Digital service providers and the NIS Regulations
The Network and Information Systems Regulations 2018 (NIS Regulations) came into force on 10 May 2018.
The NIS Regulations, derived from the EU Directive on security of network and information systems (NIS Directive), apply to two main groups: digital service providers (DSPs) and operators of essential services (OES). The DSPs within the scope of the NIS Regulations are those that offer their services within the EU, and are headquartered in the UK or have nominated a UK-based representative.
DSPs have lighter security requirements than OES, due to the typically lower risk they present if there is a failure in service continuity. As such, their compliance will not be actively monitored by their regulator, the Information Commissioner’s Office (ICO).
What is a digital service provider?
The NIS Regulations list the following categories of DSP (NIS Regulations 2018, s. 1(2)):
Defined by the government as “a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found”.
Defined by the government as “a digital service that enables access to a scalable and elastic pool of shareable computing resources”.
Defined by the government as “a digital service that allows consumers and/or traders [as defined in Directive 2013/11/EU] to conclude online sales or service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace”.
Are you required to comply with the NIS Regulations?
If you are a DSP, you will need to register with the ICO, the ‘competent authority’ for DSPs, by 1 November 2018.
The NIS Regulations do not apply to DSPs deemed a “small or micro enterprise” – organisations that employ fewer than 50 people and have an annual turnover and/or a balance sheet total of less than €10 million (around £8.8 million).
Consequences for non-compliance with the NIS Regulations
Each member state has set its own rules on financial penalties. In the UK, DSPs that are found to be non-compliant following an incident may be fined up to £17 million, excluding the costs of investigations to determine the cause of the incident. The level of fine will be assessed by the competent authority, and will vary depending on the level of compliance and severity of incident.
Organisations that fail to comply also put their organisation at risk of other consequences, such as revenue loss and long-term reputational effects.
Compliance requirements for DSPs
The Guide to NIS, published by the ICO, stipulates that DSPs are “required to take appropriate and proportionate technical and organisational measures to manage the risks to your systems [and] must also prevent and minimise the impact of incidents that affect [their] systems so that the continuity of [their] service is not affected”. The Guide also refers to the more “specific obligations” set out by the EU-wide Implementing Regulation, which provides further clarity for DSPs on how they will be expected to comply.
The Implementing Regulation reiterates the need for a risk-based approach to ensure that DSPs properly address risks when implementing their compliance project. As such, DSPs should “perform assessment and analysis procedures” for associated risks.
When mitigating identified risks in line with the requirements of the NIS Regulations, DSPs should take into consideration:
- The security of systems and facilities;
- Incident handling;
- Business continuity management;
- Monitoring, auditing and testing; and
- Compliance with international standards.
DSPs are expected to establish appropriate policies on matters such as:
- Human resources and the security of operation;
- The security architecture – particularly the segregation of networks and systems;
- The security of supplies; and
- Incident and weakness/vulnerability reporting.
The Implementing Regulation also highlights that DSPs are required to assess their physical and environmental security for risks such as natural disasters, and take this into consideration when executing their compliance project.
The most effective way for DSPs to meet compliance requirements is to implement a cyber resilience programme that encompasses effective information security and business continuity measures, as well as establish incident response measures.
Incident reporting measures under the NIS Regulations
In line with the EU’s General Data Protection Regulation (GDPR), organisations must report incidents that have a significant impact on their services to the ICO within 72 hours of becoming aware of the fact.
The Implementing Regulation outlines the metrics that DSPs must use to assess the scale of an incident, and DSPs are responsible for this assessment. DSPs must report incidents to the ICO if they involve:
- Service unavailability for over 5 million user hours in the Union;
- The loss of confidentiality, integrity, availability or authenticity of data accessed over networks or information systems, affecting over 100,000 users in the Union;
- The incident creates a risk to public safety, public security or loss of life; or
- The material damage to at least one user in the Union exceeds €1 million.
The role of the Information Commissioner’s Office
The ICO, which is also responsible for regulating compliance with the GDPR in the UK, has been assigned the competent authority for DSPs in the UK, and will monitor how DSPs comply with the requirements of the NIS Regulations.
DSPs must register with the ICO by 1 November 2018, and the ICO has listed various ways in which it will enforce the NIS Regulations:
- Notices for requests of certain information
- Enforcement notices that instruct an organisation on what steps/actions to take or not to take
- Issue financial penalties for issues of non-compliance
- Carry out audits themselves, nominate a third party to carry out the audit or request the DSP arrange one
The ICO is only expected to take action if a DSP is suspected of non-compliance with the requirements of the NIS Regulations; for instance, after a disruptive incident has occurred.
The NIS Regulations names the Government Communications Headquarters (GCHQ) as the the computer security incident response team (CSIRT) and the ‘single point of contact’ that coordinates responses and data sharing under the Directive’s requirements. The National Cyber Security Centre (NCSC) is part of GCHQ, and will be operating in both roles.
A cyber resilience programme combining information security management, incident response and business continuity management can enable an organisation to identify and avoid being heavily impacted by disruptions.
Implementing a cyber resilience programme aligned to international standards is the most effective way for DSPs to comply with the requirements of the NIS Regulations; the Implementing Regulation also recommends using international standards for guidance.
To ensure that your cyber resilience programme is robust and in line with international best practice, we recommend basing your project on the following:
- ISO 27001 – Information security management
- ISO 27035 – Information security incident response
- ISO 22301 – Business continuity management
How IT Governance can help you achieve compliance with the NIS Regulations
- We deliver the entire suite of consultancy, training and tools needed for NIS Regulations compliance.
- Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for NIS Regulations compliance and manage the project from start to finish.
- As part of our work with organisations in all industries, we have managed hundreds of projects around the world.
- We have multi-disciplinary teams that can perform rigorous penetration testing of your systems and networks, project managers to roll out compliance projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
- We deliver practical advice and work according to your budget and organisational needs. No organisation or project is ever too big or small.
- We offer clear and transparent pricing.
Speak to a NIS Regulations expert
Please contact our NIS Regulations team for advice and guidance on our products and services.