The Network and Information Security (NIS) Directive will be implemented into UK law on 9 May 2018 and requires Digital Service Providers (DSPs) to comply with specific security requirements and incident reporting obligations.

At the very end of January the EC issued its Implementing Act that sets out how the Network and Information Security (NIS) Directive should be implemented for Digital Service Providers (DSPs).

In March The UK Government - through the Department for Digital, Culture, Media and Sport - issued a consultation paper looking at how the NIS Directive will apply to DSPs in the UK. The closing date for responses is 29 April 2018.

There will not be much that is particularly surprising in the Implementation Act or the Consultation Paper to those who are familiar with NISD. However, it is our understanding that, of all those likely to be affected by the NIS Regulations, it is the DSPs who are least aware that they will have to deal with another heavy sanction associated with compliance obligation. This is over and above the sanctions they already face through NISD's more famous sibling, GDPR.

The headlines from the Consultation Paper:

  • No greater definition has been provided on who is a DSP. Digital Service Providers remain defined as operators of:
    • Online market places: a platform that acts as an intermediary between buyers and sellers facilitating the sale of goods or services and which represents the final destination for the conclusion of the relevant contracts (sites that redirect users to other sites where final contracts are made, such as price comparison sites, are not in scope)
    • Online search engines: services that allow users to search public parts of the world wide web
    • Cloud computing services - primarily:
      • Infrastructure as a Service
      • Platform as a Service
      • Software as a Service
  • The Information Commissioners Office (ICO) will be the Competent Authority for DSPs
  • It is likely that it will be mandatory for UK DSPs to register with the ICO following 10 May, 2018
  • No further statement is made on fines and so we expect no change from the £17m single maximum fine

Security measures for DSPs:

The anticipated security requirements for DSPs:

  • systematic management of network and information systems –
    • mapping policies, risk analysis, HR, security architecture, data and system life cycle management and encryption
  • physical and environmental security on an "all hazards" approach
  • security and traceability of critical supplies
  • access controls guarding availability of system and network

Expected incident handling requirements:

  • detection processes in place and tested regularly processes
  • policies on incidents and to identify weaknesses
  • established response procedures
  • the ability to assess incident severity and capture learning from incidents

Expected business continuity management requirements:

  • establishment and use of continuity plans that need to be regularly tested and assessed through exercises
  • disaster recovery capabilities in place
  • monitoring audit and testing

Points of note

  • It is possible to qualify as both an Essential Operator (EO) AND as a DSP and those who do will have to comply with those NIS Regulations in each role. There will be dual reporting requirements and presumably but not made express in the Consultation Paper the potential for dual fines.
  • The ICO likely to levy a fee on DSPs through its registration scheme to pay for its role.
  • Of all those likely to be affected by NISD we think it’s DSPs who will be most taken by surprise. Those furthest in the dark will be entities who don’t have any self-perception that they are a DSP at all as the requisite elements of being a DSP are an adjunct to their business. It’s these who will also stand the chance of being both EO and DSP compliance obliged.