The Network and Information Systems Regulations (the “NIS Regulations”) came into effect on 10 May and transpose into UK law the Directive on Security of Network and Information Systems. The NIS Regulations establish, amongst other things, a set of threshold security requirements that apply to so-called operators of essential services (or “OES”) that rely on network and information systems. Certain requirements are also imposed on so-called “digital service providers”. Significant penalties (of up to GBP 17 million) can be imposed for breach of the Regulations.
The Regulations also provide for the establishment of designated “competent authorities” for specifically identified subsectors in relation to which OES provide essential services. One of these subsectors is digital infrastructure, and the Regulations designate Ofcom as the competent authority for that subsector. One of the duties imposed on Ofcom (and other competent authorities) under the NIS Regulations is the preparation and publication of guidance. On 8 May 2018, Ofcom published interim guidance for OES in the digital infrastructure subsector (the “Guidance”). Set out below is a brief description of the status of this Guidance and a summary of its main points. Some conclusions are also provided.
Status of the Guidance
The Guidance is interim only, and Ofcom expresses the expectation that it will evolve over time. Ofcom further states that, while the Guidance sets out the approach it would normally expect to take, it does not have binding legal effect and each case will be considered on its merits. For this reason, Ofcom recommends that OES seek their own independent legal advice that takes account of the facts in question.
Summary of the main points
a) OES designated for the digital infrastructure subsector
Under Regulation 8(1) of the NIS Regulations, a person is “deemed to be designated” (or automatically designated) as an OES where it provides an essential service as referred to in paragraphs 1 to 9 of Schedule 2 to those Regulations which satisfies the prescribed threshold requirement. Any such OES must fulfil the security duties set out in Regulation 10 and the duty to notify incidents set out in Regulation 11.
The Guidance describes the following three categories of essential services (and the associated threshold requirements) that are established in Schedule 2 in respect of the digital infrastructure subsector. The first category is Top Level Domain Name Registries which service an average of two billion or more queries in 24 hours for registered domains. The second category is Domain Name System Service providers with an establishment in the UK which satisfy specific criteria as set out in paragraph 10 of Schedule 2 to the Regulations. The third category is Internet exchange point (“IXP”) operators who have 50% or more annual market share in the UK or who offer interconnectivity to 50% or more of global Internet routes.
The Guidance states that operators that fall into any of the three above-mentioned categories on 10 May 2018 are required to notify Ofcom at the latest on 9 August 2018 (i.e. within three months). Any operators that fall into these categories after 10 May must register within three months of the date of falling into such category.
Ofcom also has the power under the NIS Regulations to designate an operator as an OES for the digital infrastructure subsector even if it does not fall into any of the three categories described in Schedule 2. This possibility, which is addressed under Regulations 8(3) and (4), is also described in the Guidance. Ofcom will maintain a list of all OES that have been designated/deemed to have been designated for the digital infrastructure sector. It will review this list on a biennial basis, with the first review expected prior to 9 May 2020.
As a final point, it is worth noting that a designated OES for the digital infrastructure subsector may, depending on its commercial activity, also qualify as a digital service provider and therefore be subject to parallel obligations under Part 4 of the NIS Regulations.
b) OES security and security incident reporting duties
The Guidance catalogues the substantive security requirements that apply in respect of designated OES under the NIS Regulations. Ofcom also notes that the measures to be taken in this regard must ensure a level of security appropriate to the risk presented “having regard to the state of the art”. Ofcom confirms that it would therefore have regard to the state of the art of such measures in any compliance assessment.
The Guidance also addresses the OES security incident reporting duties together with the Ofcom process requirements for such reporting. While the Guidance does not elaborate on the substantive incident reporting requirements, it does provide helpful guidance on the actual reporting process. In this regard, a specific email address (firstname.lastname@example.org) is provided for OES together with guidance on how information is to be provided (a link is provided to a NIS incident report form). Ofcom also clarifies in the Guidance that incident reporting to Ofcom should not be viewed as a substitute for reporting to other agencies which can provide incident response. Similarly, if an incident is criminal in nature, the Guidance highlights that the appropriate law enforcement agency should be contacted.
The NIS Regulations require that an OES have regard to guidance issued by the competent authority when determining the significance of the impact of an incident. Accordingly, Ofcom has prepared a table in the Guidance setting out its initial view of the thresholds at which incidents occurring in the digital infrastructure subsector should be reported. This table is reproduced below. Ofcom recommends that, if there is any doubt as to whether or not a criterion is met, the OES should submit a report.
Table of specific reporting thresholds
The NIS Regulations are complex secondary legislation which carry significant financial penalties for breach. The Regulations represent entirely new duties for many of the designated OES in scope, although Ofcom has acknowledged that it will take time for these stakeholders to understand the practical application of their duties under the Regulations. Clear and comprehensive guidance from Ofcom (and the other designated competent authorities) is therefore very important.
Ofcom has done well to produce the Guidance in such a short timeframe (the NIS Regulations were made less than one month beforehand on 19 April 2018). It is hoped that this document will evolve over time, especially as Ofcom begins to apply and enforce the Regulations in practice. In the meantime, OES should bear in mind that the Guidance is interim only, and that each case will be considered on its merits. OES should therefore be mindful of Ofcom’s recommendation to seek independent legal advice to help them navigate this complex regulatory framework.