The EU Directive on security of network and information systems is required to be transposed into UK law by 9 May 2018. The domestic law, in force from 10 May 2018, will be known as the ‘NIS Regulations’.
What is the objective of the NIS Regulations?
The NIS Regulations aim to reduce the risk of disruption to critical services by requiring relevant organisations to protect their networks and information systems.
Who needs to comply with the Regulations?
The NIS Regulations will be applicable to both critical infrastructure organisations (known as operators of essential services (OES)) and digital service providers (DSPs); the compliance requirements for each differ slightly.
Are you a DSP?
DSPs encompass online marketplaces, online search engines and Cloud service providers that offer services to external bodies or customers. Note that Domain Name System (DNS) service providers that offer services to employees but not to customers will not be in scope.
DSPs in the UK will be required to self-identify and register at the Information Commissioner’s Office (ICO). The ICO is expected to announce a time frame for these registrations in due course.
DSPs that are ‘small’ or ‘micro enterprises’ – those with fewer than 50 staff and/or an annual turnover of less than €10 million – are exempt from the NIS Regulations’ requirements. This exemption only applies to individual organisations; those that are part of a larger group may need to consider staff headcount, turnover and balance sheet data from the whole group.
If you are a DSP, what should you do next?
The NIS Regulations call for DSPs to take appropriate technical and organisational measures to secure their network and information systems and adopt a risk-based approach to managing them. There are also tough incident response and notification requirements, which are comparable to those mandated by the EU General Data Protection Regulation (GDPR).
Although the NIS Regulations are primarily aimed at mitigating cyber risk, they also mandate processes to manage risks caused by physical events, such as power surges, fire or floods, as these could also affect an organisation’s network and information systems. DSPs must ensure the availability, authenticity, integrity and confidentiality of data or related services at all times – even after a disruption.
The ICO will produce additional compliance guidance for DSPs, which will be consistent with the guidelines produced by the European Union Agency for Network and Information Security (ENISA), which other EU member states have already taken into account.
Incident response requirements
DSPs must report all incidents to the ICO, which is their competent authority, within 72 hours of becoming aware of them. Incident reporting thresholds have been set out in the European Commission’s Implementing Regulation, and are therefore at a common level across the EU.
Unlike OES, DSPs will not generally be required to prove or certify their compliance. However, DSPs may be subject to investigations to determine non-compliance with the NIS Regulations following an incident, and could face penalties of up to £17 million.
The UK government has stated that the ICO is likely to levy an annual fee on DSPs, in addition to “recovering direct costs involved in any regulatory investigations”. The current government consultation document states that the exact fee has not been determined yet, but will be published by the ICO once this has been decided.
To find out how to get started with the NIS Directive (NIS Regulations), download our updated and comprehensive UK Compliance Guide now.