Cyber Security Practitioner
Back to Contents

Volume: 3 Issue: 8
(August 2017)

uk proposes designating multiple sector-based nis competent authorities uks department digital culture media sport (‘dcms minister state digital


Share This Page

UK proposes designating multiple sector-based NIS competent authorities

The UK’s Department for Digital, Culture, Media & Sport (‘DCMS’) and the Minister of State for Digital Matt Hancock MP launched on 8 August 2017 a consultation on the Government’s plans to transpose the Network and Information Systems Directive (‘NIS Directive’) into UK law. The Government’s plans include the proposal to designate multiple sector-based competent authorities to oversee and enforce cyber security compliance, which goes beyond the NIS Directive’s requirement that EU Member States nominate at least one competent authority.

The consultation states that sector-specific regulators would ‘provide greater understanding of wider resilience issues and procedures for their individual sectors,’ and that the UK’s National Cyber Security Centre which became operational in October 2016 would be a ‘significant’ advisor to those competent authorities. Andrew Parsons, Partner at Bond Dickinson, is concerned that the Government’s proposal to nominate multiple sector-specific authorities runs the risk of inconsistent approaches. “Competent authorities might set different thresholds for enforcement action, which would affect the standards that bodies have to meet,” explains Parsons. “It could also give rise to possible overlaps between the NIS Directive and the General Data Protection Regulation, both of which regulate certain aspects of cyber security, but would then be enforced by different regulators.”

The NIS Directive will impose network and information security requirements on operators of essential services and digital service providers, with each Member State being responsible for identifying the operators of essential services that will be subject to the Directive. In Annex 1 of the consultation, the Government proposes a list of operators of essential services and identification thresholds that are intended to ensure that only the most important operators fall within the scope of the Directive, rather than whole sectors.

William Richmond-Coggan, Partner at Pitmans, believes that there are a number of troubling areas of vagueness within the consultation which would cause difficulties with regulatory compliance if they are not clarified prior to implementation of the Directive. “There is a disappointing lack of clarity about what will amount to an acceptable level of cyber security,” explains Richmond-Coggan. “I think that what will be needed is something equivalent to the Cyber Essentials Scheme, but operating at a far more stringent level, so that operators of essential services can have clarity that if they adhere to a set of standards they will be regarded as having done what is reasonable to guard against cyber threat.”

The consultation closes on 30 September 2017, after which the Government intends to publish a formal response within 10 weeks.

Search Publication Archives

Our publication archives contain all of our articles.
Can’t find what you are looking for?
Try an Advanced Search

Log in to cyber security practitioner
Subscribe to cyber security practitioner
Register for a Free Trial to cyber security practitioner
cyber security practitioner Pricing

Social Media

Follow cyber security practitioner on TwitterView cyber security practitioner LinkedIn Profilecyber security practitioner RSS Feed