Draft Network and Information Security Directive: consultation summary

The Department for Business, Innovation and Skills has published a summary of the responses to its consultation on the proposed EU Directive on Network and Information Security (NIS). Summarising that summary (!):

There seems to be agreement that there is a role for the EU in Network and Information Security, in particular in ensuring that requirements are harmonised both across countries and across legislation. For example any reporting requirements in a NIS Directive must not duplicate requirements under data protection and sector-specific regulation. However there are also important activities at both national and international level that EU action must fit into. National NIS strategies, CERTs and competent authorities are seen as good things so long as the Directive’s requirements do not result in duplication of existing facilities.

The Directive’s proposal for mandatory notification of information about security breaches causes more concern. Respondents (and the BIS impact assessment) note the success of existing voluntary information sharing partnerships in the UK such as the Cyber-security Information Sharing Partnership (CISP) and the various sector Information Exchanges operated by CPNI. They are concerned that these might be damaged if information in notifications was not kept secure, if it were further disclosed against the wishes of the owner (for example disclosure might be required under the Freedom of Information Act) or if one-way notification replaced two-way sharing. Our response to the European Commission's original consultation warned that mandatory notification might distort incident response priorities; others apparently go further and worry that it might turn information disclosure into a matter for the legal or compliance department. "Do we have to disclose this incident?" could replace "could others learn from our experience?". Paradoxically, reporting costs, sanctions and audits will impose the largest burden on organisations that are best at detecting incidents and could even create an incentive not to look so hard.

As well as sectors such as energy, health and transport generally recognised as part of the Critical National Infrastructure the Directive would cover "internet enablers". Even BIS appear to struggle to interpret this definition or to find a rationale for the Directive’s examples of organisations that are, and are not, included. Respondents to the consultation note that hardware and software companies also form part of the complex supply chain for internet services; given discussions at TF-CSIRT this week of the dependence of Internet businesses on DNS it is perhaps surprising that providers of that service do not appear to be included. Given this uncertainty, one respondent suggests that "internet enablers" might be better served by voluntary, rather than mandatory, information sharing schemes.

The uncertainty of scope, and of the definition of a "serious incident" that requires reporting, make it hard to assess the potential cost of implementing the draft Directive. BIS’s impact assessment estimates that it might require businesses to double their current level of spending on security, with considerable uncertainty whether this investment would be recovered through the resulting reduction of severity of incidents. The impact assessment notes that the UK Government’s policy is only to impose costs on business if they will be recovered twice over though this rule would not apply to transposing an EU Directive.

Discussions of the draft Directive are likely to continue at EU level into 2014, with a further consultation promised if the UK is required to implement it.