Introduction
Background
Key amendments


Introduction

The Network and Information Systems (EU Exit) (Amendment) Regulations 2021 were made on 15 December 2021 and came into force on 12 January 2022.

The new regulations address EU-exit related deficiencies in the retained EU legislation regulating the security of network and information systems of core UK service providers. The deficiencies mainly concern the parameters that determine when digital service providers must report cyber incidents: retained EU law sets those parameters at levels appropriate for the European Union as a whole, but not for the United Kingdom now that it is outside the European Union.

The instrument also makes minor textual adjustments to the security requirements of digital service providers to reflect the United Kingdom's position outside of the European Union.

Background

Currently, under the Network and Information Systems Regulations 2018 (the NIS Regulations), which implement the NIS Directive,(1) digital service providers are obliged to notify the information commissioner of incidents that have a "substantial" impact on their ability to deliver services.

The NIS EU Commission Implementing Regulation (the NIS EU Implementing Regulation)(2) supplements the NIS Regulations by, among other things, setting out the parameters that digital service providers must consider when determining whether an incident has had a substantial impact on the provision of their services. The parameters were set out in this way, rather than in guidance issued by the competent authority, because digital service providers operate across multiple member states and so need to be regulated on an EU-wide basis by a single member state (the one in which the digital service provider has its main establishment).

When the United Kingdom left the European Union, both the UK laws implementing EU directives and the EU regulations that had been directly effective in the United Kingdom (including, respectively, the NIS Regulations and the NIS EU Implementing Regulation) were preserved as "retained EU law" by virtue of the EU (Withdrawal) Act 2018 (EUWA). The EUWA also gave ministers the power to amend retained EU law to prevent, remedy or mitigate any failure of such law to operate effectively in the United Kingdom.

Key amendments

The new 2021 regulations amend the NIS EU Implementing Regulation to reflect the fact that the United Kingdom is no longer part of the European Union. The amendments are needed because the reporting thresholds under the NIS EU Implementing Regulation are set by reference to the number of users across the European Union affected by an incident, which is generally too high to be reached by an incident confined to the United Kingdom. As a result, the competent authority for digital service providers, the information commissioner, is not made aware of cyber incidents that have disrupted the services provided by digital service providers in the United Kingdom.

The main correction is the removal of article 4 of the NIS EU Implementing Regulation, which contains the defective reporting thresholds. Going forward, the thresholds will be set by the information commissioner in guidance. Provision has been added at regulation 12 of the NIS Regulations to ensure that digital service providers have regard to the information commissioner's guidance (which will be issued under existing powers at regulation 3(4) of the NIS Regulations) when determining whether to report an incident. There is no express duty on the information commissioner to issue guidance on reporting thresholds, but the information commissioner has confirmed that it will do so and that such guidance will be in place when article 4 is revoked. The legislation would nonetheless operate without guidance in place, although digital service providers would then have less detail to help them determine when an incident has a "substantial" impact.

A textual amendment has also been made to article 3 of the NIS EU Implementing Regulation, which means digital service providers must consider the geographical impact of an incident across the United Kingdom rather than across EU member states.

The making of the new regulations follows consultation processes run by the government and by the Information Commissioner's Office.

For further information on this topic please contact Alan Owens at Wiggin by telephone (+44 20 7612 9612) or email ([email protected]). The Wiggin website can be accessed at www.wiggin.co.uk.

Endnotes

(1) Directive (EU) 2016/1148.

(2) Commission Implementing Regulation (EU) 2018/151.