At a glance
- You are required to notify the ICO of any incident that has a substantial impact on the provision of your services.
- When assessing whether you need to notify, you have to take into account a number of factors, including the number of users affected, the duration of the incident, the geographical spread, the extent of the disruption and the extent of the incident’s impact.
- The DSP Regulation provides further details on thresholds and parameters relating to these factors.
- You must notify the ICO without undue delay and not later than 72 hours of becoming aware of any incident, where feasible.
- We have developed a reporting tool that you can use to notify us of NIS incidents. You should also consider notifying the National Cyber Security Centre at the same time.
- What is a NIS incident?
- Is a NIS incident the same as a GDPR personal data breach?
- When must we notify the ICO of a NIS incident?
- What information must we provide?
- How do we determine if we need to notify?
- What does the ‘number of users affected’ mean?
- What does the ‘duration of the incident’ mean?
- What does the ‘geographical spread with regard to the area affected’ mean?
- What does the ‘extent of the disruption’ mean?
- What does the ‘extent of the impact’ mean?
- What are the ‘situations described in Article 4’ of the DSP Regulation?
- What if the incident meets none of these thresholds?
- Do we need to notify anyone else?
- Do we need to notify the public?
- We’re an OES that is reliant on a digital service – what are the notification requirements?
Regulation 1(1) of NIS defines an ‘incident’ as:
‘Any event having an actual adverse effect on the security of network and information systems.’
Read in conjunction with the definition of ‘security of network and information systems’, this is broadly in line with existing standards in information security, such as the definition of ‘incident’ within NIST Special Publication 800-53:
‘An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity or availability of information or an information system’
Not necessarily. NIS concerns computer systems and the digital data stored and processed within them. The GDPR concerns the processing of personal data.
The digital data is that which is connected to the operation, use and maintenance of your digital service. However, this may include personal data. Also, the NIS incident may itself lead to a personal data breach, depending on the type of attack. The NIS incident may be the initial intrusion that disrupts your service, whilst the personal data breach could follow as a result of that intrusion.
In practice, it depends on the circumstances. However, if a personal data breach does occur, you have to notify the ICO under the GDPR, not NIS. Our NIS reporting tool allows you to specify whether personal data has also been compromised in an incident.
We have provided more information on the links between the GDPR and NIS in the next section of the guide.
In more detail – ICO guidance
Read the section of the guide on the relationship between NIS and the GDPR.
Our breach reporting page includes a reporting tool allowing you to notify us of any NIS incident. The tool also allows you to indicate if the incident also involved personal data.
You are required to notify the ICO of any incident without undue delay and not later than 72 hours of becoming aware of it. This broadly aligns with the reporting requirements for personal data breaches under the GDPR.
Only RDSPs are required to notify the ICO of a NIS incident. If you are an OES, you need to notify the competent authority for your sector.
Regulation 12(5) specifies that your notification must include:
- your organisation’s name and the types of digital service(s) you provide;
- the time the incident occurred;
- the incident’s duration;
- information about the incident’s nature and impact;
- information about any cross-border impact; and
- any other information that may assist the ICO.
The information about any cross-border impact must be sufficient to enable us to determine its significance.
We understand that in the immediate aftermath of an incident, you may not have all the necessary information required and will only learn this as your investigation unfolds. However, you still have to notify us that an incident has taken place. You can follow up with additional information resulting from your investigation as it becomes available and without undue delay.
We have developed a tool for you to use to report an incident. It includes fields to fill in with all of the above information.
You need to assess whether the incident caused a ‘substantial impact on the provision’ of your digital service(s) in order to decide if you need to notify.
Regulation 12(7) provides further details on how you can make this determination. This refers to provisions within Article 3 of the DSP Regulation. In short, when determining the impact of an incident you must take into account:
- the number of users affected by the incident, in particular those relying on the service for the provision of their own services;
- the duration of the incident;
- the geographical spread with regard to the area affected;
- the extent of the disruption of the functioning of the service;
- the extent of the impact on economic and societal activities; and
- whether one of the situations specified in Article 4 of the DSP Regulation has taken place.
Articles 3 and 4 of the DSP Regulation provide further details on how you should consider these factors. It is important to note that this only applies to RDSPs. If you are an OES, you have different factors to assess the impact of any incident.
Article 3(1) of the DSP Regulation requires you to be in a position to estimate:
- the number of affected persons you have a contract with (this includes both individuals and organisations); or
- the number of affected users determined by reference to previous traffic data.
Article 3(2) of the DSP Regulation states that this refers to the period of time from the disruption of the service until its recovery.
You must assess the disruption on the basis of availability, authenticity, integrity and confidentiality of the digital data you process.
Article 3(3) of the DSP Regulation clarifies that this refers to your ability to identify whether the NIS incident affects the provision of your services in other Member States – in other words, you need to determine if the incident has cross-border impact.
You are required to provide the ICO with sufficient information for us to assess the significance of any cross-border impact.
Article 3(4) of the DSP Regulation requires you to be able to measure whether the NIS incident has impaired one or more of the following:
- the availability of data or related services;
- the authenticity of data or related services;
- the integrity of data or related services; and
- the confidentiality of data or related services.
Article 3(5) of the DSP Regulation requires you to be able to conclude whether the incident has:
‘caused significant material or non-material losses for the users in relation to health, safety, or damage to property.’
You should reach this conclusion by indications such as the nature of your contractual relations with your customers (ie the type of customer your digital service serves) and, where appropriate, the potential number of affected users.
Importantly, under Article 3(6) of the DSP Regulation, for the purposes of the above, DSPs:
‘shall not be required to collect additional information to which they do not have access’