The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

At a glance

  • You are required to notify the ICO of any incident that has a substantial impact on the provision of your services.
  • When assessing whether you need to notify, you have to take into account a number of factors, including the number of users affected, the duration of the incident, the geographical spread, the extent of the disruption and the extent of the incident’s impact.
  • The DSP Regulation provides further details on thresholds and parameters relating to these factors.
  • You must notify the ICO without undue delay and no later than 72 hours after becoming aware of any incident, where feasible.
  • We have developed a reporting tool that you can use to notify us of NIS incidents. You should also consider notifying the National Cyber Security Centre at the same time.

In brief

What is a NIS incident?

Regulation 1(1) of NIS defines an ‘incident’ as:

‘Any event having an actual adverse effect on the security of network and information systems.’

Read in conjunction with the definition of ‘security of network and information systems’, this is broadly in line with existing standards in information security, such as the definition of ‘incident’ within NIST Special Publication 800-53:

‘An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity or availability of information or an information system’

Is a NIS incident the same as a GDPR personal data breach?

Not necessarily. NIS concerns computer systems and the digital data stored and processed within them. The GDPR concerns the processing of personal data.

The digital data is that which is connected to the operation, use and maintenance of your digital service. However, this may include personal data. Also, the NIS incident may itself lead to a personal data breach, depending on the type of attack. The NIS incident may be the initial intrusion that disrupts your service, whilst the personal data breach could follow as a result of that intrusion.

In practice, it depends on the circumstances. However, if a personal data breach does occur, you have to notify the ICO under the GDPR, not NIS. Our NIS reporting tool allows you to specify whether personal data has also been compromised in an incident.

We have provided more information on the links between the GDPR and NIS in the next section of the guide.

In more detail – ICO guidance

Read the section of the guide on the relationship between NIS and the GDPR.


Further reading

Our breach reporting page includes a reporting tool allowing you to notify us of any NIS incident. The tool also allows you to indicate if the incident also involved personal data.

When must we notify the ICO of a NIS incident?

You are required to notify the ICO of any incident without undue delay and no later than 72 hours after becoming aware of it. This broadly aligns with the reporting requirements for personal data breaches under the GDPR.

Only RDSPs are required to notify the ICO of a NIS incident. If you are an OES, you need to notify the competent authority for your sector.

What information must we provide?

Regulation 12(5) specifies that your notification must include:

  • your organisation’s name and the types of digital service(s) you provide;
  • the time the incident occurred;
  • the incident’s duration;
  • information about the incident’s nature and impact;
  • information about any cross-border impact; and
  • any other information that may assist the ICO.

The information about any cross-border impact must be sufficient to enable us to determine its significance.

We understand that in the immediate aftermath of an incident, you may not have all the necessary information required and will only learn this as your investigation unfolds. However, you still have to notify us that an incident has taken place. You can follow up with additional information resulting from your investigation as it becomes available and without undue delay.

We have developed a tool for you to use to report an incident. It includes fields to fill in with all of the above information.

How do we determine if we need to notify?

You need to assess whether the incident caused a ‘substantial impact on the provision’ of your digital service(s) in order to decide if you need to notify.

Regulation 12(7) provides further details on how you can make this determination. This refers to provisions within Article 3 of the DSP Regulation. In short, when determining the impact of an incident you must take into account:

  • the number of users affected by the incident, in particular those relying on the service for the provision of their own services;
  • the duration of the incident;
  • the geographical spread with regard to the area affected;
  • the extent of the disruption of the functioning of the service;
  • the extent of the impact on economic and societal activities; and
  • whether one of the situations specified in Article 4 of the DSP Regulation has taken place.

Articles 3 and 4 of the DSP Regulation provide further details on how you should consider these factors. It is important to note that this only applies to RDSPs. If you are an OES, you have different factors to assess the impact of any incident.

What does the ‘number of users affected’ mean?

Article 3(1) of the DSP Regulation requires you to be in a position to estimate:

  • the number of affected persons you have a contract with (this includes both individuals and organisations); or
  • the number of affected users determined by reference to previous traffic data.

What does the ‘duration of the incident’ mean?

Article 3(2) of the DSP Regulation states that this refers to the period of time from the disruption of the service until its recovery.

You must assess the disruption on the basis of availability, authenticity, integrity and confidentiality of the digital data you process.

What does the ‘geographical spread with regard to the area affected’ mean?

Article 3(3) of the DSP Regulation clarifies that this refers to your ability to identify whether the NIS incident affects the provision of your services in other Member States – in other words, you need to determine if the incident has cross-border impact.

You are required to provide the ICO with sufficient information for us to assess the significance of any cross-border impact.

What does the ‘extent of the disruption’ mean?

Article 3(4) of the DSP Regulation requires you to be able to measure whether the NIS incident has impaired one or more of the following:

  • the availability of data or related services;
  • the authenticity of data or related services;
  • the integrity of data or related services; and
  • the confidentiality of data or related services.

What does the ‘extent of the impact’ mean?

Article 3(5) of the DSP Regulation requires you to be able to conclude whether the incident has:

‘caused significant material or non-material losses for the users in relation to health, safety, or damage to property.’

You should reach this conclusion on the basis of indications such as the nature of your contractual relations with your customers (ie the type of customer your digital service serves) and, where appropriate, the potential number of affected users.

Importantly, under Article 3(6) of the DSP Regulation, for the purposes of the above, DSPs:

‘shall not be required to collect additional information to which they do not have access’

What are the ‘situations described in Article 4’ of the DSP Regulation?

Article 4 of the DSP Regulation describes a number of ‘situations’ or parameters where you could consider an incident as having a ‘substantial impact’. You should use these when determining the impact of any incident:

  • Your service was unavailable for more than 5 million user hours, where the term ‘user hour’ refers to ‘the number of affected users in the Union for a duration of 60 minutes’.
  • The incident resulted in a loss of integrity, authenticity or confidentiality of ‘stored or transmitted or processed data’ or ‘the related services offered by or accessible via’ the DSP’s systems, and this loss affects more than 100,000 users in the Union.
  • The incident has ‘created a risk to public safety, public security or of loss of life’.
  • The incident has ‘caused material damage to at least one user in the Union’, where the damage to that user exceeds €1m.

An incident is considered substantial when at least one of the above has taken place.
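The Article 3 estimates and Article 4 thresholds above can be turned into a repeatable triage check. The following is an added illustration, not the ICO's reporting tool or any official calculator; the field names, the 'hypothetical' incident facts and the treatment of a not-yet-recovered incident (measured up to 'now') are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Article 4 parameters as quoted in the guidance above.
USER_HOURS_THRESHOLD = 5_000_000       # service unavailable for more than 5 million user hours
CIA_USERS_THRESHOLD = 100_000          # loss of integrity/authenticity/confidentiality, > 100,000 EU users
SINGLE_USER_DAMAGE_EUR = 1_000_000     # material damage to at least one EU user exceeding EUR 1m
NOTIFY_WINDOW = timedelta(hours=72)    # "without undue delay and not later than 72 hours"

@dataclass
class IncidentFacts:
    """Facts an RDSP must be able to estimate under Article 3 (hypothetical field names)."""
    affected_users_eu: int                      # users in the Union affected by the outage
    disruption_start: datetime
    recovery_end: Optional[datetime] = None     # None while the service is still disrupted
    cia_loss_users_eu: int = 0                  # users hit by loss of integrity/authenticity/confidentiality
    risk_to_public_safety: bool = False
    max_damage_to_one_user_eur: float = 0.0
    personal_data_compromised: bool = False

def user_hours(facts: IncidentFacts, now: Optional[datetime] = None) -> float:
    """'User hour' = affected users in the Union for 60 minutes; duration runs from the
    disruption until recovery (Article 3(2)), or up to 'now' if not yet recovered."""
    end = facts.recovery_end or now or datetime.now(timezone.utc)
    hours = (end - facts.disruption_start).total_seconds() / 3600
    return facts.affected_users_eu * hours

def article4_triggers(facts: IncidentFacts, now: Optional[datetime] = None) -> list:
    """Return the Article 4 situations met; any entry makes the incident 'substantial'."""
    hit = []
    if user_hours(facts, now) > USER_HOURS_THRESHOLD:
        hit.append("unavailability > 5 million user hours")
    if facts.cia_loss_users_eu > CIA_USERS_THRESHOLD:
        hit.append("integrity/authenticity/confidentiality loss > 100,000 EU users")
    if facts.risk_to_public_safety:
        hit.append("risk to public safety, public security or loss of life")
    if facts.max_damage_to_one_user_eur > SINGLE_USER_DAMAGE_EUR:
        hit.append("material damage > EUR 1m to one EU user")
    return hit

def notification_plan(facts: IncidentFacts, aware_at: datetime, now: Optional[datetime] = None) -> dict:
    """NIS notification is mandatory only if an Article 4 situation is met; a personal data
    breach is assessed separately under the GDPR regardless of these thresholds."""
    triggers = article4_triggers(facts, now)
    return {"nis_notification_required": bool(triggers), "triggers": triggers,
            "nis_deadline": aware_at + NOTIFY_WINDOW,
            "assess_gdpr_breach_separately": facts.personal_data_compromised}
```

Note that a threshold that is exactly met (for example 100,000 users) does not trigger, because Article 4 speaks of "more than"; the plan's GDPR flag reminds the responder that the personal data breach question is decided on risk to individuals, not on these numbers.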

It is important to understand that if the NIS incident results in a personal data breach, the above factors and thresholds do not decide whether that breach must be reported. Essentially, the incident may not meet any of the thresholds above, but if personal data was compromised, you need to assess whether this could result in a risk to the rights and freedoms of individuals.

If that is the case you are required to notify the ICO of a personal data breach, even if you may not have to tell us about the NIS incident.

In more detail – ICO guidance

Read our guidance on personal data breaches in the Guide to the GDPR.

What if the incident meets none of these thresholds?

You are only required to notify the ICO if the above thresholds are met. However, we encourage you to provide voluntary notification reports of other incidents.

Do we need to notify anyone else?

Although the ICO is required to share incident notifications with the National Cyber Security Centre, you should consider voluntarily reporting the incident to them as well, particularly if you determine that you will require the NCSC’s support to manage the incident.

The NCSC will provide advice, guidance, and (depending on resources) support for incidents that:

  • may result in significant loss of data critical to the ongoing operation of your organisation;
  • disrupt essential services (if you are providing a digital service for an OES); or
  • indicate unauthorised access to, or the installation of malicious software on, key systems where you are unable to resolve these issues yourselves.

If you require this level of support, you should mark your report as ‘FOR ACTION’.

Our incident reporting tool provides further information on how you can notify the NCSC, including instances where you may not require direct support but wish to inform them of an incident so they can provide wider advice on cyber threats.

Depending on the nature of the incident, you may also wish to notify other organisations such as the National Crime Agency and Action Fraud.

Do we need to notify the public?

We may take the view that public awareness about a particular incident is necessary, eg where it is in the public interest. In these cases we will consult with you first, but we may decide either to inform the public ourselves, or direct you to do so by means of an Enforcement Notice.

We will also consult the NCSC when making these decisions.

We’re an OES that is reliant on a digital service – what are the notification requirements?

If you are an OES and you rely upon an RDSP to provide your essential service, you must notify your competent authority about any significant impact on the continuity of your service that results from any incident affecting your RDSP. The RDSP still has to notify the ICO.