With all the hype surrounding the General Data Protection Regulation (GDPR) you may have missed the equally important Security of Network and Information Systems (NIS) Directive, which aims to protect the economy and society from IT failures including the risk from cyber-attack.
Security of Network and Information Systems Directive (NIS)
Whilst GDPR aims to protect how data is handled and used, the purpose of the NIS concerns essential services and their reliance on digital systems. Businesses subject to this additional EU regulation include suppliers in:
- Financial markets
- Drinking water supply
- Digital infrastructure.
From May 2018, UK operators of these critical services will need to prove that they have robust protocols in place for the management of their networks and information, and the necessary measures to ensure business continuity in the event of an IT systems disaster. Those failing to meet the requirements face regulatory fines of up to 4% of global annual turnover or €20m, whichever is greater.
Digital service providers (DSPs) covering online marketplaces, search engines and cloud computing will also be held to a lighter touch version of the rules where turnover exceeds €10m and there’s a workforce above fifty employees.
These penalties will stand alongside those associated with GDPR and any other regulatory bodies such as FCA, indicating the potential cost of any future security breach in fines alone.
Commenting on the current state of change within EU and UK regulation, Information Commissioner Elizabeth Denham recently said: “The law is not about fines. It’s about putting the consumer and citizens first.” However, the threat of large financial penalties cannot be ignored.
Lessons from the not so distant past
As it stands, EU member states have until 9th May 2018 to transfer the NIS into domestic legislation. Like GDPR, the UK has committed to enforcing the rule despite Brexit.
In the Government’s consultation, which closes on 30th September 2017, it describes how technology, data and networks need to be secured in order to protect businesses, citizens and public services.
The recent cyber-attack on the NHS serves as a stark reminder of how critical public services can be crippled by an IT disaster. The WannaCry ransomware virus prevented medical staff from accessing patient records for several days across multiple trusts. Likewise, the power outage at British Airways brought ground operations to a halt for 75,000 passengers. It is this kind of disruption which the new directive aims to prevent.
Sam Reed, Chief Technology Officer at Air-IT says:
There is growing concern politically about the number of businesses who are not yet addressing the issues of cyber security and business continuity. Businesses are built on confidence, and regulations such as the GDPR and NIS will ensure this remains the case moving forward.
Preparing for change
Those subject to the NIS should review their current systems and setup. This will also help achieve GDPR compliance, which comes into effect at a similar time.
The Information Commissioner’s Office (ICO) has published guidance specifically to help businesses prepare ahead of GDPR enforcement.
More details can be found here: Preparing for the GDPR - 12 Steps
FREE Cyber Security Resilience and GDPR Workshop
Alternatively, you can find out more about the latest cyber threats and preparing for GDPR at our FREE Cyber Security Resilience and GDPR Readiness event.
Taking place on Tuesday 26th September at Notts County FC, we will be bringing together leading experts from the East Midlands Special Operations Unit, leading law firm Browne Jacobson and Government backed accreditation provider, the IASME Consortium.
There will also be a live ransomware infection demonstration, performed by Datto – an industry-leading backup and disaster recovery solutions provider – and Air-IT’s cyber security expert, Sam Reed, covering what your business needs to know and do.
For more information and to book, please visit the event page today: Cyber Security Resilience and GDPR Readiness – Book Here