The EU Network and Information Security Directive (NIS) requires maritime transport and other essential services to demonstrate that they have implemented ‘appropriate and proportionate’ cyber security measures. The NIS will come into force on 6 May 2018 and the Government has just published a consultation paper on the implementation of the NIS in the UK. The largest port or harbour authorities and maritime transport companies headquartered in the UK will be directly affected by these new provisions, and there will inevitably be a trickle-down effect on the smaller companies that contract with those organisations. The proposed penalties for breach of the new laws are substantial – 4% of global turnover or £17 million, whichever is the greater. These measures will be in addition to the other new cyber laws, such as the General Data Protection Regulation (GDPR), which are about to come into effect.
Over the last 18 months, the maritime sector has worked hard to focus its response to the growing cyber risk that it undoubtedly faces. In June 2017, we saw updated cyber security guidelines from the International Maritime Organisation (IMO) Maritime Safety Committee. These guidelines are tied into the ISM Code. Although the guidelines are currently “recommendatory”, they require cyber risk to be appropriately addressed in safety management systems no later than the first annual verification of a company’s “document of compliance” after 1 January 2021.
Network and Information Security Directive (NIS)
The latest development for UK-based maritime organisations comes with the publication of a Government consultation paper on the implementation of the Network and Information Security Directive (NIS) (Directive (EU) 2016/1148). This EU Directive, which was adopted in 2016, requires operators of “essential services” to meet certain standards of cyber security. The NIS leaves it to individual EU member states to decide how to implement its requirements in their own domestic law. The recent consultation paper sets out the UK’s proposals in that regard.
Maritime transport is listed as one of the “essential services” to which the NIS will apply. Not all operators in this sector, however, will be affected directly: the current proposals are intended to apply only to the largest operations headquartered in the UK.
In the UK context, that will mean harbour authorities and ports with annual passenger numbers greater than 10 million, or with 15% of the UK’s Ro-Ro or Lo-Lo traffic, or that account for 10% of UK liquid bulk or 20% of UK biomass fuel. Under the Government proposals, the NIS will also apply to “water transport companies” that handle more than 30% of freight at any UK port in scope and five million tonnes of annual freight in UK ports as a whole. It will also apply to companies with 30% of annual passenger numbers at any individual UK port in scope and more than two million passengers at all UK ports. As at September 2017, the term “water transport companies” has not been defined.
Despite these limitations on the direct application of the NIS, it seems inevitable that its adoption by large organisations will have a knock-on effect on the smaller companies that work with or supply those organisations. This is because contracts for the supply of goods and services to the large organisations are likely to be amended to make the smaller organisations responsible for any malware or other breach of cyber security that may be passed up the supply chain.
In addition, the Government is proposing to retain a reserve power to include within the scope of the NIS specific operators that do not meet the thresholds set out above, but which are still considered to provide an essential service.
Failure to comply with the NIS will, it is proposed, expose companies to very significant financial penalties of up to £17 million or 4% of global turnover, whichever is the greater.
Companies will be exposed to those fines if they “fail to implement appropriate and proportionate security measures”. These requirements are in addition to other provisions, such as those of the GDPR.
The consultation paper does not set out in any detail the measures that the Government will expect to see implemented. Rather, the Government proposes to:
“… set out the high level security principles which will be complemented by more detailed guidance, that will be either generic or sector specific. … These principles describe the mandatory security outcomes that all operators will be required to achieve”.
The Government’s view is that operators of essential services are responsible for managing their risks and will need to implement security measures in line with the high level principles established for the purposes of NIS, having regard to the more detailed sector-specific and generic guidance to be published by the relevant NIS competent authorities. It is clear, however, that the new rules will cover governance, risk management, asset management and supply chain issues. In addition, there will be a mandatory incident reporting regime (that will be additional to existing reporting requirements and recommendations).
The consultation closes on 30 September 2017 and the Government will publish its further proposals thereafter, with the intention that the scheme should go live from May 2018.
Although NIS is an EU Directive, its implementation by the UK Government will not be affected materially by the UK’s departure from the European Union.