To be or not to be: do the Network & Information Systems Regulations apply? Who is affected by the NIS Regulations and what are the consequences?

Quietly and with little publicity, new regulations relating to computer security will come into effect on Thursday, 10 May.  The regulations are another piece in the jigsaw of European law seeking to make the internet a more secure environment for consumers and businesses.  Closely related to the General Data Protection Regulations (GDPR) they also include equally eye-watering penalties for non-compliance.   

The Network & Information Systems Regulations 2018 give effect in the UK to EU Directive 2016/1148. The regulations are focussed on ensuring that information systems used to process data and control infrastructure and to transmit information are secured against cyber-attacks.  The regulations will become increasingly important as more devices are connected via the internet.

The regulations apply to two groups: operators of essential services (OES) and digital service providers (DSP).  They also set out requirements for the regulatory bodies needed to monitor and govern the operation of the regulations and, critically, to liaise with regulatory bodies in other members states in the event that a cyber-attack, as they frequently do, have a multi-jurisdictional impact.

Identification of organisations categorised as an OES is reasonably straightforward; the regulations set out extensive descriptions of the qualifying features.  The regulations also allow the relevant regulatory bodies to request information from an organisation to determine whether it does or should be qualify.

As the name suggests, OES’s are organisations providing critical services, and applies to the energy, transport, health and utility sectors and to providers of digital infrastructure.  DSPs are identified as providing services relating to “online marketplaces”, “online search engines” and “cloud computing services”.  DSPs must also meet location and size qualifications. 

Unfortunately, it is not so easy to determine whether an organisation qualifies as a DSP and organisations are also required to self-determine whether the regulations apply. The Information Commissioner, as the relevant regulatory body for DSPs, will produce guidance but it does not have the same right to request information and determine whether an organisation qualifies as a DSP.  

Given the significant penalties available for a failure to comply with the regulations, the incident reporting obligations and the cost of compliance, there are reasons why organisations might seek to distinguish their operations in a manner similar to the distinction drawn by some ISPs over their role in the publication of online content.

The regulatory bodies are required to maintain a register of the organisations for which they have responsibility.  DSP’s are required to notify the Information Commissioner by 1 November 2018, or within 3 months of meeting the criteria after that date.  OES’s must do so by 10 August 2018.  Naturally, the relevant regulatory bodies are entitled to charge a fee, though the fee structure has not been published yet.

Organisations are required to take appropriate and proportionate measures to ensure the security of the network and information systems on which their respective services depend.  They must notify their relevant regulatory body within 72 hours of when they become aware that an incident has occurred and take measures to prevent and minimise its impact.

A key concern relating is the overlap the regulations have with GDPR and the risk that an organisation may incur a fine under both in respect of the same breach of security. DSPs may obtain some comfort that the Information Commissioner is the relevant regulatory body for both regulations, an advantage not afforded to OES’s. 

The arrival of the regulations has been overshadowed by the greater prominence given to GDPR.  Whilst the actions required to ensure security of personal data will help to achieve compliance, it is not the whole picture.  A lack of awareness and a lack of clarity in application may leave some DSPs exposed to claims and penalties. 

This article was first published in the New Statesman, 10 May 2018