Online Marketplaces, Search Engines, Cloud Service Providers (with 50 or more staff and/or a turnover of €10m a year) IXPs = Internet Exchange Points, DNS = Domain Name Services, TLD = Top Level Domain

4 Public consultation The Government welcomes views from industry on the implementation proposals set out in the consultation document. Important we get these right. Cyber security threat is increasing for businesses across the economy. It is especially important that our essential services operators effectively manage the risks to their network and information systems. Loss of an essential service or Digital Service Provider would likely have a significant disruptive effect for both individual businesses and UK plc as a whole. Want to find the correct balance between safeguarding the security of our essential services and digital service providers, whilst avoiding undue burdens on business.

5 Public consultation (cont.)
UK Government (DCMS) launched a public consultation on 8 August, setting out the proposed approach to implementation of the NIS Directive. The consultation closes on 30 September, and covers all aspects of implementation: Essential Services and Identification Thresholds National Framework Security Requirements Incident Reporting Digital Service Providers Penalties

6 What about the EU referendum result?
Cyber security remains a top priority for the Government. It is important to safeguard the network and information security of our essential services, irrespective of EU Membership. It is therefore the UK Government’s intention to keep the framework established by the NIS Directive, and the associated legislative requirements, after the UK has left the EU.

7 NIS - the detail There are six key aspects of implementation on which we are seeking your views. However, in this presentation we will be focusing only on two: Digital Service Providers Penalties

8 Digital Service Providers (Definitions)
Online marketplaces - a platform that acts as an intermediary between buyers and sellers, facilitating the sale of goods and services. Online search engines -a digital service that allows users to perform searches of all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found. Cloud computing services - any company that offers: ‘Infrastructure as a Service’ (IaaS); ‘Platform as a Service’ (PaaS); Business to Business ‘Software as as Service’ (SaaS). Can share ENISA’s draft thinking. Entertainment DSPs out of scope for UK.

9 Digital Service Providers (Definitions)
Our aim is to: Make it clear for companies whether they are in scope or not Only incorporates companies where a service failure would negatively impact on other businesses Want to work with you to improve the definitions. Need to be workable and legally enforceable Can share ENISA’s draft thinking.

10 Digital Service Providers (Definitions)
Question: Are Digital Service Providers easily able to identify themselves using these criteria? Question: Would using these definitions create any unfair competitive advantage or disadvantage for Digital Service Providers within scope? Can share ENISA’s draft thinking.

11 Digital Service Providers (Security Measures)
DSPs must identify, and take appropriate and proportionate technical and organisational measures, to manage the risks posed to their security of network and information systems. Propose to follow a principles and guidance approach to security measures for Digital Service Providers, with the guidance closely linked to that provided by the European Network and Information Security Agency (ENISA). Compliance with European guidelines will be a requirement for access to the Single Market, therefore the Government will aim to ensure that the UK’s guidance is a close to ENISA’s guidance as possible. EU Act setting exact provisions for DSPs not yet published. Expect first draft any time now.

12 Digital Service Providers (Security Measures)
proportionate security measures in place to protect services and systems from cyber-attack or systems failure; appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage incidents; capabilities to minimise the impacts of a cyber security incidents on the delivery of services including the restoration of those services; capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, services; measures in place are, where possible, compatible or comparable to internationally recognised cyber security standards.

13 Digital Service Providers (Security Measures)
Question: Are these principles reasonable? Question: If NO, Why Not? Can you suggest revised principles that would enable important incidents to be reported? Question: What would be the impact on your business in applying these principles? Question: Do you have an alternative preferred approach?

14 Digital Service Providers (Incident Reporting)
The Government is proposing that companies must report an incident “without undue delay and as soon as possible, at a maximum no later than 72 hours after having become aware of it.” Question: Would this incident reporting timeframe place an undue burden on your business or operations? Question: Do you wish to take part in the proposed targeted consultation exercise once the security and incident reporting thresholds have become clearer? Targeted consultation to take place once we know once the details of what the EU are proposing in their Act are clearer.

15 Penalties Penalties provided for in national legislation should be effective, proportionate and dissuasive. Given the potential high impact of a loss of an ‘essential service’, including possible loss of life and/or major economic loss to an associated industry or region, the Government believes the NIS Directive should set a high bar for the maximum level of penalty. Therefore propose to adopt the same penalty regime being implemented for the General Data Protection Regulation (GDPR), which has been widely recognised as a likely effective regime. This will also provide consistency in the Government’s regulatory approach towards overall cyber security.

16 Penalties (cont.) The Government proposes to have two bands of penalties under the NIS Directive: Band one - set at a maximum €10m or 2% of global turnover - for lesser offences, such as failure to cooperate with the competent authority, failure to report a reportable incident, failure to comply with an instruction from the competent authority. Band two - set at a maximum of €20m or 4% (whichever is greater) - for failure to implement appropriate and proportionate security measures.

17 Penalties (cont.) Question: Do you consider the proposed penalty regime to be proportionate to the risk of disruptions to operators of essential services? Question: Do you believe that the proposed penalty regime will achieve the outcome of ensuring operators take action to ensure they have the resources, skills, systems and processes in place to ensure the security of their network and information systems? Question: If you answered NO to either of these two questions, please explain how the penalty regime could be amended to address your concerns.

