Cybersecurity: Regulating the Risk

A new cyber-security Directive shows the drive towards bolstering technological security in Europe. The Directive on Security of Network and Information Systems (‘the NIS Directive’) will require companies that supply critical services to ensure they are able to resist cyber-attacks and to report any major incidents.

The NIS Directive requires companies in the sectors of energy, transport, health, water supply, banking, and financial market infrastructures to adopt a minimum level of security for their digital infrastructure. Internet service providers such as online marketplaces, cloud providers, and Internet exchanges will also have obligations.

Cyber attacks are costly. A cyber attack on critical infrastructure would be economically devastating, and exposure to that risk has grown as the use and scope of technology have grown. The British government is investing £1.9 billion in technological infrastructure over the next 5 years to improve national standards in cyber security. It identifies four groups that pose a threat: terrorists, ‘hacktivists’, state-sponsored hackers, and cyber criminals.

In general, the last group poses the biggest threat to companies. It is becoming increasingly difficult to pre-empt cyber attacks as they become more and more sophisticated. They affect all companies, big and small. According to the Federation of Small Businesses in the U.K., a third of their members have been the subject of cybercrime.[1]

In the U.K., around 65% of large firms detected a cyber breach in 2016; the average cost of a breach to a large firm is £36,500.[2] The most costly single breach in 2016 was reportedly £3 million, taking into account the knock-on effects it had on the business.[3] TalkTalk was fined £400,000 by the Information Commissioner’s Office for a data breach that affected 157,000 customers. More recently, 40,000 customers of Tesco Bank had their accounts illegally accessed.

Europe is developing stronger data regulation to bring companies up to speed with technological advances and to develop a robust data protection system. There will be some overlap between the NIS Directive and the GDPR (when it comes into force). The NIS Directive is broader in terms of breach notification, requiring operators to report to the national authorities whenever there is a substantial impact on the provision of their service. The GDPR, on the other hand, only requires notification of personal data breaches.

The NIS Directive came into force in August 2016 and Member States will have 21 months to transpose it into national law.

If you are interested in further information or advice in this area of law, please contact my clerks to instruct me.


[1] http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/culture-media-and-sport-committee/cyber-security-protection-of-personal-data-online/written/24665.html
[2] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/521465/Cyber_Security_Breaches_Survey_2016_main_report_FINAL.pdf
[3] Ibid.