On August 8, the UK’s Department for Digital, Culture, Media & Sport (DCMS) published a consultation paper (CP) on implementing the EU’s Network and Information Security Directive (NIS Directive) (also known as the Cybersecurity Directive).

The DCMS explains that the NIS Directive will compel essential service operators to make sure they are taking the necessary action to protect their IT systems. In particular, operators will be required to develop a strategy and policies to understand and manage their risk, to implement security measures to prevent attacks or system failures, to report incidents as soon as they happen, and to have systems in place to ensure they can recover quickly after any event.
The CMS states that, in line with Article 1(7) of the NIS Directive, the banking and financial market infrastructures (FMIs) within the Directive’s scope will be exempt from aspects of the NIS Directive “where provisions at least equivalent to those specified in the [NIS] Directive will already exist by the time the [NIS] Directive comes into force.” It goes on to state that firms and FMIs within scope must continue to comply with the requirements and standards set by the Bank of England and the Financial Conduct Authority (FCA). (For more information on the FCA’s cyber resilience initiative, please see the June 23 Corporate Financial Weekly Digest).

As a result, as part of the consultation process, the DCMS is not carrying out the identification process for operators of essential services in the banking and FMI sectors, and competent authorities for these sectors are not being formally identified under the Directive.

The CP is available here.