Sergej Khackimullin - Fotolia

What the EU’s cyber security bill means for UK industry

Coming European legislation on network and information security could have cost and organisational implications for a range of UK companies

From last year’s TalkTalk hacks through to the recent attack on Ukrainian power systems, we are witnessing how network breaches are having real-world repercussions. It is no longer a case of whether a company will be hacked, but when.

The EU is renowned for championing user privacy, but has lagged behind the US when it comes to network security. Despite the interconnected world we live in, there has never been any EU legislation to address this issue – until now.

The Network and Information Security (NIS) Directive was proposed in March 2014 as part of the European Union’s cyber security strategy, which was created to enhance data security throughout member states. The directive is intended to foster co-operation between EU nations while legislating expected security requirements for all essential services.

“A breach can happen at any time,” says Matthias Maier, security evangelist for Splunk. “We have seen in the past that having the right strategy in place significantly improves the rate at which a company recovers.”

After the European Parliament and the European Council reached an agreement on the Commission’s proposal on 7 December 2015, the draft proposal for the NIS Directive was published 11 days later. On 14 January 2016, the EU’s Internal Market Committee voted to support the political agreement.

The NIS Directive is designed to provide a high-level network and information security throughout EU member states, not just against network breaches by hackers, but also against technical failures and natural disasters.

One of the key issues the directive is seeking to overcome is that networks are not bound by geography and nationality. In the event of a critical network problem, a “greater level of co-operation is intended to smooth out the friction,” says Matt Warman, a member of the UK government’s Science and Technology Committee.

“Friction is a mixture of the lag in communication, but also when you have very different policies taken because of different legislation,” he says.

The NIS Directive can be broadly subdivided into four areas:

  • Adoption of a national NIS strategy – a framework that provides strategic objectives and priorities on information security at national level.
  • Formation of competent authorities to provide cross-border support and strategic co-operation between member states.
  • Development of computer security incident response teams (CSIRTs) for effective operational co-operation.
  • Establishing security and notification requirements for operators of essential services, as well as digital service providers.

While most of the directive operates at a government policy level, it is this final point that will have the biggest impact on UK industry.

The draft proposal states in Section 1 of Article 14: “Member states shall ensure that operators of essential services take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems which they use in their operations.”

Companies affected by this legislation are those defined as being “providers of essential services”. This broad definition includes any company whose operation is critical for any of these industries:

  • Energy (electricity, oil and gas).
  • Transport (road, rail, air and water).
  • Banking.
  • Financial market infrastructures.
  • Health sector (public and private).
  • Drinking water supply and distribution.
  • Digital infrastructure (internet exchange points, domain name system (DNS) service providers and top-level domain name registries).

Not only must essential service companies manage the risks posed to their networks, but they must also ensure that the appropriate measures have been taken to prevent attacks and minimise the potential for any attacks to succeed.

When recommending what security protocols should be used, the proposed directive states only that they should be “state of the art”. It does not recommend any appropriate measures, such as two-factor authentication or encryption. Because of the ever-evolving nature of technology, specifying certain methods could render the directive obsolete within a matter of years.

Companies will also be compelled to report incidents of “significant disruptive effect”, which are determined by the number of users affected by the disruption, the duration of the incident, the geographical spread of the incident and the extent of the disruption.

Relevant information

Notifications would be expected to include all relevant information about the incident, enabling the competent authority or CSIRT to determine the cross-border impact of the incident. The notification will not expose the company to any increased liability, but there will be penalties if a company is later found to have knowingly failed to submit the notification.

Some companies may not want to reveal that their security has been compromised, because this could damage brand image. However, they face a greater loss of reputation, as well as a fine, if they are later found not to have declared a breach.

Companies that are not deemed as providing essential services may still voluntarily report incidents that have significant impacts on the continuity of the services they provide. This voluntary notification will not result in the firm being subject to any of the other obligations of the directive.

Tom Thackray, acting CBI director for competitive markets, says: “Adopting effective cyber security is fundamental to the success of the digital economy, and all businesses need to ensure that they are assessing their cyber risk and taking robust protective action to safeguard their finances, intellectual property, customer data and brand.

“However, mandated action or reporting could be premature. Businesses must be allowed to manage their own risk and investment decisions when it comes to cyber security – and many already are.”

Digital service providers

The directive also stipulates that companies that come under the heading of “digital service providers” – those that offer online market places, search engines or computer services – will similarly need to ensure they “identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems that they use”.

This legislation will also apply to third-party companies that provide essential digital services that are deemed crucial to the continued operation of an essential services provider. Any events that affect the continued provision of the essential services are to be announced. However, the responsibility for this lies with the operator of the essential service in question.

Operators of essential services and digital service providers will also be subject to audits by the competent authority to ensure their network and information systems meet the minimum security requirements. The competent authority will have the power to issue “binding instructions to the operators of essential services to remedy their operations”.

Larger companies will already have many of the systems required by the proposed NIS Directive in place. BT, for example, is confident that the directive will have little to no effect on its operations.

“We already have a global CERT [computer emergency response team] which has been operating for some time and is growing,” said a BT spokesperson.

Security protocols

However, smaller companies that have, until now, not needed wide-ranging security protocols may be required to do so to comply with the directive.

Alexander Moiseev, managing director Europe at Kaspersky Lab, says: “Costs will vary from company to company, depending on the measures already in place, such as reporting, staff and development of a cyber security strategy.”

Costs will vary from company to company, depending on the measures already in place, such as reporting, staff and development of a cyber security strategy
Alexander Moiseev, Kaspersky Lab

But these short-term costs could lead to long-term gains. “In the long run, this will save time and money,” says Moiseev. “These precautions will help mitigate enormous cyber security risks, including interruption of digital services and even physical damage to critical infrastructure.” The biggest benefit comes from stopping incidents before they happen, he adds.

The next two months will see a lawyer-linguist check to ensure the language of the directive is correct, but will not involve any change of technicalities. After that, the European Council has to adopt the final text, followed by the European Parliament, which will be a formality.

National legislation

Once both co-legislators have formally agreed, the final text of the directive will be published in the Official Journal of the European Union. From then, member states will be expected to have the directive entered into national legislation within 21 months, with a further six months to identify the operators of their essential services.

“Many of the requirements in the directive already exist in UK law,” says the CBI’s Thackray, “so implementation should be reasonably straightforward.”

The directive is expected to come into force by mid-2018. By then, all companies that come under the purview of the directive will be expected to be fully compliant.

With the number of malicious attacks increasing, the NIS Directive is intended to compel companies to reinforce their systems by setting a high common level of network security.

“We believe companies should take it upon themselves to develop and implement clear cyber security and resilience strategies to increase information security,” says Kaspersky Lab’s Moiseev. “Just being compliant is not sufficient to tackle the diverse range of risks in the cyber-threat landscape today.”

Read more on Privacy and data protection