At a glance
- NIS is overseen by a number of ‘competent authorities’ that monitor different sectors. The ICO is the competent authority for relevant digital service providers (RDSPs).
- In many cases both operators of essential services (OES) and RDSPs are also data controllers and/or processors under the UK GDPR, meaning that the ICO also has regulatory functions in that context.
- The ICO has a range of enforcement powers that we can use where appropriate.
- We can issue information notices that require you to provide us with certain information.
- We can issue enforcement notices that require you to take, or refrain from taking, particular steps or actions.
- We can issue monetary penalties if you contravene NIS, up to a maximum of £17 million in the most serious cases.
- We also have powers of inspection – we can inspect you ourselves, appoint a third party, or require you to appoint a third party.
In brief
- How is NIS enforced?
- Who are the other competent authorities?
- What enforcement powers does the ICO have?
- What are the levels of penalties?
How is NIS enforced?
NIS is overseen by different ‘competent authorities’ whose general function is to monitor the application of the Regulations. The UK has sector-specific competent authorities, with the ICO being responsible for overseeing relevant digital service providers.
Who are the other competent authorities?
A list of the competent authorities is included in Schedule 1 of NIS. For essential services, depending on the sector, the competent authority may differ in each part of the UK (England, Scotland, Wales and Northern Ireland).
If you are an OES reading this guidance we encourage you to check the website of your competent authority for advice specific to your circumstances, including thresholds for identification and any specific security or incident reporting requirements.
What enforcement powers does the ICO have?
We have a range of actions that we can take, including:
- information notices;
- enforcement notices;
- penalty notices; and
- inspection powers.
Information notices
Under Regulation 15(3), the ICO may serve an ‘information notice’ (IN) on you where we reasonably require information to enable us to assess:
- the security of your network and information systems; and
- the implementation of your security policies, including any inspections conducted.
The IN will describe the information we require, the reasons why we require it, the form in which you should provide it to us, and the period within which you must do so. If you don’t comply with an IN, we can issue you with an enforcement notice.
Enforcement notices
Under Regulation 17(2), we may serve an enforcement notice (EN) on you if we have reasonable grounds to believe you have failed to:
- fulfil your security obligations under Regulation 12;
- notify us of a security incident under Regulation 12(3);
- comply with your notification obligations in Regulation 12(5);
- notify the public about any incident, if we have required you to do so under Regulation 12(12);
- comply with an information notice under Regulation 15; or
- comply with the inspection requirements in Regulation 16(2) and (3).
If you don’t comply with the steps in the EN, you run the risk of the ICO imposing a penalty on you.
Inspections
Under Regulation 16(2), the ICO has the power to conduct an inspection to see if you have fulfilled your security obligations. Our inspection power allows us to:
- conduct an inspection ourselves;
- appoint someone to conduct an inspection on our behalf; or
- require you to appoint someone approved by us to conduct an inspection.
You also have to take steps to assist the inspection, as listed in Regulation 16(3). These steps include:
- paying for the ‘reasonable costs’ of the inspection;
- co-operating with the inspector(s);
- providing the inspector(s) with ‘reasonable access’ to your premises;
- allowing the inspector(s) access to documents and information that may be relevant; and
- allowing the inspector(s) access to any individual that may be relevant.
If you don’t take these steps, you run the risk of the ICO imposing a penalty on you.
Penalty notices
Regulation 18(2) gives the ICO the power to serve a penalty notice on you in certain circumstances. We will first serve you with an EN directing you to take certain steps. If you fail to take such steps, or we are not satisfied with your explanation as to why you do not need to take them, we may then issue a penalty notice.
The penalty notice will specify:
- the reasons for imposing a penalty;
- the sum that we are imposing;
- the date of the notice;
- the date by which you must pay the penalty;
- how you can appeal against the notice; and
- the consequences of failing to pay within the period specified.
Under Regulation 18(5) we are required to issue a penalty that is appropriate and proportionate to the failure. For more information on how the ICO undertakes regulatory action including imposing penalties, see our Regulatory Action Policy (pdf).