CALLUM SINCLAIR
The large-scale WannaCry and NotPetya ransomware cyber attacks on the NHS (and others) raised the stakes for cybersecurity enormously. They brought home the fact that such attacks can affect us in the most fundamental ways – by closing doctors’ surgeries or forcing hospitals to cancel operations.
So how can so-called “critical infrastructure” be better prepared to deal with threats like this? How can we stop attacks on IT infrastructure triggering power failures or, as was suggested last week, potentially even setting off a nuclear missile?
In the UK, a consultation on The Directive on Security of Network and Information Systems (NIS Directive) took place last autumn to try to start answering these questions.
The NIS Directive will introduce security measures and incident reporting obligations for “operators of essential services”. As well as health and energy, this would include transport networks, water suppliers and distributors, and banking and financial infrastructure – although the latter are likely to benefit from certain exemptions. NIS also regulates digital service providers (DSPs), such as online marketplaces, cloud computing providers and search engine operators.
Each EU country is responsible for identifying companies that should be subject to the new rules. Businesses operating in a critical category and on the list must take appropriate security measures and notify the relevant national authority (the Information Commissioner’s Office in the UK) within 72 hours of becoming aware of a significant incident.
There are exemptions, including DSPs with fewer than 50 employees and an annual balance sheet under €10 million. Another exemption is likely to apply to banking and financial services where current requirements might exceed what is required under the Directive. Where this is the case, firms will be exempt if provisions at least equivalent to those specified in the Directive already exist by the time it comes into force. However, firms and financial market infrastructures must continue to adhere to requirements and standards set by the Bank of England and the Financial Conduct Authority.
The UK Government has not yet issued a formal response to the consultation, which has been quickly followed by another, ending on 13th February. This looks specifically at how the European Commission should reform ENISA (the EU Cybersecurity Agency) and establish a framework to govern European cyber security.
After the second consultation closes, the UK Government has less than three months (until 9th May) to implement the NIS Directive.
Given the tight timescales, and the prospect of sanctions for operators of essential services and DSPs who don’t comply, businesses must be ready. If they are uncertain how NIS might affect them, taking advice on implementation, readiness and compliance should be high on the agenda.
Businesses could face the same maximum penalties as they will for failing to implement the much-discussed General Data Protection Regulation (20 million Euros or 4 per cent of global annual turnover, whichever is higher) – so it is vital for those affected to consider the NIS Directive alongside GDPR. A failure to do so could be damaging – for business, wider cyber-security and public confidence.
Callum Sinclair is a Partner and Head of the Technology Sector at Burness Paull LLP.