At a glance
- NIS aims to address the security of network and information systems and the digital data they process. It applies to two groups of organisations: ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs).
- OES include organisations that run services that are critical to the economy and wider society, such as water, transport, energy, healthcare and digital infrastructure.
- RDSPs include online search engines, online marketplaces and cloud computing services. They must have their head office in the UK, or have appointed a UK representative.
- Small and micro enterprises – those of fewer than 50 staff and a turnover of less than €10 million per year – are exempt from the RDSP definition. However, if a digital service is part of a larger group, this group’s size may need to be taken into account.
- RDSPs are required to implement appropriate technical and organisational measures to prevent and minimise the impact of incidents that affect their systems. These measures must be appropriate to the risk posed.
- The ICO will regulate RDSPs as their ‘competent authority’. We have a range of powers that we can use, including issuing monetary penalties of up to £17 million in the most serious cases. RDSPs are also required to register with us by 1 November 2018.
- If an RDSP suffers an incident that has a substantial impact on its service, it must notify the ICO within 72 hours of becoming aware of it.
- NIS has a number of overlaps with the General Data Protection Regulation (GDPR), such as its security provisions, and the fact that most organisations covered by NIS will also be data controllers (and in some cases data processors).
- The National Cyber Security Centre (NCSC) will act as the NIS ‘single point of contact’ (SPOC) dealing with cross-border impacts, and the ‘computer security incident response team’ (CSIRT), which will monitor threats, provide early warnings and disseminate information.
What is NIS?
NIS stands for ‘the Network and Information Systems Regulations 2018’. It is derived from a European law (the ‘NIS Directive’) and is intended to establish a common level of security for network and information systems. These systems play a vital role in the economy and wider society, and NIS aims to address the threats posed to them from a range of areas, most notably cyber-attacks.
Although NIS primarily involves cybersecurity measures, it is not solely about cybersecurity. NIS also covers physical and environmental factors.
NIS applies to two groups of organisations: ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs). This guidance provides details on the requirements NIS places on RDSPs. Although aimed at DSPs, it may also be useful for OES.
The ICO is the ‘competent authority’ for digital service providers. We have a range of powers that we can use to enforce NIS, including issuing fines of up to £17 million in the most serious cases.
What are the key concepts?
NIS concerns the security of ‘network and information systems’. These are any systems that process ‘digital data’ for their operation, use, protection and maintenance. NIS requires these systems to have sufficient security to prevent any action that compromises either the data they store or any related services they provide.
As stated above, NIS targets two groups of organisations: ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs).
OES are organisations that operate services deemed critical to the economy and wider society. They include critical infrastructure (water, transport, energy) and other important services, such as healthcare and digital infrastructure.
RDSPs are organisations that provide specific types of digital services: online search engines, online marketplaces and cloud computing services. To be an RDSP, you must provide one or more of these services, have your head office in the UK (or have nominated a UK representative) and be a medium-sized enterprise.
There is a general small business exemption for digital services; if you have fewer than 50 staff and a turnover of less than €10 million then you are not an RDSP, and NIS does not apply. However, if you are part of a larger group, you may need to include the staff and turnover size of the group when assessing whether the small business exemption applies.
Which digital service providers are covered?
NIS only applies to ‘relevant digital service providers’ (RDSPs). You are an RDSP if you:
- provide one or more of an online search engine, online marketplace or cloud computing service;
- are not a small or micro business; and
- have a head office in the UK (or have nominated a UK representative).
You must provide your digital service to external customers – ie, individuals or organisations. If you maintain these services internally, NIS does not apply.
Online search engines are digital services that enable individuals to perform searches of all websites based on a particular query or search term. If you run a website that uses an embedded search, like Google Search, your site is not covered by NIS and you are not deemed to be an RDSP – it is the underlying search engine that is covered.
Online marketplaces are digital services that allow individuals or traders to conclude sales or service contracts with traders, either on their own website or by means of providing services to traders’ websites. Online retailers that sell directly to individuals on their own behalf are not covered.
Cloud computing services are digital services that enable access to a scalable and elastic pool of computing resources. If you provide ‘Platform as a Service’ (PaaS) and/or ‘Infrastructure as a Service’ (IaaS) solutions then you are covered by this definition. If you provide ‘Software as a Service’ (SaaS) you are also covered to the extent that:
- your service is scalable and elastic; and
- you are a business-to-business (B2B) service provider.
RDSPs will be required to register with the ICO by 1 November 2018. You need to tell us:
- the name of your service;
- the address of your head office, or that of your nominated representative; and
- up-to-date contact details, including email address and telephone number.
What are the security requirements?
