Cybersecurity 2025

UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP

2.2 Critical Infrastructure Cybersecurity Requirements

OESs and RDSPs are required under the NIS Regulations to implement appropriate and proportionate technical and organisational measures to ensure a level of security appropriate to the risk posed.

RDSPs

For RDSPs, these requirements are supplemented by the Commission Implementing Regulation (EU) 2018/151 (the “DSP Regulation”). In summary, RDSPs must take account of the following.

• The security of systems and facilities – measures in this area should cover systematic management of network and information systems, physical and environmental security measures, security of supplies and access controls to systems.

• Incident handling – measures should include incident detection processes and procedures, processes and policies on incident reporting, incident response and incident assessment. See 2.3 Incident Response and Notification Obligations for further detail.

• Business continuity management – this is the capability to maintain or restore the delivery of services to acceptable predefined levels following a disruptive incident.

• Monitoring, auditing and testing – measures should establish and maintain policies and processes concerning the assessment, inspection and verification of systems.

• Compliance with international standards – measures are not specified by the DSP Regulation but, instead, the NIS Regulations refer to “standards” as: (a) standards adopted by an international standardisation body as specified in Regulation 1025/2012; and/or (b) any European, national, or internationally-accepted standards and specifications relevant to the security of networks and information systems.

The ICO notes that examples of appropriate standards may include ISO/IEC 27001 on information security management systems and ISO/IEC 22301 on business continuity management systems, as well as any other related standards.

OESs

OESs are subject to similar requirements as RDSPs in that they must also take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies, and are subject to guidance from the relevant competent authority (which, as noted in 1.3 Cybersecurity Regulations (NIS Regulations), is on a sector-specific basis).

2.3 Incident Response and Notification Obligations

Under the NIS Regulations, different incident reporting obligations apply to OESs and RDSPs respectively.

For OESs, cybersecurity event notification is required when any incident has a “significant impact” on the continuity of the essential service that the OES provides. Determining this requires a fact-specific analysis of the number of users affected by the disruption of the service, the duration of the incident, and the geographical area affected by the incident, as well as any other relevant guidance issued by their designated “competent authority”.

For RDSPs, notification is required where there will be a “substantial impact” on the provision of
