Report a NIS incident
Relevant Digital Service Providers need to notify the ICO of an incident under the NIS Regulations.
At a glance
- You are required to notify the ICO of any incident that has a substantial impact on the provision of your services.
- When assessing whether you need to notify, you have to take into account a number of factors, including the number of users affected, the duration of the incident, the geographical spread, the extent of the disruption and the extent of the incident’s impact.
- The DSP Regulation provides further details on thresholds and parameters relating to these factors.
- You must notify the ICO without undue delay and no later than 72 hours after becoming aware of any incident, where feasible.
- We have developed a reporting tool that you can use to notify us of NIS incidents. You should also consider notifying the National Cyber Security Centre at the same time.
In brief
- What is a NIS incident?
- Is a NIS incident the same as a personal data breach under the UK GDPR?
- When must we notify the ICO of a NIS incident?
- What information must we provide?
- How do we determine if we need to notify?
- What does the ‘number of users affected’ mean?
- What does the ‘duration of the incident’ mean?
- What does the ‘geographical spread with regard to the area affected’ mean?
- What does the ‘extent of the disruption’ mean?
- What does the ‘extent of the impact’ mean?
- What thresholds apply?
- Do we need to notify anyone else?
- Do we need to notify the public?
- What are the notification requirements when an OES relies on an RDSP’s services?
What is a NIS incident?
Regulation 1(1) of NIS defines an ‘incident’ as:
‘Any event having an actual adverse effect on the security of network and information systems.’
Read in conjunction with the definition of ‘security of network and information systems’, this is broadly in line with existing standards in information security, such as the definition of ‘incident’ within NIST Special Publication 800-53:
‘An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity or availability of information or an information system’
Is a NIS incident the same as a personal data breach under the UK GDPR?
Not necessarily. NIS concerns computer systems and the digital data stored and processed within them. The UK GDPR concerns the processing of personal data.
The digital data in question is the data connected to the operation, use and maintenance of your digital service. However, this may include personal data. Also, the NIS incident may itself lead to a personal data breach, depending on the type of attack. The NIS incident may be the initial intrusion that disrupts your service, whilst the personal data breach could follow as a result of that intrusion.
In practice, it depends on the circumstances. However, if a personal data breach does occur, you have to notify the ICO under the UK GDPR, not NIS. Our NIS reporting tool allows you to specify whether personal data has also been compromised in an incident.
We have provided more information on the links between the UK GDPR and NIS in the next section of the guide.
Further reading
Read the section of this guide on the relationship between NIS and the UK GDPR.
Our breach reporting page includes a reporting tool allowing you to notify us of any NIS incident. The tool also allows you to indicate if the incident also involved personal data.
When must we notify the ICO of a NIS incident?
You are required to notify the ICO of any incident without undue delay and no later than 72 hours after becoming aware of it. This broadly aligns with the reporting requirements for personal data breaches under the UK GDPR.
Only RDSPs are required to notify the ICO of a NIS incident. If you are an OES, you need to notify the competent authority for your sector.
What information must we provide?
Regulation 12(5) specifies that your notification must include:
- your organisation’s name and the types of digital service(s) you provide;
- the time the incident occurred;
- the incident’s duration;
- information about the incident’s nature and impact;
- information about any cross-border impact; and
- any other information that may assist the ICO.
The information about any cross-border impact must be sufficient to enable us to determine its significance.
We understand that in the immediate aftermath of an incident, you may not have all the required information and will only learn it as your investigation unfolds. However, you still have to notify us that an incident has taken place. You can follow up with additional information resulting from your investigation as it becomes available and without undue delay.
We have developed a reporting form for you to use to report a NIS incident. It includes fields to fill in with all of the above information.
How do we determine if we need to notify?
You need to assess whether the incident caused a ‘substantial impact on the provision’ of your digital service(s) in order to decide if you need to notify.
Regulation 12(7) provides further details on how you can make this determination. When determining the impact of an incident you must take into account:
- the number of users affected by the incident, in particular those relying on the service for the provision of their own services;
- the duration of the incident;
- the geographical spread with regard to the area affected;
- the extent of the disruption of the functioning of the service; and
- the extent of the impact on economic and societal activities.
You must also have regard to the incident thresholds we set out in this guidance.
Article 3 of the DSP Regulation provides further details on how you should consider factors such as number of users, duration, and extent of the disruption. Additionally, Article 3(6) says that when considering these factors, RDSPs:
‘shall not be required to collect additional information to which they do not have access’
It is important to note that these requirements only apply to RDSPs. If you are an OES, you should consult any relevant incident notification guidance from your competent authority.
What does the ‘number of users affected’ mean?
Article 3(1) of the DSP Regulation requires you to be in a position to estimate:
- the number of affected persons you have a contract with (this includes both individuals and organisations); or
- the number of affected users determined by reference to previous traffic data.
What does the ‘duration of the incident’ mean?
Article 3(2) of the DSP Regulation states that this refers to the period of time from the disruption of the service until its recovery.
You must assess the disruption on the basis of availability, authenticity, integrity and confidentiality of the digital data you process.
What does the ‘geographical spread with regard to the area affected’ mean?
Article 3(3) of the DSP Regulation clarifies that this refers to your ability to identify whether the NIS incident affects the provision of your services in other specific areas of the United Kingdom.
In practice, your service may be available UK-wide and therefore this factor may not always be relevant. However, if you provide digital services on a more local scale, you should assess the extent to which the incident affects the provision of your service in the areas you offer it.
What does the ‘extent of the disruption’ mean?
Article 3(4) of the DSP Regulation requires you to be able to measure whether the NIS incident has impaired one or more of the following:
- the availability of data or related services;
- the authenticity of data or related services;
- the integrity of data or related services; and
- the confidentiality of data or related services.
What does the ‘extent of the impact’ mean?
Article 3(5) of the DSP Regulation requires you to be able to conclude whether the incident has:
‘caused significant material or non-material losses for the users in relation to health, safety, or damage to property.’
You should reach this conclusion on the basis of indications such as the nature of your contractual relations with your customers (ie the type of customer your digital service serves) and, where appropriate, the potential number of affected users.