Introduction to the NIS Regulations
The Network and Information Systems Regulations 2018 (“NIS Regulations”) rather quietly came into force in UK law on 10 May 2018, overshadowed by all the attention given to the General Data Protection Regulation (“GDPR”). However, for some organisations who must comply with both, paying attention to one and not the other carries risk. Both pieces of legislation carry hefty and independent penalties for non-compliance.
The NIS Regulations are part of the Government’s National Cyber Security Strategy and are the UK implementing legislation for the EU Network and Information Systems Directive. Whilst the more widely known GDPR concerns the handling of personal data, the NIS Regulations’ concerns are much wider: ensuring system security, protecting digital data (which may include personal data) and ensuring business continuity. Their primary function is to protect the integrity of information used for essential services, provide mechanisms for sharing information between member states, and put in place competent authorities and a Cyber Security Incident Response Team to oversee this.
For any organisations affected by the NIS Regulations, these can and should be a wake-up call to consider information and network security measures. It is worth noting that penalties under the NIS Regulations can be just as high: the most serious penalty is up to £17 million for the most material contravention, and it can be issued in parallel with any relevant fines under the GDPR.
Who do the NIS Regulations apply to?
The NIS regulations apply to two types of organisations: operators of essential services (OES); and relevant digital service providers (RDSPs).
Operators of Essential Services
OESs are organisations which operate what is considered to be critical infrastructure for the UK. The list includes organisations operating in the following sub-sectors: electricity; oil; gas; air transport; water transport; rail transport; road transport; healthcare; the supply and distribution of drinking water; and digital infrastructure. Schedule 2 of the NIS Regulations sets out the exact requirements to be considered an OES. However, they generally have thresholds relating to customer numbers or geographical range (the exception being digital infrastructure services).
The duty imposed on an OES is to:
- take appropriate and proportionate technical and organisational measures to manage risks and prevent and minimise the impact of incidents affecting network security;
- have regard to state of the art (security guidance and practices); and
- have regard to relevant guidance issued by the relevant competent authority.
Each OES sub-sector has its own designated competent authority. OESs must also take account of guidance from the National Cyber Security Centre (“NCSC”).
Relevant Digital Service Providers
RDSPs have similar duties imposed by the NIS Regulations as OESs, in the sense that they have to “identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies to provide… services”. These include the following security requirements:
- ensure a level of security (having regard to state of the art);
- prevent and minimise the impact of incidents; and
- take into account the following: (i) the security of systems and facilities; (ii) incident handling; (iii) business continuity management; (iv) monitoring, auditing and testing; and (v) compliance with international standards.
In the event of an incident, the RDSP primarily reports to the Information Commissioner as its competent authority.
RDSPs are organisations which:
- have a head office in the UK, or have nominated a representative in the UK;
- have more than 50 staff and a turnover or balance sheet of more than €10 million; and
- provide one or more of the following services:
An online marketplace
This is described as: “a digital service that allows consumers and/or traders […] to conclude online sales or service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace” (Regulation 1 of the NIS Regulations).
For the avoidance of doubt, this does not include sites that redirect users to another site to conclude the sale, the use of classified ads, or where online retailers only sell to consumers on behalf of themselves.
An online search engine
A search engine must be able to search a range of websites based on keywords, a phrase or another input. Providing an online search engine does not include using another web search operator’s function on your website (for example, including a Google search bar on the site). It also does not include searching internally within the website.
A cloud computing service
This includes standard cloud computing models such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS), as well as hybrid models. The key test here (from the Information Commissioner) is whether the service ‘enables access to a scalable and elastic pool of shareable computing resources’.
Organisations which are RDSPs within the NIS Regulations should have registered with the Information Commissioner by 1 November 2018. However, given how little publicity the NIS Regulations received, it is possible that many organisations may have missed this deadline. Nevertheless, it would be advisable to register as soon as possible to try to avoid penalties for lack of registration.
For many that rely on business continuity for essential and/or digital services, this is a welcome piece of legislation to ensure cyber security standards are met and to protect business continuity in the age of the internet. It’s too bad that this doesn’t apply to giants such as Google or Microsoft’s Bing search engine because they don’t have a head office in the UK or a qualifying UK office.
For organisations which are affected by the NIS Regulations, this shouldn’t impose further obligations far beyond what is considered good cyber security practice. The NIS Regulations have also prompted a range of useful accompanying guidance from the Information Commissioner and the NCSC.