The UK Network and Information Systems Regulations 2018 (NIS Regulations) come into force on 10 May 2018 to implement the EU Network and Information Security Directive (EU) 2016/1148 (NIS Directive).
The NIS Regulations establish a legal framework to impose security and notification obligations on:
- operators of essential services (OES) including electricity, gas, water supply, transport;
- relevant digital service providers (RDSP) being online search engines, online marketplaces and cloud computing service providers.
It is recognised that certain services are so fundamental to the functioning of the UK economy and society that a disruption to those services could cause significant damage. The purpose of the NIS Regulations is to require OES and RDSP operators to adopt appropriate and proportionate measures to improve the security of the network and information systems on which their services rely.
Unlike the GDPR, the NIS Regulations are service-specific rather than data-specific. The NIS Regulations focus on the security and continuity of a service and not the protection of data, although in practice there will be overlaps for any given security breach. The new law also requires the UK government to outline a strategy to provide strategic objectives and priorities on the security of NIS in the UK, and provides for GCHQ to play a role in monitoring security incidents.
Who needs to comply?
Operators of Essential Services
- Regulation 8 sets out when an organisation is deemed to be an "operator" of essential services, while Schedule 2 describes certain quantitative and qualitative threshold requirements for determining whether an essential service falls within the ambit of the legislation (including electricity, gas, air transport and water supply).
- An OES which meets the threshold requirement must notify the relevant Competent Authority by 10 August 2018, or within three months of falling within the definition. Competent Authorities also have the power to designate that an organisation is an OES if certain criteria are met.
Relevant Digital Service Providers
- RDSPs must self-identify to the Information Commissioner by 1 November 2018 if they provide the following kinds of services within the UK: "online marketplace", "online search engine" or "cloud computing services".
- The definition of RDSP only covers providers of digital services within the UK which are headquartered in the UK (or have nominated a representative established in the UK), and excludes micro or small businesses. This is because under the NIS Directive there is a 'one stop shop' concept for RDSPs which are required to notify in their Member State of main establishment.
The security obligations are not granular but set out high-level requirements.
Both OES and RDSPs must notify their Competent Authority about any incident that has a significant impact on the continuity of the essential service, or relevant digital service, that they provide. Notifiable incidents are not limited to cyber breaches; they could include a physical event, such as a power failure that restricts or disrupts a relevant IT service. The relevant time period to notify is "without undue delay" and in any event no later than 72 hours after the operator or service provider is aware that the security incident has occurred.
The EC Implementing Regulation (EU) 2018/151 is highly prescriptive as to the parameters for determining whether an incident at an RDSP has a significant impact. Notification is only required if the RDSP has access to information "which enables it to assess whether the impact of an incident is substantial". This is crucial, as many RDSPs (e.g., cloud service providers) will not know the end-user profiles of their customers and so cannot assess the risk level of a given incident.
There is no obligation to notify the public although a Competent Authority may require you to do so.
A tiered system of fines will be introduced which will relate to the impact of the incident, up to a maximum of £17 million where a Competent Authority determines that an incident has caused, or could cause "an immediate threat to life or significant adverse impact on the United Kingdom economy".
GDPR and the NIS Regulations
The introduction of the NIS Regulations in the shadow of the GDPR (which comes into effect on 25 May 2018) appears to have minimised the attention given to a law that will impose security and notification requirements on hundreds of operators across the UK, with potential exposure to fines of up to £17 million. There is considerable overlap between GDPR and the NIS Regulations, and data controllers and processors may be subject to the requirements under both regimes. For example, a personal data security breach could trigger notification requirements under both the GDPR and NIS Regulations and in principle there could be a double jeopardy where an incident triggers both pieces of legislation.
It is clear that the significance and potential impact of the NIS Regulations must not be ignored. OES and RDSPs should ensure that their security strategies and policies comply with the new law.