With the increasing focus on data security and network resilience, data centre operators need to be aware of, and ready to comply with, new and strengthened cybersecurity obligations. We are witnessing a trend of increasing regulation in this area, with EU Member States now working on the transposition of the NIS2 Directive into their local laws (see our NIS2 Directive Implementation Tracker). The updated EU cybersecurity regime will apply from 18 October 2024 and has a direct impact on data centres. We provide a brief overview of the key elements and how to prepare for it. We also cover developments in the UK and the Kingdom of Saudi Arabia.
The key elements of the NIS2 regime (which strengthens and replaces the existing regime) are as follows:
Given Brexit, the UK is not required to implement the new NIS2 Directive and instead the old NIS regime as currently implemented in the UK under the Network and Information Systems Regulations 2018 remains in place.
This applies to:
Notwithstanding this, the UK is proposing to expand the scope of this cybersecurity regime to cover managed service providers (noting that telecoms services will remain subject to the separate telecoms security regime in the UK). However, the changes have not been adopted yet and we are awaiting implementing legislation.
To the extent that data centre operators provide services that are captured by the NIS regime (noting that cloud hosting services may be of particular relevance to data centre operators), it may be necessary to consider these cybersecurity requirements in the UK. Unlike NIS2 in the EU, there are no current plans to impose direct obligations on data centre operators as such.
Further, unlike the EU, where telecoms security will fall within the scope of the NIS regime, telecoms services in the UK will remain subject to separate telecoms security requirements. The UK has recently implemented a new, strengthened telecoms security framework. This may be directly relevant to data centre operators that also provide telecoms services, or indirectly relevant where managed services are provided to telecoms providers operating in the UK: those providers may expect their data centre providers to have relevant safeguards, measures, procedures and processes in place, may seek to flow down obligations into the relevant contracts so as to mitigate security risks, and may require them to complete supplier risk assessments.
While data centre specific regulation was issued by the Communications, Space and Technology Commission (CST) in August 2023, including specific requirements for Data Center Service Providers to address physical security, it made no reference to logical security. However, there is a significant body of existing cybersecurity specific provision in the Kingdom.
In June 2020, the Communications & Information Technology Commission (CITC) issued the Cybersecurity Regulatory Framework for Service Providers in the Information and Communication Technology Sector (the “CRF”). The CRF provides a comprehensive set of cybersecurity requirements to be implemented by Service Providers in the ICT sector. The CRF distinguishes between Service Providers classified as Critical National Infrastructure (CNI), which must comply with the Essential Cybersecurity Controls (ECC) issued by the National Cybersecurity Authority (NCA), and Service Providers not so classified, which must comply with the CRF.
The CRF sets out very detailed controls and requirements touching on Governance, Asset Management, Cybersecurity Risk Management, Logical Security, Physical Security and Third Party Security.
The ECC sets minimum cybersecurity requirements, presented as 114 cybersecurity controls, for national organisations within its scope: government organisations and their companies, and private sector organisations owning, operating or hosting Critical National Infrastructure. Critical national infrastructure is defined as “infrastructure whose loss or susceptibility to security violations may result in significant negative impact on the availability, integration or delivery of basic services or may have a significant impact on national security, national defence, the KSA economy or KSA national capabilities”.
The ECC are supported by the Critical Systems Cybersecurity Controls (CSCC), which focus on network segmentation, intrusion detection and the monitoring of critical systems. The CSCC apply to organisations operating critical systems, meaning systems or networks whose failure, unauthorised change to their operation, or unauthorised access to them or to the data they store or process may negatively affect the availability of the organisation’s business and services, or cause negative economic, financial, security or social impacts at the national level. Under the CSCC, a system is identified as critical where its failure would have a negative impact on national security; a negative impact on the Kingdom’s reputation and public image; significant financial losses (more than 0.01% of GDP); a negative impact on the services provided to a large number of users (i.e. more than 5% of the population); loss of life; unauthorised disclosure of data classified as Top Secret or Secret; or a negative impact on the operations of one or more vital sectors.
The Cloud Cybersecurity Controls (CCC) were implemented to secure cloud-based data and applications and are a set of controls addressing data encryption, identity and access management and compliance monitoring.
The Data Cybersecurity Controls include the encryption of sensitive data, access controls, data retention and the requirement for data audits.
Also of significant relevance is the Kingdom’s Personal Data Protection Law (PDPL), which came into force on 14 September 2023 to regulate the use of personal data in KSA, with a one-year period within which to achieve compliance. Accordingly, note in particular that full enforceability begins on 14 September 2024.
While this paper is not the place for a detailed explanation of the PDPL, it is worth noting that it requires the adoption of security measures, including the regular assessment of security controls; identifying and addressing vulnerabilities; assessing system security through penetration testing; continuous security monitoring; and third party risk management.
For more information, please contact Anthony Rosen, Simon Shooter, Dr. Natallia Karniyevich and Hayley Blyth.