The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

At a glance

  • The GDPR and NIS address different things – the GDPR concerns personal data, whilst NIS concerns the security of systems.
  • However, there is considerable overlap between the two due to the GDPR’s provisions on security and the likelihood that most organisations covered by NIS will also be data controllers (or even data processors).
  • The ICO is the UK’s data protection regulator. This means that we already regulate both OES and RDSPs, but only in the context of data protection law where they are data controllers.
  • NIS requires OES and RDSPs to notify their competent authorities if an incident takes place. Where an incident is, or becomes, a personal data breach, then you also need to inform the ICO separately from our function as the competent authority for RDSPs.

In brief

Are NIS and the GDPR the same?

No. The two laws are intended to address different things. NIS concerns the security of network and information systems and the digital data within them whilst the GDPR concerns the processing of personal data.

Whilst security and data protection go hand in hand, they’re also not the same. In this sense, NIS is actually broader than the GDPR, as it covers ‘digital data’, which does not just include personal data but any data relating to the network and information system and its provision and continuity.

Additionally, ‘digital data’ by default means that any manual data is not covered by NIS, unlike the GDPR where manual data is covered where such data forms part of, or is intended to form part of, a  filing system.

At the same time, NIS applies to fewer organisations than the GDPR. Unless you are an OES or RDSP, NIS will not apply to you – your security obligations will instead come from the GDPR.

Does the ICO regulate OES?

Not in the context of NIS. Both OES and RDSPs are likely to be data controllers and in some cases data processors. Where personal data is processed, the ICO has a regulatory function – but this is enforcing the GDPR, not NIS.

In practice, there may be considerable overlap due to the GDPR’s security requirements and those of NIS. For example, the GDPR also includes the classic information security concept of the ‘CIA triad’. This means that there’s a much greater alignment between the requirements of the GDPR and the NIS Directive.

In more detail – ICO guidance

Read our section on security in the Guide to the GDPR.

Please note the GDPR applies to any organisation processing personal data. NIS only applies to OES and RDSPs.

Can a NIS incident also be a personal data breach?

Yes. Many, if not all, organisations covered by NIS are data controllers or data processors under the GDPR; additionally, it’s entirely possible that a NIS incident may be, or may become, a personal data breach as defined by the GDPR.

The NIS Directive recognises this in Recital 60, which says:

‘Personal data are in many cases compromised as a result of incidents. In this context, competent authorities and data protection authorities should cooperate and exchange information on all relevant matters to tackle any personal data breaches resulting from incidents.’

Regulation 3(3)(f) of NIS specifies that competent authorities must:

‘consult and co-operate, as appropriate, with the Information Commissioner in addressing incidents resulting in breaches of personal data’

The reason for this is that in practice, personal data may be processed on network and information systems, particularly for both essential and digital services.

Firstly, whilst NIS concerns ‘digital data’ relating to the operation, use and maintenance of computer systems, this data could include personal data depending on the circumstances. This could mean that the NIS incident is also a personal data breach simultaneously.

Secondly, a NIS incident may lead to a personal data breach - for example, where a cyber-attacker has undertaken an initial attack on a service and subsequently compromises personal data that the service processes, such as customer information. The initial attack and its disruptive effect could comprise the NIS incident, whilst the subsequent unlawful access of personal data could comprise the personal data breach.

Example

An OES is subject to a cyber-attack that causes a substantial impact on the provision of its service. It reports this incident to its competent authority within 72 hours of becoming aware of it.

The OES then establishes that the incident also resulted to its customer database being unlawfully accessed by the attacker. This means that a personal data breach has also taken place, and the OES must notify the ICO of this in accordance with the GDPR’s requirements on breach reporting.

Not every NIS incident will cause a personal data breach. An easy way of comparing is to consider that, in information security terms, all personal data breaches are incidents, but not all incidents are personal data breaches.

In more detail – ICO guidance

Read our guidance on personal data breach notification in the Guide to the GDPR.

Who do we report to?

Depending on your circumstances, you may have to report an incident to both your competent authority (under NIS) and the ICO (under the GDPR). If you are an RDSP, our NIS incident reporting tool allows you to indicate whether personal data has also been compromised.

The GDPR is an entirely separate piece of legislation from NIS. If you are covered by NIS but are a controller or processor then the GDPR’s obligations apply to you in addition to your requirements under NIS. 

You may have to notify two separate regulators about the same incident – your NIS competent authority, and the ICO (if the same incident is also a personal data breach). You have to make both notifications without undue delay and within 72 hours of becoming aware, where feasible. If you are a data processor, you must notify your controller without undue delay so that it can notify the ICO within 72 hours, as required by the GDPR.

It is however possible that you may not know if the NIS incident is a personal data breach immediately. For example, after notifying your competent authority within 72 hours, your subsequent investigation discovers that the incident has also led to a personal data breach. At this point, you have 72 hours to notify the ICO.

Can we get fined twice – once for NIS and once for GDPR?

As the GDPR and NIS are separate laws, it is possible that you may be subject to regulatory action under both. However, any action might relate to different aspects of the incident and the potential infringements of the specific laws in question.

The ICO will work closely with other competent authorities and the NCSC so we will maintain a common approach. However, if a NIS incident is also a personal data breach, we have specific regulatory functions that we have to follow which are entirely separate to the NIS Regulations.

Any regulatory action we take, be it under NIS, the GDPR, or both, will be appropriate and proportionate to the failure identified.