
At a glance

  • You are required to notify the ICO of any incident that has a substantial impact on the provision of your services.
  • When assessing whether you need to notify, you have to take into account a number of factors, including the number of users affected, the duration of the incident, the geographical spread, the extent of the disruption and the extent of the incident’s impact.
  • The DSP Regulation provides further details on thresholds and parameters relating to these factors.
  • You must notify the ICO without undue delay and not later than 72 hours after becoming aware of a notifiable incident, where feasible.
  • We have developed a reporting tool that you can use to notify us of NIS incidents. You should also consider notifying the National Cyber Security Centre at the same time.

In brief

What is a NIS incident?

Regulation 1(1) of NIS defines an ‘incident’ as:

‘Any event having an actual adverse effect on the security of network and information systems.’

Read in conjunction with the definition of ‘security of network and information systems’, this is broadly in line with existing standards in information security, such as the definition of ‘incident’ within NIST Special Publication 800-53:

‘An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity or availability of information or an information system’

Is a NIS incident the same as a personal data breach under the UK GDPR?

Not necessarily. NIS concerns computer systems and the digital data stored and processed within them. The UK GDPR concerns the processing of personal data.

The digital data is that which is connected to the operation, use and maintenance of your digital service. However, this may include personal data. Also, the NIS incident may itself lead to a personal data breach, depending on the type of attack. The NIS incident may be the initial intrusion that disrupts your service, whilst the personal data breach could follow as a result of that intrusion.

In practice, it depends on the circumstances. If a personal data breach does occur, you have to notify the ICO of that breach under the UK GDPR; that obligation is separate from, and in addition to, any NIS notification. Our NIS reporting tool allows you to specify whether personal data has also been compromised in an incident.

We have provided more information on the links between the UK GDPR and NIS in the next section of the guide.

Further reading

Read the section of this guide on the relationship between NIS and the UK GDPR.

Our breach reporting page includes a reporting tool allowing you to notify us of any NIS incident. The tool also allows you to indicate if the incident also involved personal data.

When must we notify the ICO of a NIS incident?

You are required to notify the ICO of any incident that has a substantial impact on the provision of your digital service(s) without undue delay and not later than 72 hours after becoming aware of it. This broadly aligns with the reporting requirements for personal data breaches under the UK GDPR.

Only RDSPs are required to notify the ICO of a NIS incident. If you are an OES, you need to notify the competent authority for your sector.

What information must we provide?

Regulation 12(5) specifies that your notification must include:

  • your organisation’s name and the types of digital service(s) you provide;
  • the time the incident occurred;
  • the incident’s duration;
  • information about the incident’s nature and impact;
  • information about any cross-border impact; and
  • any other information that may assist the ICO.

The information about any cross-border impact must be sufficient to enable us to determine its significance.

We understand that in the immediate aftermath of an incident, you may not have all the necessary information required and will only learn this as your investigation unfolds. However, you still have to notify us that an incident has taken place. You can follow up with additional information resulting from your investigation as it becomes available and without undue delay.

We have developed a reporting form for you to use to report a NIS incident. It includes fields to fill in with all of the above information.

How do we determine if we need to notify?

You need to assess whether the incident caused a ‘substantial impact on the provision’ of your digital service(s) in order to decide if you need to notify.

Regulation 12(7) provides further details on how you can make this determination. When determining the impact of an incident you must take into account:

  • the number of users affected by the incident, in particular those relying on the service for the provision of their own services;
  • the duration of the incident;
  • the geographical spread with regard to the area affected;
  • the extent of the disruption of the functioning of the service; and
  • the extent of the impact on economic and societal activities.

You must also have regard to the incident thresholds we set out in this guidance.

Article 3 of the DSP Regulation provides further details on how you should consider factors such as number of users, duration, and extent of the disruption. Additionally, Article 3(6) says that when considering these factors, RDSPs:

‘shall not be required to collect additional information to which they do not have access’

It is important to note that these requirements only apply to RDSPs. If you are an OES, you should consult any relevant incident notification guidance from your competent authority.

What does the ‘number of users affected’ mean?

Article 3(1) of the DSP Regulation requires you to be in a position to estimate:

  • the number of affected persons you have a contract with (this includes both individuals and organisations); or
  • the number of affected users determined by reference to previous traffic data.

What does the ‘duration of the incident’ mean?

Article 3(2) of the DSP Regulation states that this refers to the period of time from the disruption of the service until its recovery.

You must assess the disruption on the basis of availability, authenticity, integrity and confidentiality of the digital data you process.

What does the ‘geographical spread with regard to the area affected’ mean?

Article 3(3) of the DSP Regulation clarifies that this refers to your ability to identify whether the NIS incident affects the provision of your services in other specific areas of the United Kingdom.

In practice, your service may be available UK-wide and therefore this factor may not always be relevant. However, if you provide digital services on a more local scale, you should assess the extent to which the incident affects the provision of your service in the areas you offer it.

What does the ‘extent of the disruption’ mean?

Article 3(4) of the DSP Regulation requires you to be able to measure whether the NIS incident has impaired one or more of the following:

  • the availability of data or related services;
  • the authenticity of data or related services;
  • the integrity of data or related services; and
  • the confidentiality of data or related services.

What does the ‘extent of the impact’ mean?

Article 3(5) of the DSP Regulation requires you to be able to conclude whether the incident has:

‘caused significant material or non-material losses for the users in relation to health, safety, or damage to property.’

You should reach this conclusion by indications such as the nature of your contractual relations with your customers (ie the type of customer your digital service serves) and, where appropriate, the potential number of affected users.

What thresholds apply?

When you assess the factors above, Regulation 12(7)(b) says you must also have regard to the thresholds this guidance details. These thresholds are where the ICO considers a NIS incident to have a substantial impact on the provision of your digital service.

You should consider the impact of an incident to be substantial when at least one of the following thresholds is met.

  • Availability: your service was unavailable for more than 750,000 user-hours. The term “user-hour” refers to the number of affected users in the UK for a duration of 60 minutes.
  • Integrity, authenticity or confidentiality: the incident resulted in a loss of integrity, authenticity or confidentiality of the data your service stores or transmits, or of the related services you offer or make available via your systems, and the loss affected more than 15,000 users in the UK.
  • Risk: the incident created a risk to public safety, public security, or of loss of life.
  • Material damage: the incident caused material damage to at least one user in the UK, and the damage to that user exceeded £850,000.

You are only required to notify the ICO where the incident meets one of these thresholds. However, we encourage you to provide voluntary notification reports of other incidents.
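The following is an added worked example, not part of the ICO’s guidance or any ICO tool, showing how an RDSP might encode the threshold test above in an incident-response runbook. The numeric thresholds are taken from this guidance; everything else (the class and field names, the way outage windows are summed into user-hours, and the sample incident) is this example’s own. It assumes each outage window describes a distinct group of affected UK users, so that the windows can simply be summed; the sample incident is constructed and does not describe a real case.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Thresholds as stated in this guidance; the variable names are this example's own.
AVAILABILITY_USER_HOURS = 750_000      # "more than 750,000 user-hours"
CIA_AFFECTED_USERS = 15_000            # "more than 15,000 users in the UK"
MATERIAL_DAMAGE_GBP = 850_000          # "exceeded £850,000" for a single UK user
NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class OutageWindow:
    """A period during which a given number of UK users could not use the service.

    Assumption of this example (not a rule from the guidance): windows describe
    distinct user populations or non-overlapping times, otherwise users who
    appear in two overlapping windows would be double-counted.
    """
    start: datetime
    end: datetime
    affected_users: int


@dataclass
class Incident:
    aware_at: datetime                         # when the RDSP became aware of the incident
    outage: list[OutageWindow] = field(default_factory=list)
    cia_loss_users: int = 0                    # UK users hit by loss of integrity/authenticity/confidentiality
    public_safety_risk: bool = False           # risk to public safety, public security or of loss of life
    max_single_user_damage_gbp: float = 0.0    # largest material damage caused to any one UK user


def user_hours(windows: list[OutageWindow]) -> float:
    """Sum affected_users x duration-in-hours over all outage windows.

    One user-hour is one affected UK user for 60 minutes, so 10,000 users
    unable to use the service for 90 minutes is 15,000 user-hours.
    """
    total = 0.0
    for w in windows:
        if w.end < w.start:
            raise ValueError(f"window ends before it starts: {w}")
        total += w.affected_users * (w.end - w.start).total_seconds() / 3600
    return total


def thresholds_met(incident: Incident) -> list[str]:
    """Return the names of the guidance thresholds this incident meets (empty if none).

    Comparisons are strict (> rather than >=) because the guidance says
    "more than" and "exceeded".
    """
    met = []
    if user_hours(incident.outage) > AVAILABILITY_USER_HOURS:
        met.append("availability")
    if incident.cia_loss_users > CIA_AFFECTED_USERS:
        met.append("integrity, authenticity or confidentiality")
    if incident.public_safety_risk:
        met.append("risk")
    if incident.max_single_user_damage_gbp > MATERIAL_DAMAGE_GBP:
        met.append("material damage")
    return met


def must_notify(incident: Incident) -> bool:
    """Notification to the ICO is required if at least one threshold is met."""
    return bool(thresholds_met(incident))


def notification_deadline(incident: Incident) -> datetime:
    """Latest time a notification may be made: 72 hours after becoming aware."""
    return incident.aware_at + NOTIFICATION_WINDOW


# Constructed sample incident (not a real case): a day-long partial outage for
# 40,000 users plus a shorter total outage for a different 100,000 users.
# Neither window alone reaches 750,000 user-hours, but together they do.
UTC = timezone.utc
SAMPLE = Incident(
    aware_at=datetime(2024, 3, 1, 10, 0, tzinfo=UTC),
    outage=[
        OutageWindow(datetime(2024, 3, 1, 9, 0, tzinfo=UTC),
                     datetime(2024, 3, 1, 21, 0, tzinfo=UTC), 40_000),    # 12 h -> 480,000 user-hours
        OutageWindow(datetime(2024, 3, 1, 9, 30, tzinfo=UTC),
                     datetime(2024, 3, 1, 12, 30, tzinfo=UTC), 100_000),  #  3 h -> 300,000 user-hours
    ],
    cia_loss_users=2_000,
)

if __name__ == "__main__":
    print(f"user-hours: {user_hours(SAMPLE.outage):,.0f}")
    print(f"thresholds met: {thresholds_met(SAMPLE) or 'none'}")
    print(f"must notify ICO: {must_notify(SAMPLE)}")
    print(f"notify by: {notification_deadline(SAMPLE).isoformat()}")
```

The point the arithmetic makes is that availability is assessed as a product of users and time, so a short outage affecting a large population can tip an incident over the threshold even when each individual window looks modest. A tool like this only settles whether the NIS duty is triggered; whether the same incident is a personal data breach needing separate UK GDPR notification is a different test.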

It is also important to understand that if the NIS incident results in a personal data breach, the UK GDPR’s breach notification requirements apply whether or not the incident meets one of these thresholds. This requires you to assess whether the personal data breach could result in a risk to the rights and freedoms of individuals.

This may mean you are required to notify the ICO of the personal data breach, even if you may not have to tell us about the NIS incident.

Further reading

Personal data breaches

Do we need to notify anyone else?

Although the ICO is required to share incident notifications with the National Cyber Security Centre, you should consider voluntarily reporting the incident to them as well. This is particularly the case if you determine that you require the NCSC’s support to manage the incident.

The NCSC will provide advice, guidance, and (depending on resources) support for incidents that:

  • may result in significant loss of data critical to the ongoing operation of your organisation;
  • disrupt essential services (if you are providing a digital service for an OES); or
  • indicate unauthorised access to, or the installation of malicious software on, key systems where you are unable to resolve these issues yourselves.

If you require this level of support, you should mark your report as ‘FOR ACTION’.

Our incident reporting tool provides further information on how you can notify the NCSC, including instances where you may not require direct support but wish to inform them of an incident so they can provide wider advice on cyber threats.

Depending on the nature of the incident, you may also wish to notify other organisations such as the National Crime Agency and Action Fraud.

Do we need to notify the public?

We may take the view that public awareness of a particular incident is necessary, eg because it is in the public interest. In these cases we will consult you first, but we may decide either to inform the public ourselves or to direct you to do so by means of an Enforcement Notice.

We will also consult the NCSC when making these decisions.

What are the notification requirements when an OES relies on an RDSP’s services?

An OES may rely on an RDSP to provide its essential service. An incident that has a substantial impact on the services RDSPs provide may therefore also have a knock-on impact on the continuity of the OES’s own services.

Regulation 12(9) says that where an OES does rely on an RDSP, the OES must notify its designated competent authority in writing about

“any significant impact on the continuity of the service it provides caused by an incident affecting the RDSP without undue delay”.