The Network & Information Systems Regulation - Now in Force
Whilst there was much understandable focus and concern about the GDPR, the implementation in May 2018 of the Network and Information Systems Directive (‘NIS’) arguably introduces even more onerous obligations, not only on national governments and designated public sector bodies but also on designated private sector enterprises, including ‘Operators of Essential Services’ (‘OES’) and ‘Digital Service Providers’ (‘DSPs’).
Those affected by the NIS need sufficient and adequate security measures, processes and documented procedures to demonstrate to their particular Competent Authority regulator that they are - and remain at all times - in the best position to ensure continuity of service, and that they have the ability to identify and deal expeditiously with any ‘cyber incident’, such as hacking, ransomware, denial of service attacks, and physical problems such as data centre power outages, floods or lightning strikes.
The NIS is not limited to personal data: being GDPR compliant is in itself most unlikely to ensure NIS compliance. Non-compliance, even where there has been no ‘cyber incident’, could lead to severe fines in line with the GDPR. There are also mandatory reporting requirements.
What You Will Learn
This course will cover the following:
- An account of the underlying Network and Information Systems Directive
- How the UK implemented the Directive: the Network and Information Systems Regulations 2018. Are there any major differences between the Directive and its UK implementation?
- Identification of, and threshold requirements for, ‘Operators of Essential Services’: the affected public and private sectors, including energy, transport, banking, credit providers, other financial institutions, healthcare services, water supplies and digital infrastructure providers. An overview of the relevant Competent Authorities (‘CA’)
- Identification of, and any threshold requirements for, Digital Service Providers, including cloud providers and online marketplaces. Is there a regulatory role for the Information Commissioner in respect of DSPs? Micro and small DSP entities: do they fall within the NIS?
- The vexed issue of who in practice might be a cloud provider. What might a ‘scalable and elastic pool of shareable computing resources’ mean in practice? When might SaaS, IaaS and PaaS providers be classified as ‘cloud providers’ under the NIS?
- The NIS designated bodies
- The vital need to keep abreast of, and act on, warnings issued
- Responding to a cyber incident: the sorts of cyber incidents that are, or are likely to be, notifiable
- Liability, enforcement and the ability to impose severe penalties and fines
9:30am - 5:15pm
Please let us know if you wish to be notified when new dates are added for this programme