Providing digital services: the effects of the NIS regulations 2018
With all the attention surrounding the implementation of the General Data Protection Regulation (GDPR) in May 2018, it is no surprise that the Network and Information Systems Regulations 2018 (NIS) slipped under the radar of many.
Implementing a European Directive, the NIS Regulations were intended to tackle the ever increasing threats to network and information systems. As discussed in our earlier article on data breach reporting, cyberattacks are becoming more frequent and organisations holding a high volume of information are particularly vulnerable. NIS aims to force certain organisations to better protect their systems by introducing new security requirements and incident reporting thresholds and in doing so, generally improve the functioning of the digital economy.
What is a ‘network and information system’?
A network and information system is essentially any computer system that is used to process digital data. This digital data can include personal data, which is why the NIS Regulations and the GDPR were drafted with one another in mind. And even if you fall outside the scope of the NIS Regulations, it is likely that you will be a data controller (and potentially a processor) under the GDPR, so you need to ensure your procedures for processing any personal data complies with GDPR. For more information, please see here.
Who do the Regulations apply to?
The NIS Regulations apply to two groups of organisations:
- Operators of essential services (OES)
- Relevant digital service providers (RDSPs)
What is an OES?
You will be an OES if you carry out services that are deemed critical to the economy and wider society. This can include critical infrastructure, such as water, transport, healthcare and digital infrastructure (domain name registries, domain name hosting providers or resolvers and internet exchange point operators over a certain size).
What is a RDSP?
You will qualify as such if you:
- are an online search engine, online marketplace, or a cloud computing service; and
- have your head office in the UK, or have nominated a UK representative; and
- have more than fifty staff; or
- have a turnover or balance sheet of more than ten million euros.
This therefore means that there is a small business exemption for digital service companies with fewer than fifty staff or a turnover and/or balance sheet of less than ten million euros.
If your company is part of a larger group, you need to include the whole organisation’s staff and turnover when assessing if NIS applies. So, say Company A employs 22 staff and has a turnover of four million, Company A would benefit from the small business exemption. But, if company A was the subsidiary of Company B, who employed 29 staff and had a turnover of six million, Company A would come under the scope of the NIS Regulations.
What if the NIS Regulations apply to me as a relevant digital service provider?
- Register with the ICO
As the competent authority for RDSPs, you should have registered with the ICO by 1 November 2018. nNotification can be done by email and must include the name of your organisation, the name of your service, the address of your head office and up-to-date contact details. It is free to register.
If you become an RDSP after 1 November 2018, you must register with the ICO within three months.
- Comply with the security requirements
You must identify and take appropriate and proportionate measures to manage the risks posed to the security of the network and information systems you rely on to provide the relevant digital services. These measures must:
- Be appropriate to the risk posed
- Prevent and minimise the impact of incidents with a view to ensuring continuity of services
- Take into account security of systems and facilities, incident handling, business continuity management, monitoring auditing and testing, and compliance with international standards. You must keep adequate documentation to demonstrate that you have complied with these security elements.
- Notify the ICO of incidents
This applies to incidents which result in a substantial impact on the relevant services. If a notice is needed, it must be made without undue delay and in any event, no later than 72 hours after you are aware that the incident has occurred.
In determining whether the impact is substantial, you must take into account the number of users affected (and the number of users relying on the service to provide their own services); the duration; the geographical area affected; the extent of disruption to functioning of the service; and the extent of impact on economic and societal activities.
The impact is likely to be substantial if:
- Unavailability exceeds 5 million user-hours;
- There is a loss of integrity, authenticity or confidentiality of data or services affecting more than 100,000 users;
- There is a risk to public safety, public security or of loss of life;
- There is material damage to at least one user exceeding €1 million.
The notice must include:
- Your name and the relevant services you provide;
- The time the incident occurred;
- The duration of the incident;
- Information concerning the nature and impact of the incident;
- Information concerning any, or any likely, cross-border impact of the incident and sufficient information to enable the ICO to determine the significance of any cross-border impact; and
- Any other information that may be helpful to the competent authority.
What happens if I do not comply with NIS?
If you are an RDSP, you will be regulated by the Information Commissioner’s Office (ICO). The ICO have the power to issue enforcement notices; inspect your premises and any relevant documents; and in the most serious cases, can issue penalties of up to seventeen million pounds.