By Brian Davidson, CIPP/E
The UK Government's Department for Business, Innovation and Skills has held its call for evidence on the European Commission's proposed Directive on Network and Information Security (NIS). The directive, published on 7 February as part of the EU Cybersecurity Strategy, would make it compulsory to report security incidents that have a “significant impact” on the provision of core services.
The consultation, which launched on 22 May and closed on 21 June, asked organisations to submit evidence on their current arrangements for reporting security incidents: whether they apply a threshold for deciding when to report, whether they are subject to any regulatory or voluntary reporting policy, and details of any consequences experienced from past incidents. Organisations were also asked to consider how their compliance costs might change if the reporting threshold were to become the directive's “significant impact” criterion.
The directive would require e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services and application stores to notify incidents to the competent NIS authority. Industries that are “essential to the maintenance of vital economic or societal functions” would also be subject to the requirements, including electricity and gas, transport, credit institutions, stock exchanges and health.
Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.