NIS Directive To Be Implemented In UK Despite Brexit

Reed Smith (Worldwide)

Contributor

Reed Smith is a dynamic international law firm helping clients move their businesses forward. By delivering smart, creative legal services, we enrich clients' experiences with us and support achievement of their business goals. Our longstanding relationships and collaborative structure enable the speedy resolution of complex disputes, transactions, and regulatory matters.

In January, the UK government confirmed that it will be implementing the EU's Network and Information Security Directive (NIS Directive) regardless of Brexit. EU countries have until 9 May 2018 to implement the Directive into their national laws. Given Brexit, the UK government confirmed in its Cyber Security Regulation and Incentives Review that details of the UK's implementation of the NIS Directive will be released in 2017.

Protecting critical IT infrastructure

As reported in our previous blog, the NIS Directive aims to ensure that critical IT infrastructure in key sectors of the economy is secure from the ever-growing list of cybersecurity threats. The NIS Directive will apply to: (i) companies within "critical sectors" (e.g., banking, health care, energy and transport); and (ii) digital service providers (e.g., online marketplaces, search engines and cloud services).

Businesses that operate in one of the above two categories will be required to take appropriate security measures and to notify the relevant national authority in the event of a significant incident.

Red tape?

The UK government's current approach is to encourage organisations to manage their own risk in respect of data, rather than create more regulations and bureaucratic red tape.

In lieu of setting specific cybersecurity controls or making cybersecurity insurance mandatory, the government has been pointing out that investment in cybersecurity is in the best interests of businesses, and that they should conduct self-assessments to ensure that their cybersecurity practices are up to date, especially in light of the incoming General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.

Businesses that fail to prepare in advance of May 2018 are most likely undervaluing the data that they hold, and in particular placing data at risk.

In turn, such inaction poses significant risks to businesses. Once the GDPR is in force, businesses will be required to report any data breach suffered, and could be faced with fines of up to EUR20 million, or 4% of the total worldwide annual turnover ... a high price to pay for inaction!

Time for your business to take action?

The incoming GDPR sets out detailed requirements for breach notifications. For more information about getting your business ready for it, see our previous blogs on Preparing for the GDPR: what you need to know and Implementing the GDPR: Reed Smith Webinar on Planning your Path to Compliance in 2017.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
