NIS Regulations: Overlooked Cybersecurity Requirements

Cavan Fabris | Senior Manager | EY Law


Cybersecurity Registration Deadline Looming

The Network and Information Systems Regulations 2018 (“NIS”) are now in force in the UK. NIS has been somewhat overlooked whilst most clients and their professional advisors were focussing on GDPR compliance. Upcoming NIS registration deadlines and compliance requirements provide an opportunity to approach the market and engage in new conversations with existing and new clients.

What is the scope of NIS?

NIS came into force in the UK on 10 May 2018 and implements the European NIS Directive (Directive (EU) 2016/1148, also known as the Cybersecurity Directive). NIS focusses on the security of the network and information systems that underpin essential and digital services. This is in contrast to GDPR, which focusses on the protection of personal data wherever it is held, although the two regimes overlap where a single incident affects both the systems and the personal data within them.

Who does NIS apply to?

The Regulations apply to Operators of Essential Services (“OESs”) and Relevant Digital Service Providers (“RDSPs”).

What is an OES?

An OES is an organisation operating services deemed critical to the running of society and the economy. The sectors covered are energy, transport, health, drinking water supply and distribution, and digital infrastructure (e.g. internet exchange points, domain name system service providers and top-level domain name registries). Within each sector, an organisation is an OES only if it meets the sector-specific thresholds set out in Schedule 2 to the Regulations, or is designated as an OES by its competent authority.

What is a RDSP?

Relevant Digital Service Providers are providers of online marketplaces, online search engines or cloud computing services that have their head office in the UK or have nominated a representative in the UK, unless they are a small or micro enterprise (fewer than 50 staff and an annual turnover and/or balance sheet total below €10 million). Companies providing digital services as part of a larger group may still be subject to NIS if the group as a whole exceeds these thresholds, because the thresholds are assessed across linked enterprises rather than for the digital-service entity alone.

  • Online search engines enable users to perform searches of, in principle, all websites (or all websites in a particular language) on the basis of a query or search term. A search function limited to the content of a single website is not an online search engine, and a website that embeds a search box supplied by another provider (e.g. an embedded Google search box) is not subject to NIS on that account.
  • Online marketplaces allow consumers and/or traders to conclude online sales or service contracts with traders, either on the marketplace’s own website or on a trader’s website that uses computing services provided by the marketplace. Online retailers that sell directly to individuals on their own behalf are not online marketplaces and are not subject to NIS on that basis.
  • Cloud computing services are digital services that enable access to a scalable and elastic pool of shareable computing resources. This covers IaaS, PaaS and SaaS offerings alike.

What are the requirements under the Regulations?

OES

  1. Registration with designated competent authority
  • An OES must register with its designated competent authority by 10 August 2018 if it meets the requirements as of 10 May 2018, or in any other case within 3 months of satisfying those conditions.
  2. Security
  • An OES must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which its essential service depends.
  • An OES must also take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of those systems, with a view to ensuring the continuity of the essential service.
  • An OES is responsible for managing compliance with NIS across its supply chain.
  3. Incident Notification
  • An OES must notify its designated competent authority about any incident which has a significant impact on the continuity of the essential service provided by that OES.
  • Significance of an incident is determined having regard to the following factors:
    • number of users affected;
    • duration of the incident; and
    • geographical area affected.
  • Notification must be provided without undue delay and in any event no later than 72 hours after the OES becomes aware that an incident has occurred.

RDSP

  1. Registration with ICO
  • An RDSP must register with the ICO by 1 November 2018 if it meets the requirements as of 10 May 2018, or in any other case within 3 months of satisfying those conditions.
  2. Security
  • An RDSP must identify and take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which it relies to provide its digital services within the EU. These measures must:
    • having regard to the state of the art, ensure a level of security appropriate to the risk posed;
    • prevent and minimise the impact of incidents affecting those systems, with a view to ensuring continuity of services; and
    • take into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards.
  • An RDSP is responsible for managing compliance with NIS across its supply chain.
  3. Incident Notification
  • An RDSP must notify the ICO about any incident which has a substantial impact on the provision of any of its digital services.
  • The parameters an RDSP should consider when assessing whether the impact is substantial are:
    • number of users affected;
    • duration of the incident;
    • geographical area affected;
    • extent of disruption to the functioning of the service; and
    • extent of the impact on economic and societal activities.
  • Notification must be provided to the ICO without undue delay and in any event no later than 72 hours after the RDSP becomes aware that an incident has occurred. It must also contain sufficient information to enable the ICO to determine the significance of any cross-border impact.
  • The obligation to notify applies only where the RDSP has access to the information needed to assess the impact of the incident against the parameters above.

What are the penalties for non-compliance?

  • Possible enforcement actions include information notices, inspections and enforcement notices issued by the relevant competent authority for an OES or by the ICO for an RDSP.
  • Potential fines are tiered by the seriousness of the contravention and its potential consequences, up to a maximum of £17 million.

How do the Regulations work with GDPR?

  • GDPR deals with personal data; NIS addresses the security of networks and information systems, whether or not personal data is involved.
  • GDPR compliance therefore does not equate to compliance with NIS: the standards, regulators and registration requirements are different.
  • The notification requirements under NIS are separate from those under GDPR. Both run a 72-hour clock from the point of awareness, but NIS notification is triggered by the impact of an incident on service continuity rather than by a personal data breach, and it goes to the competent authority (for an OES) or to the ICO in its NIS capacity (for an RDSP).
  • NIS requires OESs and RDSPs to take responsibility for the security of the networks and information systems provided by their supply chain.
  • It is possible for an entity to be fined under both NIS and GDPR for a single security incident where it fails to meet its obligations under each regime; an outage caused by an attack that also compromises customer data is the obvious case.