At a glance

  • If you are a relevant digital service provider, you are required to take appropriate and proportionate technical and organisational measures to manage the risks to your systems. These measures must ensure a level of security appropriate to the risk posed.
  • NIS has specific obligations for these measures, which are further detailed by an EU implementing act, the ‘DSP Regulation’. This section of the guide provides more information about these requirements.
  • You must implement measures that cover the security of your systems and facilities; incident handling; business continuity management; monitoring, auditing and testing; and compliance with international standards.
  • Many of these requirements align with the security provisions of the GDPR. It may also be the case that you are a data controller in any case, so the GDPR applies to you anyway.
  • You must maintain documentation to evidence your measures. This also aligns with the accountability principle of the GDPR, and its provisions on documentation. We can request to see these records during any investigation or inspection.

In brief

What are the security requirements?

Part 4 of NIS, and Regulation 12 in particular, outlines the obligations for RDSPs. These include the requirements of an EU Commission Implementing Regulation, known as the ‘DSP Regulation’, which provides specifics on a number of areas.

The primary requirement is detailed in Regulation 12(1). According to this, RDSPs must:

‘identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems’

According to Regulation 12(2), these measures must:

  • ensure a level of security appropriate to the risk posed;
  • prevent and minimise the impact of incidents affecting digital services; and
  • take account of the requirements of the DSP Regulation.

When determining your measures, you are allowed to consider the state of the art – this refers to the state of technological development; in other words, the type of security measures that are available to you. This is similar to the GDPR, however with NIS you are not allowed to consider the costs of implementation.

This section of the guide provides an overview of the security requirements for RDSPs. It is based on the DSP Regulation, which has direct effect. We will provide further detailed guidance on these requirements soon. In the meantime, you may find guidance from the European Union Agency for Network and Information Security (ENISA) may assist you.

Further reading

ENISA has published guidance on the technical security measures for digital service providers.

What considerations must RDSPs have?

Regulation 12(2)(c) outlines that when considering your security measures, you must:

‘take into account the following elements as specified in Article 2 of EU Regulation 2018/151:

(i) the security of systems and facilities;

(ii) incident handling;

(iii) business continuity management;

(iv) monitoring auditing and testing; and

(v) compliance with international standards.’

These refer to requirements from the DSP Regulation, which has direct effect. These requirements are detailed below.

What is meant by ‘security of systems and facilities’?

This refers to both the security of your network and information systems, and the physical environment of those systems.

As specified in Article 1(a) of the DSP Regulation, your measures in this area should cover the following:

  • systematic management of your network and information systems;
  • physical and environmental security measures;
  • security of supplies; and
  • access controls to systems.

These requirements align with the expectations of the security principle under the GDPR, although they differ by specifying a number of elements that RDSPs must take into account when implementing their measures. For example, under the GDPR (and if appropriate for your circumstances) we would already expect you to:

  • have an overall information security policy, along with specific organisational policies governing risk, data security, human resources, security of operations, encryption, etc., and ensure such policies are implemented by appropriate technical measures
  • take into account physical and environmental security when implementing appropriate technical and organisational measures;
  • have both technical and organisational access control systems in place to ensure that such access is authorised and restricted to those who need it.

These requirements also align to a number of areas of the Cyber Essentials scheme, particularly in respect of access controls.

What do we need to consider in terms of systematic management of our systems?

You should establish appropriate policies for managing information security, including:

  • risk analysis;
  • human resources;
  • security of operations;
  • security architecture;
  • secure data;
  • system lifecycle management; and
  • encryption, where applicable.

What do we need to consider in terms of physical and environmental security?

You should aim to implement a set of measures that protect your systems from damage. You need to address factors including system failure, human error, malicious action (external and internal) and natural phenomena.

What do we need to consider in terms of security of supplies?

You need to establish and maintain appropriate policies so that you know the accessibility and traceability of critical supplies.

What do we need to consider in terms of access controls?

You should have measures in place that ensure both physical and logical access is authorised and restricted based on business and security requirements. This is similar to the well-known ‘principle of least privilege’ – essentially, only those users who need access to a particular area of your premises, or a certain system, should have such access.

What is meant by ‘incident handling’?

Incident handling refers to your procedures for supporting the detection, analysis and containment of any incident, and your follow-up response. Article 2(2) of the DSP Regulation has a number of requirements for incident handling. These must include:

  • incident detection processes and procedures;
  • processes and policies on incident reporting;
  • incident response; and
  • incident assessment.

Again, these requirements also similar to what we expect from data controllers under the GDPR, although they differ by specifying a number of elements that RDSPs must take into account  For example, if you are a controller, we expect you to have (if appropriate for your circumstances):

  • appropriate security monitoring processes to detect anomalous behaviour and potential data breaches in a timely manner;
  • incident management policies and procedures, including incident handling and response, escalation and analysis;
  • a process for regular testing of the effectiveness of security measures, such as by way of vulnerability scanning and penetration testing, and then acting upon the results of such testing; and
  • documentation of previous incidents and the existence of a continuous improvement process.

