Summary: By 1 November 2018 many cloud service providers (CSPs) operating in the UK must register with the UK Information Commissioner’s Office (ICO) under the Network and Information Systems Regulations 2018 (‘NIS’).
Requirement to register
Under NIS, CSPs who offer cloud computing services to external customers and:
- have a head office in the UK (or a nominated representative in the UK); and
- are not a small or micro business (i.e. a business with fewer than 50 employees and an annual turnover of less than €10 million);
must register with the ICO by 1 November 2018.
NIS also cover providers of online marketplaces and online search engines, but this note addresses CSPs only.
NIS define a “cloud computing service” as “a digital service that enables access to a scalable and elastic pool of shareable computing resources” (reg. 1(2)). This is clearly intended to be a broader definition than the (now standard) five essential characteristics of cloud computing set out in the US National Institute of Standards and Technology definition of cloud computing, at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.
The NIS definition covers providers of ‘Platform as a Service’ and ‘Infrastructure as a Service’ solutions, but ‘Software as a Service’ cloud provision only to the extent that it is scalable and elastic and is a business-to-business service.
Main obligations under NIS
The two primary operational aims of NIS are to address the security of network and information systems and to ensure prompt reporting of serious cyber breaches by the digital service providers covered.
In addition to the registration requirement, those CSPs who are required to register with the ICO must also take appropriate and proportionate technical and organisational measures to manage risks to their systems and to prevent, or minimise the impact of, incidents that affect the security of those systems and the continuity of their services. All such measures should be appropriate to the risks posed.
Although NIS use language that mirrors that used in the GDPR and the measures implemented as a result may be similar, if not identical, the two pieces of legislation are distinct. The GDPR focuses on personal data privacy, while NIS focus on security of network and information systems. Ensuring compliance with both is essential.
The specific obligations regarding the security measures to be put in place under NIS are further detailed in the EU DSP Regulation (Regulation 2018/151/EU). The security measures to be implemented must take into consideration:
- security of systems and facilities;
- incident handling processes and procedures;
- business continuity management;
- monitoring, auditing and testing; and
- compliance with international standards.
CSPs must retain documentation that evidences their compliance with the security measures, which the ICO may request during the course of an investigation.
CSPs registered with the ICO under NIS must notify the ICO without undue delay, and in any event within 72 hours, of becoming aware of an incident that has a ‘substantial impact’ on the provision of the cloud services. The DSP Regulation sets out the thresholds and parameters for when an incident is to be considered as having a substantial impact. Considerations include the number of users affected, the duration of the incident, the extent of the incident’s impact and the extent of the disruption to the services provided.
Consequences of non-compliance
Non-compliance with the obligations under NIS can result in the imposition of significant fines. Although not set at the same levels as those under the GDPR, fines can be set at a maximum of £17 million for the most serious ‘material contraventions’.
In addition to the imposition of fines, the ICO has a wide range of other enforcement powers. These include:
- requests for information;
- issuance of enforcement notices requiring the recipient to take, or refrain from taking, certain steps; and
- conducting audits to assess compliance with NIS.
For further information on NIS and the requirements imposed on CSPs, please see the ICO’s guidance here. The European Union Agency for Network and Information Security has previously provided guidance on technical security measures for digital service providers, which can be found here. And the UK’s National Cyber Security Centre’s guidance can be found at https://www.ncsc.gov.uk/guidance/introduction-nis-directive.