atw Vol. 63 (2018) | Issue 11/12 ı November/December

Department for Business, Energy & Industrial Strategy / Health & Safety Executive
E-Mail: nis.cyber.incident@hse.gov.uk
Department of Finance Northern Ireland
E-Mail: nis.ca@finance-ni.gov.uk
By 6 November 2018 the Department for Business, Energy and Industrial Strategy gave the following implementation update:

For the energy sector in England, Wales and Scotland, BEIS shares Competent Authority responsibilities with Ofgem and HSE. In the downstream gas and electricity sector Ofgem delivers the compliance functions under a Memorandum of Understanding with BEIS. In the oil and upstream gas sector the compliance functions will be carried out by HSE under an Agency Agreement with BEIS. Both HSE and Ofgem have been engaging closely with NCSC, the BEIS NIS regulatory policy function, and with industry in order to develop further sector-specific guidance. This guidance will tailor the CAF to the needs of the energy sub-sectors and will provide further information about the steps that Operators of Essential Services (OES) should take in order to identify their levels of cyber security, commence the improvement journey to address and manage cyber security risks, and be compliant with the NIS regulations.

In the view of the Department for Business, Energy & Industrial Strategy, operators will need time to adjust to the new framework. They expect operators to undertake a robust but realistic CAF self-assessment supported by evidence. In the first year, they do not expect to take enforcement action on the basis of the operator's CAF self-assessment and recognise that development and improvement will likely be needed, having taken a risk-based approach.
Key dates for the future are as follows:
• 31 October 2018: CAF version 2 was published on the NCSC website.
• End November 2018: publication of HSE operational guidance for the oil sector.
• End November 2018: publication of Ofgem Cyber Security Practices guidance for the electricity and gas sector, to be available on the Ofgem website.
• November 2018: DCMS returns the notification of the number of OES in scope of the regulations to the European Commission, and BEIS provides a list of OES to GCHQ.
• Late November / mid-December 2018: sub-sector events to be held with OES. HSE will launch its operational guidance and provide surgeries to launch the sub-sector CAF self-assessments on 21 November. Ofgem will focus on sub-sector workshops between 10 and 11 December. Invitations will be issued to OES.
• From Q2 2019, or potentially earlier depending on the CA: Competent Authorities will review the self-assessment evidence and improvement plans, and establish a rolling programme of inspections or third-party assessments/validations of the OES' own self-assessments. Please refer to detailed guidance from Ofgem or HSE for further details on how and when you should return your self-assessment.
Sanctions:
Financial penalties will only be levelled as a last resort, where it is assessed that appropriate risk mitigation measures were not in place without good reason. In addition, the maximum penalties should be reserved for the most severe cases, and it is expected that mitigating factors (including steps taken to comply with the NIS Directive and actions taken to remedy any consequences) and sector-specific factors will be taken into account by the competent authority when deciding the appropriate regulatory response.

In the event of any enforcement action by the competent authority, it will notify the operator of the impending action, allow the operator an opportunity to make representations, and confirm the final decision and reasoning of the competent authority.
NIS Implementation in the Netherlands
The status of transposition is: In progress
Implementation act is the Security Network- and Information Systems Act, 29 May 2018
The national strategy on the security of network and information systems is available at: https://www.nctv.nl/ncsa/index.aspx
Single point of contact is:
National Cyber Security Centre (NCSC)
E-Mail: info@ncsc.nl
According to https://ec.europa.eu/digital-single-market/en/implementation-nis-directive-netherlands, a National Computer Security Incident Response Team (CSIRT) has to be determined, although the Government has declared that the Minister of Economic Affairs and Climate Policy is responsible for the energy infrastructure.
OES are obliged to notify immediately the following events:
1. Incidents with significant consequences for the continuity of the essential service;
2. Breaches of the security of network and information systems which may have significant consequences for the continuity of the essential service.
Sanctions:
There are 3 types of sanctions defined so far:
1. Up to EUR 5 million for any breach of the draft implementation act by essential service operators;
2. A maximum of EUR 1 million for failing to cooperate with a request for further information from the National Cyber Security Centre; and
3. A maximum fine of EUR 1 million for failure to adequately cooperate with supervisory authorities exercising their competencies.
Compared to other countries, at the moment the Netherlands has the highest sanctions but the lowest level of clearly defined obligations.
NIS Implementation in Hungary
The status of transposition is: Partial transposition
Implementation acts are:
Act 134 of 2017 on modifying certain interior related tasks and corresponding laws
Government Decree 394/2017 (XII.13) on modifying government decrees related to Act 134 of 2017 on modifying certain interior related tasks and corresponding laws
Hungary has also identified the following sectors: energy, transportation, health, finance, info-communication technologies, water.
The national strategy on the security of network and information systems is (officially) not yet adopted.
Single Point of contact is:
National Cyber Security Centre (NCSC)
Dózsa György út 86/B Budapest H-1068
E-Mail: spoc@govcert.hu
Phone: +36 206 9320
National competent authority for all OES sectors is:
National Directorate General for Disaster Management
E-Mail: kikfo@katved.gov.hu
Phone: +36 208 200 548
Contact Hours: 08:00 – 16:00
The National Computer Security Incident Response Team (CSIRT) is the same as the single point of contact.
Operators of essential services must immediately report extraordinary incidents to the Directorate and to other competent authorities as defined by Hungarian laws and regulations.
Energy Policy, Economy and Law | 583
Development on NIS Directive in Different EU Countries in the Energy Sector ı Stefan Loubichi