On 10 October 2017, the Information Commissioner published a response to the European Commission’s consultation on a draft Implementing Regulation pursuant to Article 16(8) of the NIS Directive ((EU) 2016/1148) on digital service providers (DSPs) and network security. In this response, the Information Commissioner recognised the imperative of ensuring the security of network and information systems and the essential and business services they support, and considered that her office possesses experience which may be valuable in regulating the security of certain data processing systems and in particular the activities of DSPs.

The Information Commissioner resolved that “setting overly rigid parameters for the determination of an impact that is substantial (in accordance with Article 16(4) of the Directive), may be undesirable and might lead to a failure to report incidents which nevertheless have a substantial impact on the users of the service and which should, be considered for regulatory action.”