Published 14 November 2022
When a country’s critical infrastructure is compromised, whether through a cyber attack or otherwise, the effects can be wide-reaching and devastating. Recent examples of significant cyber incidents impacting critical infrastructure include:
This is a real and ever-present problem and one which is seemingly increasing in this age of hybrid warfare, with offensive cyber operations seen as a critical element of a State’s armoury in the current era of great power competition.
In the UK, we operate under the framework provided by the Network and Information Systems (“NIS”) Regulations which implement European Directive 2016/1148[1]. The NIS Regulations are intended to address all threats (not just cyber) to network and information systems and they apply to:
Compliance is dependent upon DSPs/OESs identifying and taking appropriate and proportionate measures to manage risk. Risk is defined as any reasonably identified circumstance or event having a potentially adverse effect on the security of network and information systems. Measures taken by DSPs/OESs must:
They must also take into account:
Competent authorities have the authority to oversee NIS compliance. For DSPs, the ICO is the competent authority. It requires all DSPs to register with the ICO and it has investigatory and enforcement powers under the NIS Regulations. As DSPs may also be data controllers or data processors under the General Data Protection Regulation (GDPR), they are likely to have both NIS and GDPR obligations. For OESs, the competent authority is sector dependent. Energy providers generally have the Secretary of State for Business, Energy and Industrial Strategy, jointly with a sector-specific body such as the Gas and Electricity Markets Authority, as their competent authority; however, day-to-day compliance is in fact overseen by the Office of Gas and Electricity Markets (OFGEM). For transportation infrastructure providers, the competent authority is generally the Secretary of State for Transport, jointly with a sector-specific body such as the Civil Aviation Authority.
In order to structure oversight and risk management, the competent authorities utilise the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) and work in close coordination with the NCSC to address threats and incident response activity. Whilst OES competent authorities do have enforcement powers, their activity in relation to incident response and investigation is generally focused on collaboration and proactively rectifying services. This differs to a certain extent from the mandate of the ICO in relation to DSPs.
The NIS Regulations and CAF form key elements of the UK Cyber Strategy. Published in June of this year, the Strategy aims to provide a comprehensive approach to protect and promote the UK’s interests in and through cyberspace. It seeks to achieve this by strengthening cyber security in order to keep ahead of the UK’s adversaries and strengthen its ability to act in cyberspace, as well as its ability to influence and shape tomorrow’s technologies to keep them safe, secure and open.
Structured around 5 pillars, the Strategy looks to address:
As breach response counsel, we have seen Pillar 5 in action. In recent cyber incidents, it has become clear that regional police agencies, along with the NCSC, are taking a far more proactive and empathetic approach to engaging with organisations who have suffered cyber breaches. This has been exemplified by police providing threat analysis and keeping impacted organisations apprised of developments in their investigations.
Additionally, where large scale NIS breaches occur, or data breaches impacting public sector bodies or organisations with public sector contracts, law enforcement agencies have acted as invaluable interlocutors, coordinating communication with various agencies and government departments, each of whom will have their own particular concerns or agenda regarding a given cyber incident.
Whereas we might have been somewhat circumspect regarding law enforcement engagement in years gone by, the UK Cyber Strategy does seem to have given rise to a sea-change in the way in which the police and NCSC now appear driven by a desire to assist and support impacted entities. This development can only be seen as positive, and we will continue to forge strong working relationships with the NCSC and regional police services in providing impacted organisations with the best possible breach response management and legal support.
[1] NB: The European Parliament approved NIS 2 on 10 November 2022. It is a new European directive aiming to provide greater security for entities “by implementing a system of obligations and sanctions.” This will abolish OESs, replacing them with Essential Entities and Important Entities, likely entering into force in 2024. The legislation now awaits approval from the Council of the European Union. It remains uncertain whether the UK will follow the EU in updating its own NIS Regulations.
By Hans Allnutt, Stuart Hunt