Despite coming into effect over a year and a half ago, there is still widespread lack of awareness of the Network and Information Systems Regulations 2018 (“Regulations”) (which implement, in the UK, the EU Network and Information Systems Directive 2016, often referred to as the ‘Cybersecurity Directive’).
This is not surprising – the Regulations have a relatively narrow scope and came into effect when most organisations were in the throes of preparing for the GDPR. However, there are potentially significant consequences for non-compliance and, as GDPR compliance regimes become more established, organisations (and regulators) will be able to turn their attention to other issues, including the Regulations.
So, for those not too (or at all) familiar with the Regulations, here are the key take-aways (including what will happen after Brexit):
1.Application: The Regulations aim to improve the security and continuity of critical infrastructure and essential services that rely on network and information systems (networks, devices and digital information). So, to prevent the type of disruption that we saw caused by the 2017 Wannacry ransomware attack or 2016 attacks on US water utilities.
They apply to:
- “operators of essential services” (“OES’”) – organisations that provide services critical for society at large and the economy (services such as drinking water and utility supplies, airport operation and healthcare services), that are reliant on network and information systems and that satisfy certain thresholds (detailed in the Regulations and to ensure that the focus is on the most significant suppliers); and
- “relevant digital service providers” (“RDSPs”) – organisations that provide online marketplaces, online search engines and cloud computing services (which are all defined further in the Regulations) in the UK.
2.Registration: OES’ and RDSPs are required to register with their “competent authority”. For OES’, their competent authority depends on the sector and area in which the organisation operates (e.g. The Secretary for State for Health for a healthcare OES in England and The Welsh Ministers for one in Wales). For RDSPs, this is the ICO. This should generally happen straightaway if an organisation is already an OES or RDSP or within 3 months after it becomes an OES or RDSP.
3.New security and notification requirements: The Regulations require organisations to: (i) comply with additional security requirements to protect against risks to and minimise incidents in respect of network and information systems used to provide the relevant services; and (ii) to notify regulators of certain incidents that impact those services.
- The requirements apply to both OES’ and RDSPs, although the specific requirements vary slightly depending on whether the organisation is an OES or an RDSP and are generally not as stringent for RDSPs.
- At a high level, OES’ must adhere to 14 outcome based security principles set by the National Cyber Security Centre and RDSPs must adhere to the terms of an associated EU regulation.
- OES’ must notify their competent authority of incidents having a significant impact on their relevant services. RDSPs must notify the ICO of incidents having a substantial impact on their relevant services. Further, an OES that uses an RDSP to provide its relevant services must also notify its competent authority if an incident affecting the RDSP has a significant impact the continuity of the OES’ relevant services (in addition to the RDSP notifying the ICO if the incident has a substantial impact on its relevant services).
- The wording and processes of the Regulations are, at first glance, very similar to those of the GDPR (e.g. “appropriate and proportionate technical measures” must be taken by OES’ and incidents must be reported without undue delay and within 72 hours)
However, a GDPR compliant security and incident reporting regime will not necessarily be compliant with the Regulations. The Regulations have a different focus (network and information systems, not personal data) and apply different requirements (e.g. implementation cost cannot be taken in account by RDSPs when assessing the security measures to be implemented). Further, the very nature of the relevant services arguably requires a more robust regime because of the potentially more significant impact of incidents on the economy, individual welfare or society more generally.
Under the Directive, RDSPs that do not have a head office or establishment in the EU, must also appoint an EU representative.
4. Fines of up to £17m: Per the GDPR, fines for non-compliance can be up to £17m. However, unlike the GDPR, fines are tiered based on the materiality and effect of the non-compliance. So:
- the highest level of fine of up to £17m is reserved for material contraventions resulting in an immediate threat to life or significant adverse effect on the economy;
- fines of up to £8.5m and £3.5m can be applied for material contraventions resulting in service disruption or service reduction (respectively) lasting a significant period of time; and
- fines of up to £1m can be applied to contraventions that do not result in an incident affecting network and information systems (e.g. a failure to comply with an information notice).
Significantly, fines under the Regulations are in addition to GDPR fines. This means that, if a single event results in a breach of the Regulations and GDPR (e.g. a security failure), an organisation could be fined separately under both regimes. The ICO and the relevant competent authority (if different) must co-operate, which may reduce this risk. However, they will be free to undertake their own responses and the UK Government has been very clear that multiple fines may be appropriate for the same event as they may relate to different aspects of wrongdoing and different impacts.
Further, where an organisation also offers services in other EU member states and, an event impacts those other EU member states, an organisation (particularly OES’) may also be fined under their equivalent regime.
5. Brexit: Finally, the Regulations will continue to apply after Brexit (with some amendments).
The most significant change for UK based RDSPs who do not currently have a head office or establishment in another EU member state but who offer services to other EU member states, is that they will need to appoint a representative in another EU member state (as confirmed by the ICO in October). This should be an EU member state into which it offers its relevant services.
Similarly, RDSPs without a UK head office will need to appoint a UK representative and provide their details to the ICO (within 3 months after Brexit or, if later, of becoming an RDSP).
In both cases, this opens the RDSP up to dual regulation (in the UK and the EU member state where it appoints its representative). So, if the RDSP has multiple options as to where to appoint its new EU representative, it should carefully consider the local NIS regime (particularly as fining powers vary significantly between EU member states).