If you are an RDSP, you are required to take appropriate and proportionate technical and organisational measures to manage the risks to your systems. These measures must ensure a level of security appropriate to the risk posed. You must also prevent and minimise the impact of incidents that affect your systems so that the continuity of your service is not affected.
NIS has specific obligations for these measures, which are further detailed by an EU implementing act, Regulation 2018/151, known as the ‘DSP Regulation’ as it is specifically aimed at digital services.
Your security measures must take into account the following:
- the security of your systems and facilities;
- your incident handling processes and procedures;
- business continuity management;
- monitoring, auditing and testing; and
- compliance with international standards.
Many of these requirements align with the security provisions of the GDPR. It may also be the case that you are a data controller, in which case the GDPR applies to you anyway.
You must also maintain documentation to evidence your measures. This also aligns with the accountability principle of the GDPR, and other provisions on documentation. We can request to see these records during any investigation or inspection.
We will provide further detailed guidance on these security requirements soon. In the meantime, guidance from the National Cyber Security Centre (NCSC) and the European Union Agency for Network and Information Security (ENISA) may assist you.
Who regulates NIS?
NIS will be overseen by a number of ‘competent authorities’ that will regulate specific sectors. The ICO will be the competent authority for RDSPs.
The ICO has a range of enforcement powers that we can use where appropriate:
- we can issue information notices that require you to provide us with certain information;
- we can issue enforcement notices that require you to take, or refrain from taking, particular steps or actions;
- we can issue monetary penalties for material contraventions, up to a maximum of £17 million in the most serious cases; and
- we also have powers of inspection – we can inspect you ourselves, appoint a third party, or require you to arrange one.
What is a ‘material contravention’?
A “material contravention” is defined at Regulation 18(7)(a) as:
‘a failure to take steps, or any adequate steps, within the stipulated time period to rectify a failing that is described in regulation 17(1)(a) to (d) or (2)(a) to (e)’
If you are an RDSP, Regulations 17(2)(a) to (e) are those that apply in this context. These are where:
- you fail to fulfil your security obligations under Regulations 12(1) and (2);
- you fail to notify us of a NIS incident;
- you don’t provide the required information when notifying as specified in Regulation 12(5);
- you fail to comply if we, or the NCSC, direct you to notify the public about an incident; or
- you fail to comply with an Information Notice issued under Regulation 15.
What are the incident notification requirements for RDSPs?
You are required to notify the ICO of any incident that has a substantial impact on the provision of your services.
When assessing whether notification is required, you have to take into account a number of factors, including:
- the number of users affected (including those who rely on your service for providing their own services);
- the duration of the incident;
- the geographical area affected;
- the extent of the disruption on the functioning of your service; and
- the extent of the incident’s impact.
The DSP Regulation provides further details on thresholds and parameters relating to these factors, and we will also provide further guidance on these soon.
You must notify the ICO without undue delay and not later than 72 hours after becoming aware of any incident.
You should also consider voluntarily reporting the incident to the National Cyber Security Centre (NCSC), particularly where you determine that you will require their support to manage the incident.
You may also need to consider notifying other organisations, such as the National Crime Agency, Action Fraud and other relevant agencies.
To tell us about a NIS incident, please use our notification form.
How does NIS relate to the GDPR?
The GDPR and NIS address different things – the GDPR concerns personal data, whilst NIS concerns the security of systems. However, there is considerable overlap between the two due to the GDPR’s provisions on security and the likelihood that most organisations covered by NIS will also be data controllers (or even data processors).
The ICO is the UK’s data protection regulator. This means that we already have a regulatory function over both OES and RDSPs, but only in the context of data protection law.
NIS requires OES and RDSPs to notify their competent authorities if an incident takes place. Where these involve personal data, the GDPR’s notification requirements also apply. OES may therefore need to consider whether they also need to inform the ICO. This will however depend on the nature of the incident.
What is the role of the NCSC?
The National Cyber Security Centre or NCSC is the UK’s technical authority for cyber threats. It is part of the Government Communications Headquarters (GCHQ).
The NCSC will be the ‘single point of contact’ or SPOC. In this role it will receive annual reports of NIS incidents from all competent authorities and co-ordinate with its counterparts in other Member States.
It will also be the ‘computer security incident response team’ or CSIRT. This means it will monitor incidents, provide early warnings, disseminate information, conduct cyber threat assessments and provide general technical support to competent authorities.
The ICO will share incident reports with the NCSC in its capacity as the CSIRT. We will share these as soon as it is reasonably practicable to do so.
The NCSC has also published information on the relationship between it and the NIS competent authorities for OES.