The NIS (Network and Information Systems) Regulations 2018 apply to two main groups: DSPs and OES (operators of essential services) in the UK.
DSPs provide a digital service in the UK and, for the purposes of the NIS Regulations, are either headquartered in the UK or have nominated a UK-based representative.
‘Micro and small enterprises’ – organisations that employ fewer than 50 people and have an annual turnover and/or a balance sheet total of less than €10 million (around £8.7 million) – are outside the Regulations’ scope.
DSPs have lighter security requirements than OES because of the lower risk they typically present to society as a whole if their service is disrupted. Their compliance with the Regulations is not actively monitored by their regulator, the ICO (Information Commissioner’s Office).
What is a DSP?
Organisations must determine for themselves whether they are a DSP and therefore subject to the Regulations’ security and notification requirements. They must then register with the ICO within three months of meeting the definition.
They should also contact the ICO if they are unsure about whether or not they are considered a DSP under the NIS Regulations.
The Regulations list the following as digital services:
- Online search engines
Provide “a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found”.
- Online marketplaces
Provide “a digital service that allows consumers and/or traders [...] to conclude online sales or service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace”.
- Cloud computing services
Provide “a digital service that enables access to a scalable and elastic pool of shareable computing resources”.
Compliance requirements for DSPs
Both the Regulations and the ICO require DSPs to take technical and organisational measures appropriate to the risk to both secure their systems and ensure the availability of their service.
DSPs must also take note of the EU-wide Implementing Regulation, which sets out more specific obligations.
When mitigating identified risks, DSPs must take into consideration:
- The security of systems and facilities;
- Incident handling;
- Business continuity management;
- Monitoring, auditing and testing; and
DSPs are also expected to establish appropriate policies.
Alongside the Implementing Regulation, ENISA (European Union Agency for Network and Information Security) has provided Technical Guidelines for the implementation of minimum security measures for Digital Service Providers, which describes 27 security objectives.
An effective way for DSPs to meet their compliance requirements is to implement a cyber resilience programme that encompasses information security and business continuity measures, as well as establish incident response measures.
- Compliance with international standards.
Incident reporting measures under the NIS Regulations
Comparable to the EU GDPR (General Data Protection Regulation), organisations must report incidents of significant impact to the ICO within 72 hours of becoming aware of them.
The Implementing Regulation outlines the metrics that DSPs must use to assess whether an incident is considered ‘significant’, and that the DSP is responsible for determining this. Incidents are reportable if they involve any of the following:
- Service unavailability for more than 5 million user hours in the EU.
- The loss of confidentiality, integrity, availability or authenticity of data accessed over networks or information systems, affecting more than 100,000 users in the EU.
- The incident creates a risk to public safety, public security or loss of life.
- The material damage to at least one user in the EU exceeds €1 million (about £870,000).
Consequences of non-compliance with the NIS Regulations
The NIS Regulations set four levels of fines for contraventions:
- Up to £1 million for any contravention that could not cause a NIS incident.
- Up to £3.4 million for a material contravention that has caused, or could cause, an incident resulting in a reduction of service for a significant period of time.
- Up to £8.5 million for a material contravention that has caused, or could cause, an incident resulting in a disruption of service for a significant period of time.
- Up to £17 million for a material contravention that has caused, or could cause, an incident resulting in an immediate threat to life or significant adverse impact on the UK economy.
The level of fine will be assessed by the ICO, and will vary depending on the DSP’s level of compliance and the severity of the incident.
Organisations that fail to comply may also face other consequences, such as revenue loss and long-term reputational effects.
Download our free infographic to find out more about DSP compliance requirements >>
The role of the ICO
The ICO, which is also responsible for regulating compliance with the GDPR and DPA (Data Protection Act) 2018 in the UK, is the competent authority for UK DSPs, and monitors how they comply with the NIS Regulations’ requirements.
The ICO has listed various ways in which it will enforce the Regulations:
- Notices for requests of certain information.
- Enforcement notices that instruct an organisation on what steps/actions to take or not to take.
- Issue financial penalties for non-compliance.
- Carry out audits itself, nominate a third party to carry out the audit or request the DSP arrange one.
The ICO is only expected to act if a DSP is suspected of non-compliance with the Regulations; for instance, after a disruptive incident has occurred.
A cyber resilience programme combining information security management, incident response and business continuity management can enable an organisation to identify and avoid being heavily impacted by disruptions.
Implementing a cyber resilience programme aligned to international standards is an effective way for DSPs to comply; the NIS Regulations and Implementing Regulation also say that DSPs must take “compliance with international standards” into account when implementing appropriate measures.
To ensure that your cyber resilience programme is robust and in line with international best practice, we recommend basing your project on the following:
- ISO 27001 – information security management
- ISO 27035 – information security incident response
- ISO 22301 – business continuity management