At a glance
- The NCSC is the UK’s technical authority for cyber threats. It is part of the Government Communications Headquarters (GCHQ) and has several roles in NIS.
- It acts as the ‘computer security incident response team’ or CSIRT. This means it monitors incidents, provides early warnings, disseminates information, conducts cyber threat assessments and provides general technical support to competent authorities.
- It is also the ‘single point of contact’ (SPOC). In this role it receives information on NIS incidents from all competent authorities and co-ordinates with its counterparts in other Member States.
- The NCSC has published a ‘NIS guidance collection’, primarily for OES.
In brief
What is the National Cyber Security Centre (NCSC)?
The NCSC is the UK’s ‘technical authority’ for cyber incidents. It is part of GCHQ, one of the UK’s security services, and was formed in 2016 to provide a unified national response to cyber threats. It was created out of a number of pre-existing organisations which included:
- GCHQ’s ‘Communications-Electronics Security Group’ (CESG), which was the national technical authority for information assurance and advises organisations on how to protect their network and information systems from threats;
- CERT UK, the former a computer security incident response team;
- the Centre for Cyber Assessment (CCA), also part of GCHQ, responsible for providing cyber threat assessments to UK government departments; and
- the cyber functions of the Centre for the Protection of the National Infrastructure (CPNI).
The UK’s National Cyber Security Strategy 2016-2021 outlines the Government’s intent behind setting up the NCSC. The strategy will also be used as the ‘NIS national strategy’ as required under Regulation 3.
What role does the NCSC have?
NIS does not mention the NCSC by name – a number of functions are assigned to GCHQ itself. These are carried out by the NCSC. It acts as the ‘single point of contact’ (SPOC) and ‘computer security incident response team’ (CSIRT).
Single point of contact (SPOC)
The SPOC’s role largely concerns cross-border co-operation where incidents affect more than one Member State. It also produces reports on incident notifications.
Regulation 4 of NIS designates the NCSC as the SPOC. It is required to:
- liaise with SPOCs, CSIRTs and competent authorities in other countries to ensure cross-border co-operation;
- consult and co-operate with relevant law enforcement authorities; and
- co-operate with the competent authorities when they undertake enforcement actions.
The SPOC must also submit reports to a ‘Cooperation Group’ at European level. These are based on annual reports that competent authorities provide to the SPOC about the number and nature of any NIS incidents.
Computer Security Incident Response Team (CSIRT)
NIS assigns the CSIRT a range of functions. Regulation 5 designates the NCSC as the CSIRT. In this role, it is required to:
- monitor incidents;
- provide early warning, alerts, announcements and dissemination of information about risks and incidents;
- respond to incidents notified to it by competent authorities;
- provide dynamic risk and incident analysis and situational awareness;
- participate in the ‘CSIRTs network’ at European level;
- establish relationships with the private sector;
- promote the adoption and use of common or standard practices for incident and risk handling procedures, and incident, risk and information classification schemes; and
- co-operate with the competent authorities when they undertake enforcement actions.
Competent authorities may share information with the NCSC where this is necessary for the requirements of NIS. This has to be limited to information that is ‘relevant and proportionate’ to the purpose of the sharing.
Under Regulation 12(8), the ICO is also required to share incident notifications with the NCSC as soon as reasonably practicable.
How does this relate to the ICO’s functions in respect of the UK GDPR?
For most organisations, only the UK GDPR will apply. If you are not an OES or an RDSP, then you have no NIS obligations. However, for OES and RDSPs both laws may apply at the same time.
The ICO is the UK’s supervisory authority for the UK GDPR, with powers and functions as specified in that legislation. This means that wherever organisations covered by NIS also process personal data, we have a different, yet related, set of regulatory functions.
The NCSC is the UK ‘technical authority’ for cyber issues. Although it does not have a regulatory function in respect of the UK GDPR, where cyber breaches take place there is a clear link between what we do in enforcing the GDPR and what the NCSC does in the wider ‘cyber landscape’.
The NCSC’s specific functions under NIS, coupled with the ICO’s role as the competent authority for RDSPs, simply serve to reinforce this link.
The UK Government’s ‘Cyber Security Regulation and Incentives Review’ in 2016 stated that the UK GDPR would be the main means by which ‘cyber hygiene’ in the UK economy would be improved, in concert with NIS for OES and RDSPs. The review also outlined the Government’s intent for the ICO and the NCSC to collaborate, given the overlap in the legislation.
Since then, the ICO and the NCSC have worked closely together on both NIS and the UK GDPR, and we expect continued collaboration in the future.
What guidance has the NCSC released about NIS?
The NCSC has developed the Cyber Assessment Framework or CAF, which is intended for use by organisations that operate within UK critical national infrastructure (CNI) as well as operators of essential services under NIS.
The CAF consists of 14 cybersecurity and resilience principles, along with guidance on how to apply them. The principles are aimed at helping organisations achieve and demonstrate an appropriate level of cyber resilience in the context of the essential services they provide.
The principles define top-level outcomes that describe good cybersecurity for organisations that perform essential functions.
The CAF is designed primarily for operators of essential providing CNI. However, if you are an RDSP, the principles-based approach in the CAF may still assist you when determining and evaluating your security measures.