The Information Commissioner, Ms Elizabeth Denham, has published her comments on the European Commission’s consultation on the draft implementing regulation (“Implementing Regulation”) of the Network and Information Security Directive ((EU) 2016/1148) (“NIS Directive”).

The Implementing Regulation sets out the further elements that need to be taken into account by digital service providers (“DSPs”) under the NIS Directive for managing the risks posed to the security of their network and IT systems from cybersecurity threats, and sets out further parameters to determine whether an incident has a ‘substantial impact’ on their service.

While the Information Commissioner recognises the need to increase security of essential services, she cautioned against the ‘setting [of] overly rigid parameters for the determination of an impact which is substantial’, as this may be undesirable and ‘could lead to a failure to report incidents’.

Background

The Information Commissioner published her comments on the basis that it is proposed that the ICO will be the competent national authority in the United Kingdom for the regulation of DSPs under the NIS Directive. DSPs are:

  • Cloud service providers
  • Online market places
  • Search engines

The NIS Directive details some of the factors which must be considered when assessing whether a breach has had a ‘substantial impact’. The Implementing Regulation expands on these factors and also provides specific parameters for when a notification will be required (e.g., if the incident caused material damage to a user which exceeds €1 million, or if the incident affected the provision of the services in two or more Member States).

Under the NIS Directive, a DSP will have to notify its competent national authority if it suffers an incident which has a ‘substantial impact’ on the service provided by a DSP.

The Information Commissioner’s comments

The Information Commissioner’s comments focussed on how the Implementing Regulation proposes to determine whether an event has had a ‘substantial impact’ on the services of a DSP and, as such, should be notified to them. The Information Commissioner had a number of recommendations and comments, including:

  • Cautioning against referencing a specific number of affected users or the length of time a service was unavailable as being the determining factors of whether an incident should be notified. Currently, the notification threshold is set at 100,000 users and 5 million user hours.
  • Recommending that it would be more useful if the obligation to notify focussed on the magnitude of the effect for the users of the service. For example, interruption to a more critical service should be notifiable at a lower level of interruption and, likewise, less business-critical services could tolerate a higher level of interruption.
  • Suggesting that if numeric values to thresholds are to be used in the Implementing Regulation, then these values should be indicative values only, not formal thresholds.
  • Suggesting that the assessment of whether an incident is ‘substantial’ should not solely refer to the ‘availability’ of a service. If a service is ‘disrupted’ to the extent that it runs so slowly that is unusable, then it ought to be considered unavailable for the purposes of the Implementing Regulation.
  • Recommending including a requirement to notify where a series of incidents within a notional period of time cumulatively amount to a ‘substantial impact’ on the provision of a service, even if none of the individual incidents would meet the threshold.
  • Suggesting that it was unnecessary to determine an incident as being ‘substantial’ just because it affected the provision of services in two or more Member States (Article 4(e), Implementing Regulation). The Information Commissioner also noted that many digital services are multinational in nature, and this would potentially have the unintended effect of triggering a notification event for minor incidents.

Comments

The Information Commissioner’s comments demonstrate her pragmatic approach to incident notification under the NIS Directive. The consultation period for the Implementing Regulation closed 11 October 2017, and the EU Commission has not yet commented on when we can expect a revised draft.

It remains to be seen whether the Information Commissioner’s comments will be incorporated by the European Commission in the final form of the Implementing Regulation, and organisations will need to keep an eye out for further updates.

Member States will have until 9 May 2018 to implement the NIS Directive into their national laws. As discussed in our previous blog, the UK government has announced that it intends to implement the NIS Directive regardless of Brexit, and is currently consulting on its implementation.