The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

At a glance

  • NIS is overseen by a number of ‘competent authorities’ that monitor different sectors. The ICO is the competent authority for RDSPs.
  • In many cases both OES and RDSPs are also data controllers and/or processors under the GDPR, meaning that the ICO also has regulatory functions in that context. .
  • The ICO has a range of enforcement powers that we can use where appropriate.
  • We can issue information notices that require you to provide us with certain information.
  • We can issue enforcement notices that require you to take, or refrain from taking, particular steps or actions.
  • We can issue monetary penalties if you contravene NIS, up to a maximum of £17 million in the most serious cases.
  • We also have powers of inspection – we can inspect you ourselves, appoint a third party, or require you to appoint a third party.

In brief

How is NIS enforced?

NIS is overseen by different ‘competent authorities’ whose general function is to monitor the application of the Regulations. The UK has chosen to create sector-specific competent authorities, with the ICO being responsible for overseeing relevant digital service providers.

Who are the other Competent Authorities?

A list of the Competent Authorities is included in Schedule 1 of NIS. With essential services, depending on the sector there may be different competent authorities within each part of the UK.

If you are an OES reading this guidance we encourage you to check the website of your competent authority for advice specific to your circumstances, including thresholds for identification and any specific security or incident reporting requirements.

What enforcement powers does the ICO have?

We have a range of actions that we can take, including;

  • information notices;
  • enforcement notices;
  • penalty notices; and
  • inspection powers.

Information notices

Under Regulation 15(3), the ICO may serve an ‘information notice’ (IN) on you where we reasonably require information to enable us to assess:

  • the security of your network and information systems; and
  • the implementation of your security policies, including any inspections conducted.

The IN will describe the information we require, the reasons why we require it, how you should provide it to us and the time period. If you don’t comply with an IN, we can issue you with an enforcement notice.

Enforcement notices

Under Regulation 17(2), we may serve an enforcement notice (EN) on you if we have reasonable grounds to believe you have failed to:

  • fulfil your security obligations under Regulation 12;
  • notify us of a security incident under Regulation 12(3);
  • comply with your notification obligations in Regulation 12(5);
  • notify the public about any incident, if we have required you to do so under Regulation 12(12);
  • comply with an Information Notice under Regulation 15; and
  • complying with the inspection requirements of Regulation 16(2) and (3).

If you don’t comply with the steps in the EN, you run the risk of the ICO imposing a penalty on you.

Inspections

Under Regulation 16(2), the ICO has the power to conduct an inspection to see if you have fulfilled your security obligations. Our inspection power allows us to:

  • conduct an inspection ourselves;
  • appoint someone to conduct an inspection on our behalf; or
  • require you to appoint someone approved by us to conduct an inspection.

You also have to take steps to assist the inspection, as listed in Regulation 16(3). These steps include:

  • paying for the ‘reasonable costs’ of the inspection;
  • co-operating with the inspector(s);
  • providing the inspector(s) with ‘reasonable access’ to your premises;
  • allowing the inspector(s) access to documents and information that may be relevant; and
  • allowing the inspector(s) access to any individual that may be relevant.

If you don’t take these steps, you run the risk of the ICO imposing a penalty on you.

Penalty notices

Regulation 18(2) gives the ICO the power to serve a penalty notice on you in certain circumstances. We will first serve you with an EN directing you to take certain steps. If you fail to take such steps, or we are not satisfied with your explanation as to why you do not need to take them, we may then issue a penalty notice.

The penalty notice will specify:

  • the reasons for imposing a penalty;
  • the sum that we are imposing;
  • the date of the notice;
  • the date by which you must pay the penalty;
  • how you can appeal against the notice; and
  • the consequences of failing to pay within the period specified.

Under Regulation 18(5) we are required to issue a penalty that is appropriate and proportionate to the failure. For more information on how the ICO undertakes regulatory action including imposing penalties, see our Regulatory Action Policy.

What are the levels of penalties?

There are different penalties depending on the nature of any ‘material contravention’. A material contravention is where you have failed to take steps within a particular time period to remedy any issues that we have identified, such as compliance with your security obligations.

Importantly, penalties in NIS are not just imposed if an incident takes place. You receive the penalty for the contravention, and this may include failure to comply with an EN or failure to co-operate with an inspection.

Penalty

Type of contravention

Up to £1,000,000

Any which we determine could not cause an incident, such as a failure to comply with an Information Notice or lack of co-operation with an inspection.

Up to £3,400,000

Any material contravention which we determine has caused, or could cause, an incident leading to a reduction in the provision of your service.

Up to £8,500,000

Any material contravention which we determine has caused, or could cause, an incident leading to the disruption of your service.

Up to £17,000,000

Any material contravention which we determine has caused, or could cause, an incident that results in a threat to life or in significant adverse impact on the UK economy.