The U.K. government confirmed in its Cyber Security Regulation and Incentives Review published in December that the EU’s Network and Information Security (NIS) Directive will be implemented in the U.K.
In light of the U.K.’s vote to leave the EU there was speculation about the government’s intention to implement the NIS, however, the Review provides clarity around the U.K.’s implementation plans.
The NIS Directive will have to be implemented into national law by 9 May 2018.
The Directive will impose obligations on the providers of ‘essential services’ and ‘digital service providers’ (DSPs) to take appropriate measures to ensure the security of their network and information systems and manage the impact of cyber ‘incidents’ so as to minimise any interruption to services.
Such organisations will, moreover, be required to notify such incidents (not merely personal data breaches, as in the case of the General Data Protection Regulation (GDPR)) to the national competent authority or computer security incident response teams without undue delay – in the case of DSPs if the incident is likely to have a ‘substantial’ impact on the provision of the digital services in question (and in the case of essential services if it is likely to significantly impact the continuity of the essential services).
When an essential service provider relies upon a DSP for the provision of its services, the obligation to notify such incidents will remain with the former (so it will be important to ensure DSP contracts require the DSP to inform the essential service provider).
Each member state will have to identify, by list, the providers of services it considers to be ‘essential’ but the categories will include digital infrastructure providers such as those providing ‘internet exchange points’ (network facilities enabling exchanges of internet traffic between several autonomous systems), domain name system providers and top-level domain registries.
DSPs are not subject to national flexibility in identification: they will include ‘online market-places’, online search engines and cloud service providers. App stores will be considered to be DSPs, whereas price-comparison sites, computer hardware manufacturers and software developers will not.
A crucial distinction between the NIS and the GDPR –touched on above- is that the directive’s notification obligations extend beyond personal data breaches to cover cyber incidents, including outages affecting the provision or continuity of services.
In the same way as the GDPR is understandably expected to increase demand for data protection insurance, so the NIS Directive is likely to drive TMT companies’ appetitie for other cyber insurance covers.
The US experience has shown us notification requirements resulting in cyber incidents entering the public domain are likely to increase the volume of third party claims.
Willis Towers Watson’s 2016 TMT Risk Index identified the major trends affecting the TMT sectorn are, first, regulation and legal risks (of which data protection regulation ranked first, then multimedia liability and anti-trust law), followed by cyber-attacks.
TMT boardrooms are right to see regulation as a mega-trend affecting their sector, but they should look beyond the well-publicised GDPR to the NIS Directive.
Jamie Monck-Mason is the Executive Director of Cyber and TMT at Willis Towers Watson. Jamie has a particular specialism in Cyber and Technology E&O wordings, related coverage issues and claims. He has drafted a successful suite of UK Cyber and Technology policies for US insurers. He therefore brings to the team a legal expertise to reinforce their already formidable technical capability.