The government recently launched a consultation on how best to implement the Network and Information Systems (NIS) Directive. The directive aims to increase the security of network and information systems across the EU and will be implemented into UK law in May 2018. Energy companies across the UK need to determine whether they are likely to fall within the scope of the legislation or if they are a significant supplier to another entity that qualifies as an operator of essential services.
Who in the energy sector will be affected by the NIS Directive once implemented?
Energy has always been identified as an essential sector falling within the scope of the NIS Directive; however, the consultation paper has provided greater granularity by proposing a series of thresholds so that the enactment will apply only to "more important operators" in the energy sector. These fall within the following categories:
- Electricity supply businesses, distribution and transmission companies;
- Oil pipeline (transmission), production, refining and treatment and storage businesses; and
- Gas supply businesses, distribution and transmission companies, storage and LNG operators, and operators of refining and treatment facilities.
The thresholds proposed by the government are binary: for example, an electricity distributor with the potential to disrupt supply to more than 250,000 consumers will be deemed to be an essential service operator. The government currently does not consider the civil nuclear sector to be in scope of the NIS Directive. The thresholds set by the government will be one of the core aspects of the public consultation.
In tune with other recent legislation such as the UK Bribery Act 2010 and the Modern Slavery Act 2015, it is expected that operators of essential services will also have a responsibility to drive compliance into their supply chain. The paper states that "there should be confidence that the security principles are met regardless of whether an organisation or a third party delivers the service" and refers to "ensuring that appropriate measures are employed where third party services are used". Accordingly, while suppliers to operators of essential energy services may not themselves be under an immediate compliance obligation, it is wholly foreseeable that, if their services touch an essential operator's network and information systems, they will be contractually obliged to comply.
The key elements of the directive that operators of essential energy services need to know
- Security requirements:
Operators must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems and take appropriate measures to prevent and minimise the impact of incidents. What these broad principles mean in practice is yet to be established. The consultation paper indicates that a series of further guidance will be issued from the government, the National Cyber Security Centre and the relevant competent authority, which will provide further granularity and sector-specific information and will evolve over time.
- Incident reporting:
Operators will be required to notify the National Cyber Security Centre and their relevant competent authority of incidents affecting the security of network and information systems that have a significant impact on the continuity of essential services. The incidents are not limited to cyber attacks and can include power outages, system malfunctions and hardware failure. The consultation process will assist in the definition of what will constitute a reportable incident and the identification of associated thresholds. It is proposed that a report will need to be made within 72 hours of becoming aware of the incident.
According to the impact assessment issued by the Department for Digital, Culture, Media and Sport (DCMS), the high level of regulation already in place in the energy sector means that only small alterations to existing security systems are likely to be required to comply with the NIS Directive. However, the extra costs required to comply with the incident reporting requirements will depend on the reporting thresholds issued by the competent authority.
The appointment of competent authorities for the energy sector
The government proposes to nominate a competent authority to oversee implementation and compliance with the Directive in each of the essential sectors. For energy, this is the Department for Business, Energy and Industrial Strategy (BEIS), though the government is exploring whether certain functions could be delegated to the Office for Gas and Electricity Markets (Ofgem). The competent authority will have the power to decide whether to publicise an incident, to obtain information required to assess compliance, to identify breaches of the Directive and take enforcement action.
The sanctions for energy companies that fail to comply with the directive once implemented
While the gestation of the directive has run in parallel with the GDPR, the NIS Directive has largely remained in the shadow of the publicity surrounding the penalty regime set out for the GDPR. However, in the consultation paper the government has indicated a desire to mirror the penalty regime of the GDPR by proposing two bands of penalties, with fines of up to €20 million or 4% of global annual turnover (whichever is greater) for the more serious offence of failing to put in place effective cyber security measures. The press release issued by DCMS suggests that a fine for breach of the NIS Directive will be separate from and additional to any fines ordered under the GDPR. This could then mean that an organisation suffering a cyber attack which results in the loss of both services and data could face a "double liability" of fines of up to €40 million. It is also not clear whether related sanctions imposed by other regulators will be taken into account when determining the sanction for non-compliance.
The NIS Directive has largely gone unnoticed, and while most businesses are squaring up to the challenges of the GDPR, compliance with the NIS Directive appears on very few agendas. Given that operators of essential services face the prospect of sanctions equal to those in the GDPR, compliance with the NIS Directive when enacted should be high on the priority list. While the principal focus is on those businesses falling within the defined scope of operator of essential services, key suppliers to those operators of essential services have to anticipate that they will be contractually obliged by their customers to comply with the enactment.