18 What next? Public consultation closes - 30 September 2017
Publish Government Response - November 2017 Publish Updated Impact Assessment - November 2017 Review draft legislation – September - December 2017 Parliamentary clearance & prepare guidance - Winter 2017 to Spring 2018 Comes into force - May 2018

19 Stuart Peters Head of EU Cyber Security Regulatory Policy 4th Floor, 100 Parliament Street, London SW1A 2BQ | ​6769​ | @dcms /dcmsgovuk |

Download ppt "The Security of Network and Information Systems Directive"

Similar presentations

The Agency for Cooperation of Energy Regulators (ACER) – UK Government views Sue Harrison Head of European Energy Markets 13 February 2008 EPP-ED Public.

The Agency for Cooperation of Energy Regulators (ACER) – UK Government views Sue Harrison Head of European Energy Markets 13 February 2008 EPP-ED Public.
Regulators’ Code July 2014. Regulators’ Code A statutory Code Came into effect in April 2014, replacing the Regulators’ Compliance Code All local authorities.

Regulators’ Code July Regulators’ Code A statutory Code Came into effect in April 2014, replacing the Regulators’ Compliance Code All local authorities.
EU SME policy The “Small Business Act” for Europe and its Review

EU SME policy The “Small Business Act” for Europe and its Review
Enforcement of REACH in the UK Richard Hawkins Environment Agency

Enforcement of REACH in the UK Richard Hawkins Environment Agency
Options for Regulation and the Impact of Regulation on the Marketplace 29 November 2005 Alan Kent

Options for Regulation and the Impact of Regulation on the Marketplace 29 November 2005 Alan Kent
1 Reform of the EU regulatory framework for electronic communications What it means for Access to Emergency Services Reform of the EU regulatory framework.

1 Reform of the EU regulatory framework for electronic communications What it means for Access to Emergency Services Reform of the EU regulatory framework.
The Crown and Suppliers: A New Way of Working People & Security15:35 – 16:20 Channels & Citizen Engagement Social Media ICT Capability Risk Management.

The Crown and Suppliers: A New Way of Working People & Security15:35 – 16:20 Channels & Citizen Engagement Social Media ICT Capability Risk Management.
David Halldearn, ERGEG Conference on Implementing the 3 rd Package 11 th December 2008 Implementating the 3rd Package: An ERGEG Consultation paper.

David Halldearn, ERGEG Conference on Implementing the 3 rd Package 11 th December 2008 Implementating the 3rd Package: An ERGEG Consultation paper.
COBIT 5: Framework, BMIS, Implementation and future Information Security Guidance Presented by.

COBIT 5: Framework, BMIS, Implementation and future Information Security Guidance Presented by.
The New EMC Directive 2004/108/EC and the DTI transposition Brian Jones and Peter Howick.

The New EMC Directive 2004/108/EC and the DTI transposition Brian Jones and Peter Howick.
Peter Defranceschi ICLEI - Local Governments for Sustainability An Introduction European Commission GPP Training Toolkit.

Peter Defranceschi ICLEI - Local Governments for Sustainability An Introduction European Commission GPP Training Toolkit.
© Grant Thornton UK LLP. All rights reserved. Review of Partnership Working Vale of Glamorgan Council Final Report- July 2008.

© Grant Thornton UK LLP. All rights reserved. Review of Partnership Working Vale of Glamorgan Council Final Report- July 2008.
GLA REVIEW The Government’s Proposals for Additional Powers for the Mayor of London and London Assembly.

GLA REVIEW The Government’s Proposals for Additional Powers for the Mayor of London and London Assembly.
IAEA International Atomic Energy Agency Overview of legal framework Regional Workshop - School for Drafting Regulations 3-14 November 2014 Abdelmadjid.

IAEA International Atomic Energy Agency Overview of legal framework Regional Workshop - School for Drafting Regulations 3-14 November 2014 Abdelmadjid.
Isdefe ISXXXX-090000-1XX 5.10.2010 Your best ally Panel: Future scenarios for European critical infrastructures protection Carlos Martí Sempere. Essen.

Isdefe ISXXXX XX Your best ally Panel: Future scenarios for European critical infrastructures protection Carlos Martí Sempere. Essen.
IAEA International Atomic Energy Agency IAEA Nuclear Security Programme Enhancing cybersecurity in nuclear infrastructure TWG-NPPIC – IAEA May 09 – A.

IAEA International Atomic Energy Agency IAEA Nuclear Security Programme Enhancing cybersecurity in nuclear infrastructure TWG-NPPIC – IAEA May 09 – A.
Health and Safety Executive Health and Safety Executive Competent Authority & Data Reporting HSE/DECC Consultation Events - Spring 2014 EU Offshore Directive.

Health and Safety Executive Health and Safety Executive Competent Authority & Data Reporting HSE/DECC Consultation Events - Spring 2014 EU Offshore Directive.
Main Requirements on Different Stages of the Licensing Process for New Nuclear Facilities Module 4.1 Steps in the Licensing Process Geoff Vaughan University.

Main Requirements on Different Stages of the Licensing Process for New Nuclear Facilities Module 4.1 Steps in the Licensing Process Geoff Vaughan University.
Europe's work in progress: quality of mHealth Pēteris Zilgalvis, J.D., Head of Unit, Health and Well-Being, DG CONNECT Voka Health Community 29 September.

Europe's work in progress: quality of mHealth Pēteris Zilgalvis, J.D., Head of Unit, Health and Well-Being, DG CONNECT Voka Health Community 29 September.
FAQs about the new regulatory framework Lucy Rhodes

FAQs about the new regulatory framework Lucy Rhodes

Similar presentations

Ads by Google