Cyber Security: The Network And Information Systems Regulations
Whilst overshadowed by GDPR, important cyber security regulations called The Network and Information System Regulations 2018 (NIS) came into force in May this year.
What is NIS?
NIS’s aim is to establish a common level of security for network and information systems, with the main focus being on cyber security.
Who does NIS apply to?
NIS applies to operators of ‘essential services’ (OES) and certain digital services providers (RDSP)
OES’s operate essential services to the economy and wider society (e.g. water, transport, energy, healthcare and digital infrastructure). NIS applies threshold criteria so not all organisations listed above will automatically be covered.
What is an RDSP?
RSPS’s provide specific types of digital services (e.g. online marketplaces, online search engines or cloud computing services).
Again RDSPs are subject to threshold criteria – being that an organisation has its head office in the UK (or has ‘nominated a representative’ here) and has 50+ staff and a turnover of €10m or more.
What does NIS require?
NIS’s key requirements can be broadly summarised as
- taking appropriate and proportionate measures to ensure the security of network and information systems;
- notifying regulators of incidents.
- Beyond the above NIS contains more specific obligations for OES’s and RDSP’s to comply with.
What are the reporting obligations?
Organisations must inform their regulator of NIS incidents ‘without undue delay’ and no later than 72 hours after an organisation is aware of an incident (closely matching the GDPR’s obligation to notify the ICO of certain data breaches).
Who are the regulators?
NIS does not stipulate a central regulator. Each sector has its own regulator. For example, Ofcom is the regulator in relation to digital infrastructure.
What are the sanctions?
NIS allows regulators to ask organisations for information and conduct inspections.
Where NIS failures occur regulators can also issue enforcement notices with steps an organisation needs to take.
NIS contains some eye-watering fines. The maximum fine under NIS is £17m for a ‘material contravention which has caused, or could cause, an incident resulting in an immediate threat to life or significant adverse impact on the United Kingdom economy’.
Unlike GDPR, NIS only applies to certain organisations. However, the consequences of non-compliance have very strong teeth.
Organisations which could potentially be OES’s or RDSP’s should therefore consider whether NIS applies to them. Whilst the ICO is not an overall regulator, the ICO’s guide at https://ico.org.uk/for-organisations/the-guide-to-nis/ is a useful introduction.
For more information on NIS, please contact Tom Trowhill at email@example.com or on +44 (0)1892 506 342
For updates from us and the latest Tech news follow us on Twitter @CrippsTechLaw