Currently, incident reporting thresholds for digital services providers are set out in the NIS Regulations 2018 and the European Commission Implementing Regulation 151/2018. The thresholds were established when the UK was a member of the European Union (“EU”) and were set for a market size of 28 EU member states.
Now that the UK has left the EU, the Government has recognised that there is a deficiency in the NIS legislation surrounding the incident reporting thresholds. In July 2021, the Government launched a call for views proposing the amendment of the current legislative provisions to enable thresholds to be set which are relevant to the UK market.
The Government proposes to lay a statutory instrument which would revoke Article 4, which sets out the thresholds, from the UK retained version of the European Commission Implementing Regulation 151/2018. This would allow the Commissioner, as the competent authority for digital service providers, to set the thresholds at a more appropriate level through guidance. Digital service providers would be required to have regard to these thresholds when determining whether they are required to notify the ICO of an incident under Regulation 12(3) of the NIS Regulations 2018.
We are consulting on potential approaches to thresholds that would be set out in the Commissioner’s guidance. We will then analyse the results and use the information provided to inform our assessment of the costs and benefits of the different options.
Please note the end date for the consultation has now been extended to Thursday 14 October.