The legislation applies the EU's Network and Information Security (NIS) Directive, and, in the UK, includes The Network and Information Systems Regulations 2018.
According to the European Commission, however, some EU countries have missed the 10 May deadline for transposing the Directive into national law.
The NIS Directive sets out measures designed to ensure critical IT systems in sectors such as banking, energy, health and transport are secure. It applies to operators of such "essential services" and to "digital service providers" (DSPs).
Under the Directive, it is up to each EU country to designate which organisations are 'operators of essential services' and in scope of the new laws, where set criteria and thresholds are met. EU member states have until 9 November to identify the operators of essential services subject to the new NIS regime.
Digital service providers (DSPs) – online marketplaces, online search engines or cloud computing service providers – are directly subject to the new rules, although micro and small businesses are exempt. The Directive defines DSPs as being online marketplaces, online search engines or cloud computing service providers that normally provide their service "for remuneration, at a distance, by electronic means and at the individual request of a recipient of services".
Both operators of essential services and digital service providers are subject to requirements under the new rules to keep their networks and information secure and to notify security incidents to "competent authorities" when they occur.
In the UK, the NIS Regulations contain a multi-tiered system of penalties that determine the maximum fine organisations could be issued with for breaching the new rules. In the most serious cases, where authorities determine that an incident has caused or could cause "an immediate threat to life or significant adverse impact on the United Kingdom economy" a fine of up to £17m could be imposed.
Government ministers and departments, and regulators such as Ofcom and the Information Commissioner's Office (ICO) are among the authorities responsible for overseeing compliance in the various sectors caught by the rules.
As Out-Law.com previously reported, firms operating in banking and financial markets infrastructure are not subject to the UK regulations implementing the Directive. This is because the UK government was able to rely on an exemption in the NIS Directive for those firms.
The UK government earlier this year explained how the NIS Directive will apply to digital service providers.
Specialist in cyber risk and regulation Philip Kemp of Pinsent Masons, the law firm behind Out-Law.com, recently said that while many organisations may be focused on complying with the new General Data Protection Regulation (GDPR), the new NIS rules also "demand attention".
"Crucially, the regulations do not have the data protection focus of the GDPR, instead adopting a broader purpose to seek to ensure appropriate protections to key infrastructure and services," Kemp said. "The practical effect is that the regulations may therefore apply to a broad range of incidents, and that it is not just events affecting personal data that must be prioritised and responded to swiftly."
"Given the potential fines and short time period in which notification is required, consideration of the application of the regulations must be a priority in the event of any security incident," he said.