What must we do in terms of incident detection?

You should aim to implement processes and procedures that allow you to have timely and adequate awareness of any anomalous events. You also need to maintain and test these processes.

What must we do in terms of incident reporting?

You should have processes and policies in place on how you will notify the ICO of any incident, and how you identify weaknesses and vulnerabilities within your systems, your environment and your security measures.

What must we do in terms of incident response?

You should ensure that you have an established procedure so that your organisation is able to respond to any incident in an appropriate manner. This should include reporting the results of such measures.

What must we do in terms of incident assessment?

If you suffer an incident, you should have processes in place to enable you to undertake a full assessment of its severity. This should cover incident analysis, collection of relevant information, and the use of this to support a continuous improvement process.

What is meant by ‘business continuity management’?

Article 2(3) of the DSP Regulation requires you to have the capability to maintain or restore the delivery of services to acceptable predefined levels following a disruptive incident. This relates to contingency planning and disaster recovery.

This provision is very similar to the GDPR, which obliges data controllers to have the ability to restore access to and availability of personal data following a physical or technical incident.

What must we do in terms of contingency planning?

You need to establish contingency plans to ensure the continuity of your service. You should base these on business impact analyses. You also need to test and assess your plans on a regular basis, eg through exercises.

What must we do in terms of disaster recovery?

You must have recovery capabilities, and be able to test and assess these on a regular basis.

What is meant by ‘monitoring, auditing and testing’?

Article 2(4) of the DSP Regulation requires you to establish and maintain policies and processes concerning systems assessment, inspection and verification.

What must we do in terms of systems assessment?

You must plan and conduct a sequence of observations or measurements to check whether your systems are operating as intended.

What must we do in terms of inspection and verification?

You need to check that:

  • your guidelines are being followed;
  • your records are accurate; and
  • any efficiency and effectiveness targets are being met.

What must we do about processes?

You need to design processes to reveal flaws in the security mechanisms of your systems. This has to include both technical processes, and those personnel involved in operations.

What about compliance with international standards?

The DSP Regulation does not lay down particular requirements for RDSPs in this area. Instead, Article 2(5) clarifies that the meaning of ‘standards’ in NIS refers to:

  • standards adopted by an international standardisation body as specified in Regulation 1025/2012; and/or
  • any European, national, or internationally-accepted standards and specifications relevant to the security of networks and information systems.

Examples of appropriate standards may include ISO/IEC 27001 on information security management systems and ISO/IEC 22301 on business continuity management systems, and any other related standards.

Further reading

You can access information on the ISO/IEC 27001:2013 and ISO/IEC 22301:2012 standards at the ISO online browsing platform.

Are there any documentation requirements?

Yes. The DSP Regulation requires you to ensure that you have ‘adequate’ documentation available to demonstrate compliance with the above security elements. You will also need to make this documentation available to the ICO if we need to verify your compliance, eg during the investigation of an incident or a follow-up inspection.

If you do not have the required documentation, we can undertake regulatory action against you.

Requirement checklist

Security of systems and facilities

 ☐ We undertake systematic management of our network and information systems, and implement policies and procedures on:
  Risk analysis
  Human resources
  Security of operations
  Security architecture
  Secure data
  System lifecycle management
We implement physical and environmental security measures to protect our systems from damage, covering:
  Encryption (where applicable/appropriate)
  System failure
  Human error
  Malicious action
  Natural phenomena
We establish and maintain appropriate policies to ensure the security of supplies, including: 
  Accessibility of critical supplies
  Traceability of critical supplies

We implement measures to ensure physical and logical access is restricted according to business needs, including:  

  Implementing the principle of least privilege
  Where necessary, establishing secure areas.

Incident handling

 ☐ We have established incident detection processes and procedures to:
  Ensure timely and adequate awareness of anomalous events
  Testing and maintenance
We have established incident reporting processes and procedures to:
  Ensure we notify the ICO and other relevant organisations, eg the NCSC
  Identify weaknesses in systems and security measures. 
We have established processes and procedures to:
  Ensure an appropriate incident response
  Test this response and report on the results
We have established incident assessment processes and procedures including:
  Incident analysis
  Collection of relevant information
  A continuous improvement process

Business continuity management

 ☐ We ensure that we have the ability to maintain/restore services to acceptable pre-defined levels by means of contingency planning and disaster recovery
  We conduct business impact analyses and use the results to establish contingency plans
  We test and assess such plans, eg through exercises
  We establish recovery capabilities
  We test and assess these capabilities, eg through exercises

Monitoring, auditing and testing

 ☐ We establishing policies concerning systems assessment, inspection and verification, including:
  Observations to assess systems are operating as intended
  Verification that guidelines are being followed
  Ensuring records are accurate
  Ensuring that efficiency and effectiveness targets are met.

Compliance with international standards

 ☐ Where appropriate, we follow accepted international standards such as ISO 27001 and/or ISO 22301