To help prepare an impact assessment on the potential effects in the UK of the proposed EU Directive on Network and Information Security (“NIS Directive”), the UK Government has launched a call for evidence to gather data. As we summarised in this post, if enacted in its current form, the NIS Directive will require companies in the energy, transport, financial services and health sectors, as well as a broad range of online companies, to implement mandatory security measures and report security incidents that have a significant impact to national authorities. UKG is particularly interested in the effects associated with the introduction of mandatory reporting of incidents with a ‘significant impact’, and the costs and benefits to organisations of being compliant with the proposed measures.
The UKG paper states that while the UK is supportive of the broad objectives of the Directive, it “will need to ensure that the proposals create the right incentives for the private sector to share information, best practice and good governance”. This focus is likely to welcomed by industry, and seems consistent with the UK’s preferred approach towards these issues, as illustrated by the Cyber-Security Information Sharing Partnership (CISP) that was launched in March. (CISP is a joint, collaborative initiative between industry and UKG that is designed to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat and reduce the impact upon UK business — see more about it here.)
The deadline for responding to the UKG call for evidence is 21 June 2013. The preference for submitting evidence is via the online response form.