The NIS Regulations 2018 (The Network and Information Systems Regulations) are derived from the NIS Directive (the EU Directive on security of network and information systems), and took effect on 10 May 2018.
What is the objective of the NIS Regulations?
The NIS Regulations aim to reduce the risk of disruption to critical services by requiring relevant organisations to protect their networks and information systems.
Who needs to comply with the Regulations?
The NIS Regulations are applicable to both critical infrastructure organisations (known as OES (operators of essential services)) and DSPs (digital service providers); the compliance requirements for each differ slightly.
Are you a DSP?
DSPs encompass online marketplaces, online search engines and cloud service providers that offer services to external bodies or customers. Note that Domain Name System (DNS) service providers that offer services only to their own employees, and not to customers, will not be in scope.
UK DSPs are required to self-identify and register with the Information Commissioner’s Office (ICO) by 1 November 2018. DSPs must be headquartered in the UK, or have appointed a UK representative.
DSPs that are ‘small’ or ‘micro enterprises’ – those with fewer than 50 staff and/or an annual turnover of less than €10 million – are exempt from the NIS Regulations’ requirements. This exemption only applies to individual organisations; those that are part of a larger group may need to consider staff headcount, turnover and balance sheet data from the whole group.
What should DSPs do next?
The NIS Regulations call for DSPs to take appropriate technical and organisational measures to secure their network and information systems and adopt a risk-based approach to managing them. There are also tough incident response and notification requirements, which are comparable to those mandated by the EU GDPR (General Data Protection Regulation).
Although the NIS Regulations are primarily aimed at mitigating cyber risk, they also mandate processes to manage risks caused by physical events, such as power surges, fire or floods, as these could also affect an organisation’s network and information systems. DSPs must ensure the availability, authenticity, integrity and confidentiality of data or related services at all times – even after a disruption.
The ICO will produce additional compliance guidance for UK DSPs, which will be consistent with the technical guidelines produced by ENISA (European Union Agency for Network and Information Security).
What are the key requirements?
As DSPs operate across borders, a uniform approach to their compliance is required. The European Commission’s Implementing Regulation outlines specific obligations for DSPs and reiterates the need for a risk-based approach.
DSPs must take into consideration:
- The security of systems and facilities;
- Incident handling;
- Business continuity management;
- Monitoring, auditing and testing; and
- Compliance with international standards.
Incident response requirements
DSPs must report all incidents to the ICO, which is their competent authority, within 72 hours of becoming aware of them. Incident reporting thresholds have been set out in the Implementing Regulation, and are therefore at a common level across the EU.
Unlike OES, DSPs will not generally be required to undergo audits to prove their compliance. However, DSPs may be subject to investigations to determine non-compliance following an incident, and could face penalties of up to £17 million.
The UK government stated that the ICO is likely to levy an annual fee on DSPs, in addition to “recovering direct costs involved in any regulatory investigations”. The current government consultation document states that the exact fee has not yet been determined, but will be published by the ICO once this has been decided.
Start your compliance project today
It is now UK law to comply with the NIS Regulations, and companies that fall within their scope must start assessing their current cyber security arrangements against the Regulations’ requirements.