Should SMEs worry about the NIS Directive? AKA, that other €20m fine

Forget the year of the dog, 2018 is the year of the €20 million/4% annual global revenue fine (whichever is greater). Or if you’re looking for a pun to bring your blood pressure down, it’s the year of British business owners doggedly trying to keep up with all the legislation the EU (and the UK government) keeps throwing at them.

Should SMEs be worried? For those of you who are pressed for time and aren't interested in the ins and outs of the NIS Directive, the short answer is: no. Unless you’re an operator of essential services like water, electricity, transport or health, or you’re a digital service provider running an online marketplace, a search engine or a cloud-computing service, you should be fine.

If you are one of these or you’re involved in the supply chain of one of these, then please, read on. Likewise, if you’re unsure or would like to dot all your I’s and cross all your T’s, read on. And finally, if you care about cyber-security and want to make sure your business is adhering to industry best practices, please, read on. 

What is it and am I really going to get fined €20 million or 4% of my global annual revenue? 

The European Security of Network and Information Systems (NIS) Directive is the European Union’s way of trying to bring all 28 member states in line with a cyber defence strategy that is workable, consistent and able to meet the challenges put forward by an increasingly volatile cyber world.

Whereas the General Data Protection Regulation (GDPR) focuses on a business’s use of employee and customer data, the NIS Directive looks at improving the network and information systems used by operators of essential services (OES) and digital service providers (DSP): the GDPR looks after you; the NIS Directive looks after the public services you use.

In order to make sure that OESs and DSPs comply with the NIS Directive, the UK government has implemented a GDPR-style penalty system. Lesser offences, such as failure to report an incident, will be met with a €10 million or 2% global annual revenue fine, while bigger offences, such as failing to implement appropriate security measures on critical infrastructure, will see OESs fined up to €20 million or 4% global annual revenue.

Unlike the GDPR, however, where organisations are expected to receive little to no mercy, the government has indicated that fines will only be handed out under the NIS Directive as a last resort, reserved for only the most severe of incidents or oversights.

Can I be hit with a GDPR and NIS Directive fine for the exact same incident? 

Full disclosure: you’re probably going to want to bring this up with legal, stat. However, so far there has been no indication that a fine under one will get you out of a fine under the other. That means that if you are an OES or DSP and you’re faced with an attack that leaves you exposed to both the GDPR and the NIS Directive, you could be facing upwards of €40 million in fines.

Thankfully, unlike the GDPR, the NIS Directive is a little more exclusive, meaning you have to meet certain requirements in order for you to be fined…yay?

As stated earlier, the NIS Directive focuses on operators of essential services (OES) and digital service providers (DSP). An OES is classified as an entity or organisation that provides an essential service that is critical to the running of societal or economic activities. In order to fall under the NIS Directive specifically, you also need to be an organisation whose service depends on network and information systems, meaning that if your systems were disrupted, that disruption would be the leading cause of broader disruption to society, the economy or both.

The UK government has identified the following as OES:

  • Water suppliers and distributors
  • Energy (oil and gas, as well as nuclear)
  • Digital infrastructure
  • Health
  • Transport

Likewise, not all DSPs immediately fit the NIS Directive’s bill. For starters, if you’re a DSP that has 50 employees or fewer and your annual turnover does not exceed €10 million, you are not liable to face any fines or meet any NIS Directive obligations; you’re also exempt from the NIS Directive if you’re an online retailer. Those DSPs that need to keep an eye out fall into three distinct categories:

  • Online marketplaces, for example Amazon, Etsy, Gumtree
  • Search engines: Google, Bing
  • Cloud service providers: businesses that offer infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS)

The NIS Directive doesn't apply to me, should I ignore it? 

Here’s the thing: over the past couple of years cybercrime has become one of the most serious threats facing businesses and nation states alike. All businesses are at risk, not just the big dogs. Yes, we might hear about the likes of Equifax, Yahoo or TalkTalk more often than we hear about the local high-street SME; however, as the National Cyber Security Centre points out, SMEs have a one-in-two chance of experiencing a cyber-security breach within any given year.

Given that SMEs make up around 99.9% of the UK’s private sector and cybercrime is the most prominent threat any UK business faces (much more so than traditional forms of crime), the only sensible thing for any SME to do is to think big when it comes to protecting their organisation from cyber threats.

Staying safe

I often sound like a broken record when it comes to this, but getting your business an IT managed services provider is the easiest and best thing you can do to make sure you’re as up to date and as safe as you can be when it comes to cyber-security. IT managed service providers – like Advantage – deal with cyber threats day in and day out. We have a team that is exclusively dedicated to keeping abreast of up-to-the-minute advances in malware, social engineering ploys, cloud security, data recovery best practices and security-by-design architecture.

A managed services provider is also able to conduct regular health checks on your IT infrastructure through security and data audits, and can quickly apply any patches required to make sure the software you’re running is as secure as it possibly can be. If you’re running software that is built on legacy systems or is no longer supported by the developer, a managed services provider has the additional benefit of either creating bespoke patches for that particular software or quickly upgrading your business to a software solution that is supported and safe to use.

The NIS Directive might not apply to your business, but remember, there’s always the GDPR

Yes, the NIS Directive might not apply to your SME. However, it’s important to keep in mind that ‘data protection by design’ is a key component of the GDPR, meaning that if your organisation is attacked and you are unable to prove you did everything within your power to prevent that attack – i.e. implement rigorous cyber-security practices – your business will be liable to receive the now famous €20 million or 4% global annual revenue fine. So, while your business might not be an operator of essential services, it is essential for your business to have a purposeful and pressure-tested cyber-security strategy.

If you’d like to find out more about how Advantage can help your business stay cyber-safe, contact us today.

Words by Camilo Lascano Tribin